github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-23 09:19:04 -04:00
Code Issues Projects Releases Packages Wiki Activity

[DOCS] Remove machine learning, alerting, cases, and connector API pages (#190747)

Browse source
This commit is contained in:
Lisa Cawley 2024-08-20 07:43:59 -07:00 committed by GitHub
parent fd3c53c8c4
commit cd1d64569a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
87 changed files with 247 additions and 7539 deletions
Download patch file Download diff file Expand all files Collapse all files

3
docs/action-type-template.asciidoc
View file

@ -36,8 +36,7 @@ Add preconfigured settings for this connector type in alert-action-settings.asci
[[<ACTION-TYPE>-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}.
You can test connectors as you're creating or editing the connector in {kib}.
<ACTION-TYPE> actions have the following properties.

18
docs/api/actions-and-connectors.asciidoc
View file

@ -1,23 +1,7 @@
[[actions-and-connectors-api]]
== Action and connector APIs
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
For information about the actions and connectors that {kib} supports, refer to
<<action-types>>.
include::actions-and-connectors/create.asciidoc[leveloffset=+1]
include::actions-and-connectors/delete.asciidoc[leveloffset=+1]
include::actions-and-connectors/get.asciidoc[leveloffset=+1]
include::actions-and-connectors/get_all.asciidoc[leveloffset=+1]
include::actions-and-connectors/list.asciidoc[leveloffset=+1]
include::actions-and-connectors/execute.asciidoc[leveloffset=+1]
include::actions-and-connectors/update.asciidoc[leveloffset=+1]
include::actions-and-connectors/legacy/index.asciidoc[]
include::actions-and-connectors/legacy/get.asciidoc[]
include::actions-and-connectors/legacy/get_all.asciidoc[]
include::actions-and-connectors/legacy/list.asciidoc[]
include::actions-and-connectors/legacy/create.asciidoc[]
include::actions-and-connectors/legacy/update.asciidoc[]
include::actions-and-connectors/legacy/execute.asciidoc[]
include::actions-and-connectors/legacy/delete.asciidoc[]
For the latest API details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].

649
docs/api/actions-and-connectors/create.asciidoc
View file

@ -1,649 +0,0 @@
[[create-connector-api]]
== Create connector API
++++
<titleabbrev>Create connector</titleabbrev>
++++
Creates a connector.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[create-connector-api-request]]
=== {api-request-title}
`POST <kibana host>:<port>/api/actions/connector`
`POST <kibana host>:<port>/s/<space_id>/api/actions/connector`
=== {api-prereq-title}
You must have `all` privileges for the *{connectors-feature}* feature in the
*Management* section of the <<kibana-feature-privileges,{kib} feature privileges>>.
[[create-connector-api-path-params]]
=== {api-path-parms-title}
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided
in the URL, the default space is used.
[role="child_attributes"]
[[create-connector-api-request-body]]
=== {api-request-body-title}
`config`::
(Required^*^, object) The configuration for the connector. Configuration properties
vary depending on the connector type. For example:
+
--
// tag::connector-config[]
.Config properties
[%collapsible%open]
====
.{ibm-r} connectors
[%collapsible%open]
=====
`apiUrl`::
(Required, string) The {ibm-r} instance URL.
`orgId`::
(Required, string) The {ibm-r} organization ID.
For more information, refer to <<resilient-action-type>>.
=====
.Index connectors
[%collapsible%open]
=====
`executionTimeField`::
(Optional, string) Specifies a field that will contain the time the alert
condition was detected. The default value is `null`.
`index`::
(Required, string) The {es} index to be written to.
`refresh`::
(Optional, boolean) The {ref}/docs-refresh.html[refresh] policy for the write
request. The default value is `false`.
For more information, refer to <<index-action-type>>.
=====
.{jira} connectors
[%collapsible%open]
=====
`apiUrl`::
(Required, string) The {jira} instance URL.
`projectKey`::
(Required, string) The {jira} project key.
For more information, refer to <<jira-action-type>>.
=====
.Opsgenie connectors
[%collapsible%open]
=====
`apiUrl`::
(Required, string) The Opsgenie URL. For example, `https://api.opsgenie.com` or
`https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts`
setting, make sure the hostname is added to the allowed hosts.
For more information, refer to <<opsgenie-action-type>>.
=====
.{sn-itom}, {sn-itsm}, and {sn-sir} connectors
[%collapsible%open]
=====
`apiUrl`::
(Required, string) The {sn} instance URL.
`clientId`::
(Required^*^, string) The client ID assigned to your OAuth application. This
property is required when `isOAuth` is `true`.
`isOAuth`::
(Optional, string) The type of authentication to use. The default value is
`false`, which means basic authentication is used instead of open authorization
(OAuth).
`jwtKeyId`::
(Required^*^, string) The key identifier assigned to the JWT verifier map of
your OAuth application. This property is required when `isOAuth` is `true`.
`userIdentifierValue`::
(Required^*^, string) The identifier to use for OAuth authentication. This
identifier should be the user field you selected when you created an OAuth
JWT API endpoint for external clients in your {sn} instance. For example, if
the selected user field is `Email`, the user identifier should be the user's
email address. This property is required when `isOAuth` is `true`.
`usesTableApi`::
(Optional, boolean) Determines whether the connector uses the Table API or the
Import Set API. This property is supported only for {sn-itsm} and {sn-sir}
connectors. The default value is `true`.
+
NOTE: If this property is set to false, the Elastic application should be
installed in {sn}.
=====
.{swimlane} connectors
[%collapsible%open]
=====
`apiUrl`::
(Required, string) The {swimlane} instance URL.
`appId`::
(Required, string) The {swimlane} application ID.
`connectorType`::
(Required, String) The type of the connector. Valid values are: `all`, `alerts`, `cases`.
`mappings`::
(Optional, object) The field mapping.
+
.Mappings properties
[%collapsible%open]
======
`alertIdConfig`:::
(Optional, object) Mapping for the alert ID.
`fieldType`::::
(Required, string) The type of the field in {swimlane}.
`id`::::
(Required, string) The id of the field in {swimlane}.
`key`::::
(Required, string) The key of the field in {swimlane}.
`name`::::
(Required, string) The name of the field in {swimlane}.
`caseIdConfig`:::
(Optional, object) Mapping for the case ID.
`fieldType`::::
(Required, string) The type of the field in {swimlane}.
`id`::::
(Required, string) The id of the field in {swimlane}.
`key`::::
(Required, string) The key of the field in {swimlane}.
`name`::::
(Required, string) The name of the field in {swimlane}.
`caseNameConfig`:::
(Optional, object) Mapping for the case name.
`fieldType`::::
(Required, string) The type of the field in {swimlane}.
`id`::::
(Required, string) The id of the field in {swimlane}.
`key`::::
(Required, string) The key of the field in {swimlane}.
`name`::::
(Required, string) The name of the field in {swimlane}.
`commentsConfig`:::
(Optional, object) Mapping for the case comments.
`fieldType`::::
(Required, string) The type of the field in {swimlane}.
`id`::::
(Required, string) The id of the field in {swimlane}.
`key`::::
(Required, string) The key of the field in {swimlane}.
`name`::::
(Required, string) The name of the field in {swimlane}.
`descriptionConfig`:::
(Optional, object) Mapping for the case description.
`fieldType`::::
(Required, string) The type of the field in {swimlane}.
`id`::::
(Required, string) The id of the field in {swimlane}.
`key`::::
(Required, string) The key of the field in {swimlane}.
`name`::::
(Required, string) The name of the field in {swimlane}.
`ruleNameConfig`:::
(Optional, object) Mapping for the name of the alert's rule.
`fieldType`::::
(Required, string) The type of the field in {swimlane}.
`id`::::
(Required, string) The id of the field in {swimlane}.
`key`::::
(Required, string) The key of the field in {swimlane}.
`name`::::
(Required, string) The name of the field in {swimlane}.
`severityConfig`:::
(Optional, object) Mapping for the severity.
`fieldType`::::
(Required, string) The type of the field in {swimlane}.
`id`::::
(Required, string) The id of the field in {swimlane}.
`key`::::
(Required, string) The key of the field in {swimlane}.
`name`::::
(Required, string) The name of the field in {swimlane}.
======
For more information, refer to <<swimlane-action-type>>.
=====
.{webhook-cm} connectors
[%collapsible%open]
=====
`createCommentJson`::
(Optional, string) A JSON payload sent to the create comment URL to create a
case comment. You can use variables to add Kibana Cases data to the payload. The
required variable is `case.comment`. For example:
+
[source,json]
----
{
"body": {{{case.comment}}}
}
----
+
NOTE: Due to Mustache template variables (the text enclosed in triple braces,
for example, `{{{case.title}}}`), the JSON is not validated when you create the
connector. The JSON is validated once the Mustache variables have been placed
when the REST method runs. Manually ensure that the JSON is valid,
disregarding the Mustache variables, so the later validation will pass.
`createCommentMethod`::
(Optional, string) The REST API HTTP request method to create a case comment in
the third-party system. Valid values are either `patch`, `post`, and `put`. The
default value is `put`.
`createCommentUrl`::
(Optional, string) The REST API URL to create a case comment by ID in the
third-party system. You can use a variable to add the external system ID to the
URL. If you are using the `xpack.actions.allowedHosts` setting, make sure the
hostname is added to the allowed hosts. For example:
+
[source,text]
----
https://testing-jira.atlassian.net/rest/api/2/issue/{{{external.system.id}}}/comment
----
`createIncidentJson`::
(Required, string) A JSON payload sent to the create case URL to create a case. You
can use variables to add case data to the payload. Required variables are
`case.title` and `case.description`. For example:
+
[source,json]
----
{
"fields": {
"summary": {{{case.title}}},
"description": {{{case.description}}},
"labels": {{{case.tags}}}
}
}
----
+
NOTE: Due to Mustache template variables (which is the text enclosed in triple
braces, for example, `{{{case.title}}}`), the JSON is not validated when you
create the connector. The JSON is validated after the Mustache variables have
been placed when REST method runs. Manually ensure that the JSON is valid to
avoid future validation errors; disregard Mustache variables during your review.
`createIncidentMethod`::
(Optional, string) The REST API HTTP request method to create a case in the
third-party system. Valid values are `patch`, `post`, and `put`. The default
value is `post`.
`createIncidentResponseKey`::
(Required, string) The JSON key in the create case response that contains the
external case ID.
`createIncidentUrl`::
(Required, string) The REST API URL to create a case in the third-party system.
If you are using the `xpack.actions.allowedHosts` setting, make sure the
hostname is added to the allowed hosts.
`getIncidentResponseExternalTitleKey`::
(Required, string) The JSON key in get case response that contains the external
case title.
`getIncidentUrl`::
(Required, string) The REST API URL to get the case by ID from the third-party
system. If you are using the `xpack.actions.allowedHosts` setting, make sure the
hostname is added to the allowed hosts. You can use a variable to add the
external system ID to the URL. For example:
+
[source,text]
----
https://testing-jira.atlassian.net/rest/api/2/issue/{{{external.system.id}}}
----
+
NOTE: Due to Mustache template variables (the text enclosed in triple braces,
for example, `{{{case.title}}}`), the JSON is not validated when you create the
connector. The JSON is validated after the Mustache variables have been placed
when REST method runs. Manually ensure that the JSON is valid, disregarding the
Mustache variables, so the later validation will pass.
`hasAuth`::
(Optional, boolean) If true, a username and password for login type authentication
must be provided. The default value is `true`.
`headers`::
(Optional, string) A set of key-value pairs sent as headers with the request
URLs for the create case, update case, get case, and create comment methods.
`updateIncidentJson`::
(Required, string) The JSON payload sent to the update case URL to update the
case. You can use variables to add Kibana Cases data to the payload. Required
variables are `case.title` and `case.description`. For example:
+
[source,json]
----
{
"fields": {
"summary": {{{case.title}}},
"description": {{{case.description}}},
"labels": {{{case.tags}}}
}
}
----
+
NOTE: Due to Mustache template variables (which is the text enclosed in triple
braces, for example, `{{{case.title}}}`), the JSON is not validated when you
create the connector. The JSON is validated after the Mustache variables have
been placed when REST method runs. Manually ensure that the JSON is valid to
avoid future validation errors; disregard Mustache variables during your review.
`updateIncidentMethod`::
(Optional, string) The REST API HTTP request method to update the case in the
third-party system. Valid values are `patch`, `post`, and `put`. The default
value is `put`.
`updateIncidentUrl`::
(Required, string) The REST API URL to update the case by ID in the third-party
system. You can use a variable to add the external system ID to the URL. If you
are using the `xpack.actions.allowedHosts` setting, make sure the hostname is
added to the allowed hosts. For example:
+
[source,text]
----
https://testing-jira.atlassian.net/rest/api/2/issue/{{{external.system.ID}}}
----
`viewIncidentUrl`::
(Required, string) The URL to view the case in the external system. You can use
variables to add the external system ID or external system title to the URL.For example:
+
[source,text]
----
https://testing-jira.atlassian.net/browse/{{{external.system.title}}}
----
For more information, refer to <<cases-webhook-action-type>>.
=====
This object is not required for server log connectors.
For more configuration properties, refer to <<action-types>>.
====
// end::connector-config[]
--
`connector_type_id`::
(Required, string) The connector type ID for the connector. For example,
`.cases-webhook`, `.index`, `.jira`, `.opsgenie`, `.server-log`, or `.servicenow-itom`.
`name`::
(Required, string) The display name for the connector.
`secrets`::
(Required^*^, object) The secrets configuration for the connector. Secrets
configuration properties vary depending on the connector type. For information
about the secrets configuration properties, refer to <<action-types>>.
+
--
WARNING: Remember these values. You must provide them each time you call the <<update-connector-api, update>> API.
// tag::connector-secrets[]
.Secrets properties
[%collapsible%open]
====
.{ibm-r} connectors
[%collapsible%open]
=====
`apiKeyId`::
(Required, string) The authentication key ID for HTTP Basic authentication.
`apiKeySecret`::
(Required, string) The authentication key secret for HTTP Basic authentication.
=====
.{jira} connectors
[%collapsible%open]
=====
`apiToken`::
(Required, string) The {jira} API authentication token for HTTP basic
authentication.
`email`::
(Required, string) The account email for HTTP Basic authentication.
=====
.Opsgenie connectors
[%collapsible%open]
=====
`apiKey`::
(Required, string) The Opsgenie API authentication key for HTTP Basic
authentication.
=====
.{sn-itom}, {sn-itsm}, and {sn-sir} connectors
[%collapsible%open]
=====
`clientSecret`::
(Required^*^, string) The client secret assigned to your OAuth application. This
property is required when `isOAuth` is `true`.
`password`::
(Required^*^, string) The password for HTTP basic authentication. This property
is required when `isOAuth` is `false`.
`privateKey`::
(Required^*^, string) The RSA private key that you created for use in {sn}. This
property is required when `isOAuth` is `true`.
privateKeyPassword::
(Required^*^, string) The password for the RSA private key. This property is
required when `isOAuth` is `true` and you set a password on your private key.
`username`::
(Required^*^, string) The username for HTTP basic authentication. This property
is required when `isOAuth` is `false`.
=====
.{swimlane} connectors
[%collapsible%open]
=====
`apiToken`::
(string) {swimlane} API authentication token.
=====
.{webhook-cm} connectors
[%collapsible%open]
=====
`password`::
(Optional, string) The password for HTTP basic authentication.
`user`::
(Optional, string) The username for HTTP basic authentication.
=====
This object is not required for index or server log connectors.
====
// end::connector-secrets[]
--
[[create-connector-api-request-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[[create-connector-api-example]]
=== {api-examples-title}
Create an index connector:
[source,sh]
--------------------------------------------------
POST api/actions/connector
{
"name": "my-connector",
"connector_type_id": ".index",
"config": {
"index": "test-index"
}
}
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"connector_type_id": ".index",
"name": "my-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"is_preconfigured": false,
"is_deprecated": false,
"is_missing_secrets": false
}
--------------------------------------------------
Create a {jira} connector:
[source,sh]
--------------------------------------------------
POST api/actions/connector
{
"name": "my-jira-connector",
"connector_type_id": ".jira",
"config": {
"apiUrl": "https://elastic.atlassian.net",
"projectKey": "ES"
},
"secrets": {
"email": "myEmail",
"apiToken": "myToken"
}
}
--------------------------------------------------
// KIBANA
Create an {ibm-r} connector:
[source,sh]
--------------------------------------------------
POST api/actions/connector
{
"name": "my-resilient-connector",
"connector_type_id": ".resilient",
"config": {
"apiUrl": "https://elastic.resilient.net",
"orgId": "201"
},
"secrets": {
"apiKeyId": "myKey",
"apiKeySecret": "myToken"
}
}
--------------------------------------------------
// KIBANA
Create an {sn-itom} connector that uses open authorization:
[source,sh]
--------------------------------------------------
POST api/actions/connector
{
"name": "my-itom-connector",
"connector_type_id": ".servicenow-itom",
"config": {
"apiUrl": "https://exmaple.service-now.com/",
"clientId": "abcdefghijklmnopqrstuvwxyzabcdef",
"isOAuth": "true",
"jwtKeyId": "fedcbazyxwvutsrqponmlkjihgfedcba",
"userIdentifierValue": "testuser@email.com"
},
"secrets": {
"clientSecret": "secretsecret",
"privateKey": "-----BEGIN RSA PRIVATE KEY-----\nprivatekeyhere\n-----END RSA PRIVATE KEY-----"
}
}
--------------------------------------------------
// KIBANA
Create a {swimlane} connector:
[source,sh]
--------------------------------------------------
POST api/actions/connector
{
"name":"my-swimlane-connector",
"connector_type_id": ".swimlane",
"config":{
"connectorType":"all",
"mappings":{
"ruleNameConfig":{
"id":"b6fst",
"name":"Alert Name",
"key":"alert-name",
"fieldType":"text"
}
},
"appId":"myAppID",
"apiUrl":"https://myswimlaneinstance.com"
},
"secrets":{
"apiToken":"myToken"
}
}
--------------------------------------------------
// KIBANA

52
docs/api/actions-and-connectors/delete.asciidoc
View file

@ -1,52 +0,0 @@
[[delete-connector-api]]
== Delete connector API
++++
<titleabbrev>Delete connector</titleabbrev>
++++
Deletes an connector by ID.
WARNING: When you delete a connector, _it cannot be recovered_.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[discrete]
[[delete-connector-api-request]]
=== {api-request-title}
`DELETE <kibana host>:<port>/api/actions/connector/<id>`
`DELETE <kibana host>:<port>/s/<space_id>/api/actions/connector/<id>`
[discrete]
=== {api-prereq-title}
You must have `all` privileges for the *{connectors-feature}* feature in the
*Management* section of the
<<kibana-feature-privileges,{kib} feature privileges>>.
[discrete]
[[delete-connector-api-path-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The ID of the connector.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[discrete]
[[delete-connector-api-response-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[discrete]
=== {api-examples-title}
[source,sh]
--------------------------------------------------
DELETE api/actions/connector/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad
--------------------------------------------------
// KIBANA

861
docs/api/actions-and-connectors/execute.asciidoc
View file

@ -1,861 +0,0 @@
[[execute-connector-api]]
== Run connector API
++++
<titleabbrev>Run connector</titleabbrev>
++++
Runs a connector by ID.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[execute-connector-api-request]]
=== {api-request-title}
`POST <kibana host>:<port>/api/actions/connector/<id>/_execute`
`POST <kibana host>:<port>/s/<space_id>/api/actions/connector/<id>/_execute`
[[execute-connector-api-prereq]]
=== {api-prereq-title}
You must have `read` privileges for the *{connectors-feature}* feature in the
*Management* section of the
<<kibana-feature-privileges,{kib} feature privileges>>.
If you use an index connector, you must also have `all`, `create`, `index`, or
`write` {ref}/security-privileges.html[indices privileges].
[[execute-connector-api-desc]]
=== {api-description-title}
You can use this API to test an <<alerting-concepts-actions,action>> that
involves interaction with Kibana services or integrations with third-party
systems.
[[execute-connector-api-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The ID of the connector.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in
the URL, the default space is used.
[role="child_attributes"]
[[execute-connector-api-request-body]]
=== {api-request-body-title}
`params`::
(Required, object) The parameters of the connector. Parameter properties vary
depending on the connector type. For information about the parameter properties,
refer to <<action-types>>.
+
--
.`Params` properties
[%collapsible%open]
====
.Email connectors
[%collapsible%open]
=====
`bcc`::
(Optional, array of strings) A list of "blind carbon copy" email addresses.
Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format.
`cc`::
(Optional, array of strings) A list of "carbon copy" email addresses.
Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format.
`message`::
(Required, string) The email message text. Markdown format is supported.
`subject`::
(Required, string) The subject line of the email.
`to`::
(Required^*^, array of strings)
A list of email addresses.
Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format.
There must be at least one recipient in `to`, `cc`, or `bcc`.
For more information, refer to <<email-action-type>>.
=====
.Index connectors
[%collapsible%open]
=====
`documents`::
(Required, array of objects) The documents to index in JSON format.
For more information, refer to <<index-action-type>>.
=====
.Jira connectors
[%collapsible%open]
=====
`subAction`::
(Required, string) The action to test. Valid values include: `fieldsByIssueType`,
`getFields`, `getIncident`, `issue`, `issues`, `issueTypes`, and `pushToService`.
`subActionParams`::
(Required^*^, object) The set of configuration properties, which vary depending
on the `subAction` value. This object is not required when `subAction` is
`getFields` or `issueTypes`.
+
.Properties when `subAction` is `fieldsByIssueType`
[%collapsible%open]
======
`id`:::
(Required, string) The Jira issue type identifier. For example, `10024`.
======
+
.Properties when `subAction` is `getIncident`
[%collapsible%open]
======
`externalId`:::
(Required, string) The Jira issue identifier. For example, `71778`.
======
+
.Properties when `subAction` is `issue`
[%collapsible%open]
======
`id`:::
(Required, string) The Jira issue identifier. For example, `71778`.
======
+
.Properties when `subAction` is `issues`
[%collapsible%open]
======
`title`:::
(Required, string) The title of the Jira issue.
======
+
.Properties when `subAction` is `pushToService`
[%collapsible%open]
======
`comments`:::
(Optional, array of objects) Additional information that is sent to Jira.
+
.Properties of `comments`
[%collapsible%open]
=======
`comment`::::
(string) A comment related to the incident. For example, describe how to
troubleshoot the issue.
`commentId`::::
(integer) A unique identifier for the comment.
=======
`incident`:::
(Required, object) Information necessary to create or update a Jira incident.
+
.Properties of `incident`
[%collapsible%open]
=======
`description`::::
(Optional, string) The details about the incident.
`externalId`::::
(Optional, string) The Jira issue identifier. If present, the incident is
updated. Otherwise, a new incident is created.
`labels`::::
(Optional, array of strings) The labels for the incident. For example,
`["LABEL1"]`. NOTE: Labels cannot contain spaces.
`issueType`::::
(Optional, integer) The type of incident. For example, `10006`. To obtain the
list of valid values, set `subAction` to `issueTypes`.
`parent`::::
(Optional, string) The ID or key of the parent issue. Applies only to `Sub-task`
types of issues.
`priority`::::
(Optional, string) The incident priority level. For example, `Lowest`.
`summary`::::
(Required, string) A summary of the incident.
`title`::::
(Optional, string) A title for the incident, used for searching the contents of
the knowledge base.
=======
======
For more information, refer to <<jira-action-type>>.
=====
.{opsgenie} connectors
[%collapsible%open]
=====
`subAction`::
(Required, string) The action to test. Valid values include: `createAlert` and
`closeAlert`.
`subActionParams`::
(Required, object) The set of configuration properties, which vary depending on
the `subAction` value.
+
.Properties when `subAction` is `createAlert`
[%collapsible%open]
======
`actions`::::
(Optional, array of strings) The custom actions available to the alert.
`alias`::::
(Optional, string) The unique identifier used for alert deduplication in {opsgenie}.
`description`::::
(Optional, string) A description that provides detailed information about the alert.
`details`::::
(Optional, object) The custom properties of the alert. For example:
`{"key1":"value1","key2":"value2"}`.
`entity`::::
(Optional, string) The domain of the alert. For example, the application or server
name.
`message`::::
(Required, string) The alert message.
`note`::::
(Optional, string) Additional information for the alert.
`priority`::::
(Optional, string) The priority level for the alert. Valid values are: `P1`,
`P2`, `P3`, `P4`, and `P5`.
`responders`::::
(Optional, array of objects) The entities to receive notifications about the
alert. If `type` is `user`, either `id` or `username` is required. If `type` is
`team`, either `id` or `name` is required.
+
.Properties of `responders` objects
[%collapsible%open]
=======
`id`::::
(Required^*^, string) The identifier for the entity.
`name`::::
(Required^*^, string) The name of the entity.
`type`::::
(Required, string) Valid values are `escalation`, `schedule`, `team`, and `user`.
`username`::::
(Required^*^, string) A valid email address for the user.
=======
`source`::::
(Optional, string) The display name for the source of the alert.
`tags`::::
(Optional, array of strings) The tags for the alert.
`user`::::
(Optional, string) The display name for the owner.
`visibleTo`::::
(Optional, array of objects) The teams and users that the alert will be visible
to without sending a notification. Only one of `id`, `name`, or `username` is
required.
+
.Properties of `visibleTo` objects
[%collapsible%open]
=======
`id`::::
(Required^*^, string) The identifier for the entity.
`name`::::
(Required^*^, string) The name of the entity.
`type`::::
(Required, string) Valid values are `team` and `user`.
`username`::::
(Required^*^, string) The user name. This property is required only when the
`type` is `user`.
=======
======
+
.Properties when `subAction` is `closeAlert`
[%collapsible%open]
======
`alias`::::
(Required, string) The unique identifier used for alert deduplication in {opsgenie}.
The alias must match the value used when creating the alert.
`note`::::
(Optional, string) Additional information for the alert.
`source`::::
(Optional, string) The display name for the source of the alert.
`user`::::
(Optional, string) The display name for the owner.
======
For more information, refer to <<opsgenie-action-type>>.
=====
.{sn-itom} connectors
[%collapsible%open]
=====
`subAction`::
(Required, string) The action to test. Valid values include: `addEvent` and
`getChoices`.
`subActionParams`::
(Required^*^, object) The set of configuration properties, which vary depending
on the `subAction` value.
+
.Properties when `subAction` is `addEvent`
[%collapsible%open]
======
`additional_info`::::
(Optional, string) Additional information about the event.
`description`::::
(Optional, string) The details about the event.
`event_class`::::
(Optional, string) A specific instance of the source.
`message_key`::::
(Optional, string) All actions sharing this key are associated with the same
{sn} alert. The default value is `<rule ID>:<alert instance ID>`.
`metric_name`::::
(Optional, string) The name of the metric.
`node`::::
(Optional, string) The host that the event was triggered for.
`resource`::::
(Optional, string) The name of the resource.
`severity`::::
(Optional, string) The severity of the event.
`source`::::
(Optional, string) The name of the event source type.
`time_of_event`::::
(Optional, string) The time of the event.
`type`::::
(Optional, string) The type of event.
======
+
.Properties when `subAction` is `getChoices`
[%collapsible%open]
======
`fields`::::
(Required, array of strings) An array of fields. For example, `["severity"]`.
======
=====
.{sn-itsm} connectors
[%collapsible%open]
=====
`subAction`::
(Required, string) The action to test. Valid values include: `getFields`,
`getIncident`, `getChoices`, and `pushToService`.
`subActionParams`::
(Required^*^, object) The set of configuration properties, which vary depending
on the `subAction` value. This object is not required when `subAction` is
`getFields`.
+
.Properties when `subAction` is `getChoices`
[%collapsible%open]
======
`fields`::::
(Required, array of strings) An array of fields. For example, `["category","impact"]`.
======
+
.Properties when `subAction` is `getIncident`
[%collapsible%open]
======
`externalId`::::
(Required, string) The {sn-itsm} issue identifier.
======
+
.Properties when `subAction` is `pushToService`
[%collapsible%open]
======
`comments`:::
(Optional, array of objects) Additional information that is sent to {sn-itsm}.
+
.Properties of `comments`
[%collapsible%open]
=======
`comment`::::
(string) A comment related to the incident. For example, describe how to
troubleshoot the issue.
`commentId`::::
(integer) A unique identifier for the comment.
////
version::::
(string) TBD
////
=======
`incident`:::
(Required, object) Information necessary to create or update a {sn-itsm} incident.
+
.Properties of `incident`
[%collapsible%open]
=======
`category`::::
(Optional, string) The category of the incident.
`correlation_display`::::
(Optional, string) A descriptive label of the alert for correlation purposes in
{sn}.
`correlation_id`::::
(Optional, string) The correlation identifier for the security incident.
Connectors using the same correlation ID are associated with the same {sn}
incident. This value determines whether a new {sn} incident is created or an
existing one is updated. Modifying this value is optional; if not modified, the
rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the
correlation ID value in {sn}. The maximum character length for this value is 100
characters.
+
NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures
that {sn} creates a separate incident record for every generated alert that uses
a unique alert ID. If the rule generates multiple alerts that use the same alert
IDs, {sn} creates and continually updates a single incident record for the alert.
`description`::::
(Optional, string) The details about the incident.
`externalId`::::
(Optional, string) The {sn-itsm} issue identifier. If present, the incident is
updated. Otherwise, a new incident is created.
`impact`::::
(Optional, string) The impact in {sn-itsm}.
`severity`::::
(Optional, string) The severity of the incident.
`short_description`::::
(Required, string) A short description for the incident, used for searching the
contents of the knowledge base.
`subcategory`::::
(Optional, string) The subcategory in {sn-itsm}.
`urgency`::::
(Optional, string) The urgency in {sn-itsm}.
=======
======
=====
.{sn-sir} connectors
[%collapsible%open]
=====
`subAction`::
(Required, string) The action to test. Valid values include: `getFields`,
`getIncident`, `getChoices`, and `pushToService`.
`subActionParams`::
(Required^*^, object) The set of configuration properties, which vary depending
on the `subAction` value. This object is not required when `subAction` is
`getFields`.
+
.Properties when `subAction` is `getChoices`
[%collapsible%open]
======
`fields`::::
(Required, array of strings) An array of fields. For example, `["priority","category"]`.
======
+
.Properties when `subAction` is `getIncident`
[%collapsible%open]
======
`externalId`::::
(Required, string) The {sn-sir} issue identifier.
======
+
.Properties when `subAction` is `pushToService`
[%collapsible%open]
======
`comments`:::
(Optional, array of objects) Additional information that is sent to {sn-sir}.
+
.Properties of `comments`
[%collapsible%open]
=======
`comment`::::
(string) A comment related to the incident. For example, describe how to
troubleshoot the issue.
`commentId`::::
(integer) A unique identifier for the comment.
////
`version`::::
(string) TBD
////
=======
`incident`:::
(Required, object) Information necessary to create or update a {sn-sir} incident.
+
.Properties of `incident`
[%collapsible%open]
=======
`category`::::
(Optional, string) The category of the incident.
`correlation_display`::::
(Optional, string) A descriptive label of the alert for correlation purposes in
{sn}.
`correlation_id`::::
(Optional, string) The correlation identifier for the security incident.
Connectors using the same correlation ID are associated with the same {sn}
incident. This value determines whether a new {sn} incident is created or an
existing one is updated. Modifying this value is optional; if not modified, the
rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the
correlation ID value in {sn}. The maximum character length for this value is 100
characters.
+
NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that
{sn} creates a separate incident record for every generated alert that uses a
unique alert ID. If the rule generates multiple alerts that use the same alert
IDs, {sn} creates and continually updates a single incident record for the alert.
`description`::::
(Optional, string) The details about the incident.
`dest_ip`::::
(Optional, string or array of strings) A list of destination IP addresses related
to the security incident. The IPs are added as observables to the security incident.
`externalId`::::
(Optional, string) The {sn-sir} issue identifier. If present, the incident is
updated. Otherwise, a new incident is created.
`malware_hash`::::
(Optional, string or array of strings) A list of malware hashes related to the
security incident. The hashes are added as observables to the security incident.
`malware_url`::::
(Optional, string or array of strings) A list of malware URLs related to the
security incident. The URLs are added as observables to the security incident.
`priority`::::
(Optional, string) The priority of the incident.
`short_description`::::
(Required, string) A short description for the incident, used for searching the
contents of the knowledge base.
`source_ip`::::
(Optional, string or array of strings) A list of source IP addresses related to
the security incident. The IPs are added as observables to the security incident.
`subcategory`::::
(Optional, string) The subcategory of the incident.
=======
======
=====
.Server log connectors
[%collapsible%open]
=====
`level`::
(Optional, string) The log level of the message: `trace`, `debug`, `info`,
`warn`, `error`, or `fatal`. Defaults to `info`.
`message`::
(Required, string) The message to log.
=====
.Slack connectors
[%collapsible%open]
=====
`message`::
(Required^*^, string) The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
It is applicable only when the connector type is `.slack`.
`subAction`::
(Required^*^, string) The action to test.
It is applicable only when the connector type is `.slack_api`.
Valid values include: `postMessage`, `validChannelId`.
======
`subActionParams`::
(Required, object) The set of configuration properties, which vary depending
on the `subAction` value.
+
.Properties when `subAction` is `postMessage`
[%collapsible%open]
=======
`channelIds`:::
(Optional, array of strings) The Slack channel identifier, which must be one of the allowed channels in the connector configuration.
`channels`:::
(Optional, array of strings)
The name of a channel that your Slack app has access to. deprecated:[8.12.0]
`text`:::
(Optional, string) The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
=======
+
.Properties when `subAction` is `validChannelId`
[%collapsible%open]
=======
`channelId`:::
(Required, string) The Slack channel identifier. For example, `C123ABC456`.
=======
======
=====
.{swimlane} connectors
[%collapsible%open]
=====
`subAction`::
(Required, string) The action to test. It must be `pushToService`.
`subActionParams`::
(Required, object) The set of configuration properties.
+
.Properties of `subActionParams`
[%collapsible%open]
======
`comments`:::
(Optional, array of objects) Additional information that is sent to {swimlane}.
+
.Properties of `comments` objects
[%collapsible%open]
=======
comment::::
(string) A comment related to the incident. For example, describe how to
troubleshoot the issue.
commentId::::
(integer) A unique identifier for the comment.
=======
`incident`:::
(Required, object) Information necessary to create or update a {swimlane} incident.
+
.Properties of `incident`
[%collapsible%open]
=======
`alertId`::::
(Optional, string) The alert identifier.
`caseId`::::
(Optional, string) The case identifier for the incident.
`caseName`::::
(Optional, string) The case name for the incident.
`description`::::
(Optional, string) The description of the incident.
`ruleName`::::
(Optional, string) The rule name.
`severity`::::
(Optional, string) The severity of the incident.
=======
======
=====
====
--
[[execute-connector-api-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[[execute-connector-api-example]]
=== {api-examples-title}
Run an index connector:
[source,sh]
--------------------------------------------------
POST api/actions/connector/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad/_execute
{
"params": {
"documents": [
{
"id": "test_doc_id",
"name": "test_doc_name",
"message": "hello, world"
}
]
}
}
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"status": "ok",
"data": {
"took": 10,
"errors": false,
"items": [
{
"index": {
"_index": "test-index",
"_id": "iKyijHcBKCsmXNFrQe3T",
"_version": 1,
"result": "created",
"_shards": {
"total": 2,
"successful": 1,
"failed": 0
},
"_seq_no": 0,
"_primary_term": 1,
"status": 201
}
}
]
},
"connector_id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad"
}
--------------------------------------------------
Run a server log connector:
[source,sh]
--------------------------------------------------
POST api/actions/connector/7fc7b9a0-ecc9-11ec-8736-e7d63118c907/_execute
{
"params": {
"level": "warn",
"message": "Test warning message"
}
}
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{"status":"ok","connector_id":"7fc7b9a0-ecc9-11ec-8736-e7d63118c907"}
--------------------------------------------------
Retrieve the list of issue types for a Jira connector:
[source,sh]
--------------------------------------------------
POST api/actions/connector/b3aad810-edbe-11ec-82d1-11348ecbf4a6/_execute
{
"params": {
"subAction": "issueTypes"
}
}
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"status":"ok",
"data":[
{"id":"10024","name":"Improvement"},{"id":"10006","name":"Task"},
{"id":"10007","name":"Sub-task"},{"id":"10025","name":"New Feature"},
{"id":"10023","name":"Bug"},{"id":"10000","name":"Epic"}
],
"connector_id":"b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}
--------------------------------------------------
Create then update a {swimlane} incident:
[source,sh]
--------------------------------------------------
POST api/actions/connector/a4746470-2f94-11ed-b0e0-87533c532698/_execute
{
"params":{
"subAction":"pushToService",
"subActionParams":{
"incident":{
"description":"Description of the incident",
"caseName":"Case name",
"caseId":"1000"
},
"comments":[
{"commentId":"1","comment":"A comment about the incident"}
]
}
}
}
POST api/actions/connector/a4746470-2f94-11ed-b0e0-87533c532698/_execute
{
"params":{
"subAction":"pushToService",
"subActionParams":{
"incident":{
"caseId":"1000",
"caseName":"A new case name"
}
}
}
}
--------------------------------------------------
// KIBANA
Retrieve the list of choices for a {sn-itom} connector:
[source,sh]
--------------------------------------------------
POST api/actions/connector/9d9be270-2fd2-11ed-b0e0-87533c532698/_execute
{
"params": {
"subAction": "getChoices",
"subActionParams": {
"fields": [ "severity","urgency" ]
}
}
}
--------------------------------------------------
// KIBANA
The API returns the severity and urgency choices, for example:
[source,sh]
--------------------------------------------------
{
"status": "ok",
"data":[
{"dependent_value":"","label":"Critical","value":"1","element":"severity"},
{"dependent_value":"","label":"Major","value":"2","element":"severity"},
{"dependent_value":"","label":"Minor","value":"3","element":"severity"},
{"dependent_value":"","label":"Warning","value":"4","element":"severity"},
{"dependent_value":"","label":"OK","value":"5","element":"severity"},
{"dependent_value":"","label":"Clear","value":"0","element":"severity"},
{"dependent_value":"","label":"1 - High","value":"1","element":"urgency"},
{"dependent_value":"","label":"2 - Medium","value":"2","element":"urgency"},
{"dependent_value":"","label":"3 - Low","value":"3","element":"urgency"}],
"connector_id":"9d9be270-2fd2-11ed-b0e0-87533c532698"
}
--------------------------------------------------

70
docs/api/actions-and-connectors/get.asciidoc
View file

@ -1,70 +0,0 @@
[[get-connector-api]]
== Get connector API
++++
<titleabbrev>Get connector</titleabbrev>
++++
Retrieves a connector by ID.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[discrete]
[[get-connector-api-request]]
=== {api-request-title}
`GET <kibana host>:<port>/api/actions/connector/<id>`
`GET <kibana host>:<port>/s/<space_id>/api/actions/connector/<id>`
[discrete]
=== {api-prereq-title}
You must have `read` privileges for the *{connectors-feature}* feature in the
*Management* section of the
<<kibana-feature-privileges,{kib} feature privileges>>.
[discrete]
[[get-connector-api-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The ID of the connector.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[discrete]
[[get-connector-api-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[discrete]
[[get-connector-api-example]]
=== {api-examples-title}
[source,sh]
--------------------------------------------------
GET api/actions/connector/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"connector_type_id": ".index",
"name": "my-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"is_preconfigured": false,
"is_deprecated": false,
"is_missing_secrets": false
}
--------------------------------------------------

80
docs/api/actions-and-connectors/get_all.asciidoc
View file

@ -1,80 +0,0 @@
[[get-all-connectors-api]]
== Get all connectors API
++++
<titleabbrev>Get all connectors</titleabbrev>
++++
Retrieves all connectors.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[discrete]
[[get-all-connectors-api-request]]
=== {api-request-title}
`GET <kibana host>:<port>/api/actions/connectors`
`GET <kibana host>:<port>/s/<space_id>/api/actions/connectors`
[discrete]
=== {api-prereq-title}
You must have `read` privileges for the *{connectors-feature}* feature in the
*Management* section of the
<<kibana-feature-privileges,{kib} feature privileges>>.
[discrete]
[[get-all-connectors-api-path-params]]
=== {api-path-parms-title}
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[discrete]
[[get-all-connectors-api-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[discrete]
[[get-all-connectors-api-example]]
=== {api-examples-title}
[source,sh]
--------------------------------------------------
GET api/actions/connectors
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
[
{
"id": "preconfigured-mail-connector",
"connector_type_id": ".email",
"name": "email: preconfigured-mail-connector",
"is_preconfigured": true,
"is_deprecated": false,
"referenced_by_count": 0 <1>
},
{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"connector_type_id": ".index",
"name": "my-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"is_preconfigured": false,
"is_deprecated": false,
"is_missing_secrets": false,
"referenced_by_count": 3
}
]
--------------------------------------------------
<1> `referenced_by_count` indicates the number of saved objects that reference the connector. This value is not calculated if `is_preconfigured` is `true`.

84
docs/api/actions-and-connectors/legacy/create.asciidoc
View file

@ -1,84 +0,0 @@
[[actions-and-connectors-legacy-api-create]]
==== Legacy Create connector API
++++
<titleabbrev>Legacy Create connector</titleabbrev>
++++
deprecated::[7.13.0,Use <<create-connector-api>> instead.]
Creates a connector.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[actions-and-connectors-legacy-api-create-request]]
===== Request
`POST <kibana host>:<port>/api/actions/action`
`POST <kibana host>:<port>/s/<space_id>/api/actions/action`
[[actions-and-connectors-legacy-api-create-path-params]]
===== Path parameters
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[actions-and-connectors-legacy-api-create-request-body]]
===== Request body
`name`::
(Required, string) The display name for the connector.
`actionTypeId`::
(Required, string) The connector type ID for the connector.
`config`::
(Required, object) The configuration for the connector. Configuration properties vary depending on
the connector type. For information about the configuration properties, refer to <<action-types,Action and connector types>>.
`secrets`::
(Required, object) The secrets configuration for the connector. Secrets configuration properties vary
depending on the connector type. For information about the secrets configuration properties, refer to <<action-types,Action and connector types>>.
+
WARNING: Remember these values. You must provide them each time you call the <<actions-and-connectors-legacy-api-update, update>> API.
[[actions-and-connectors-legacy-api-create-request-codes]]
===== Response code
`200`::
Indicates a successful call.
[[actions-and-connectors-legacy-api-create-example]]
===== Example
[source,sh]
--------------------------------------------------
$ curl -X POST api/actions/action -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '
{
"name": "my-connector",
"actionTypeId": ".index",
"config": {
"index": "test-index"
}
}'
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"actionTypeId": ".index",
"name": "my-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"isPreconfigured": false,
"isDeprecated": false,
"isMissingSecrets": false
}
--------------------------------------------------

43
docs/api/actions-and-connectors/legacy/delete.asciidoc
View file

@ -1,43 +0,0 @@
[[actions-and-connectors-legacy-api-delete]]
==== Legacy Delete connector API
++++
<titleabbrev>Legacy Delete connector</titleabbrev>
++++
deprecated::[7.13.0,Use <<delete-connector-api>> instead.]
Deletes a connector by ID.
When you delete an connector, _it cannot be recovered_.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[actions-and-connectors-legacy-api-delete-request]]
===== Request
`DELETE <kibana host>:<port>/api/actions/action/<id>`
`DELETE <kibana host>:<port>/s/<space_id>/api/actions/action/<id>`
[[actions-and-connectors-legacy-api-delete-path-params]]
===== Path parameters
`id`::
(Required, string) The ID of the connector.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[actions-and-connectors-legacy-api-delete-response-codes]]
===== Response code
`200`::
Indicates a successful call.
===== Example
[source,sh]
--------------------------------------------------
$ curl -X DELETE api/actions/action/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad
--------------------------------------------------
// KIBANA

92
docs/api/actions-and-connectors/legacy/execute.asciidoc
View file

@ -1,92 +0,0 @@
[[actions-and-connectors-legacy-api-execute]]
==== Legacy Execute connector API
++++
<titleabbrev>Legacy Execute connector</titleabbrev>
++++
deprecated::[7.13.0,Use <<execute-connector-api>> instead.]
Executes a connector by ID.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[actions-and-connectors-legacy-api-execute-request]]
===== Request
`POST <kibana host>:<port>/api/actions/action/<id>/_execute`
`POST <kibana host>:<port>/s/<space_id>/api/actions/action/<id>/_execute`
[[actions-and-connectors-legacy-api-execute-params]]
===== Path parameters
`id`::
(Required, string) The ID of the connector.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[actions-and-connectors-legacy-api-execute-request-body]]
===== Request body
`params`::
(Required, object) The parameters of the connector. Parameter properties vary depending on
the connector type. For information about the parameter properties, refer to <<action-types,Action and connector types>>.
[[actions-and-connectors-legacy-api-execute-codes]]
===== Response code
`200`::
Indicates a successful call.
[[actions-and-connectors-legacy-api-execute-example]]
===== Example
[source,sh]
--------------------------------------------------
$ curl -X POST api/actions/action/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad/_execute -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '
{
"params": {
"documents": [
{
"id": "test_doc_id",
"name": "test_doc_name",
"message": "hello, world"
}
]
}
}'
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"status": "ok",
"data": {
"took": 197,
"errors": false,
"items": [
{
"index": {
"_index": "updated-index",
"_id": "iKyijHcBKCsmXNFrQe3T",
"_version": 1,
"result": "created",
"_shards": {
"total": 2,
"successful": 1,
"failed": 0
},
"_seq_no": 0,
"_primary_term": 1,
"status": 201
}
}
]
},
"actionId": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad"
}
--------------------------------------------------

61
docs/api/actions-and-connectors/legacy/get.asciidoc
View file

@ -1,61 +0,0 @@
[[actions-and-connectors-legacy-api-get]]
==== Legacy Get connector API
++++
<titleabbrev>Legacy Get connector</titleabbrev>
++++
deprecated::[7.13.0,Use <<get-connector-api>> instead.]
Retrieves a connector by ID.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[actions-and-connectors-legacy-api-get-request]]
===== Request
`GET <kibana host>:<port>/api/actions/action/<id>`
`GET <kibana host>:<port>/s/<space_id>/api/actions/action/<id>`
[[actions-and-connectors-legacy-api-get-params]]
===== Path parameters
`id`::
(Required, string) The ID of the action.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[actions-and-connectors-legacy-api-get-codes]]
===== Response code
`200`::
Indicates a successful call.
[[actions-and-connectors-legacy-api-get-example]]
===== Example
[source,sh]
--------------------------------------------------
$ curl -X GET api/actions/action/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"actionTypeId": ".index",
"name": "my-connector",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"isPreconfigured": false,
"isDeprecated": false,
"isMissingSecrets": false
}
--------------------------------------------------

67
docs/api/actions-and-connectors/legacy/get_all.asciidoc
View file

@ -1,67 +0,0 @@
[[actions-and-connectors-legacy-api-get-all]]
==== Legacy Get all connector API
++++
<titleabbrev>Legacy Get all connector</titleabbrev>
++++
deprecated::[7.13.0,Use <<get-all-connectors-api>> instead.]
Retrieves all connectors.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[actions-and-connectors-legacy-api-get-all-request]]
===== Request
`GET <kibana host>:<port>/api/actions`
`GET <kibana host>:<port>/s/<space_id>/api/actions`
[[actions-and-connectors-legacy-api-get-all-path-params]]
===== Path parameters
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[actions-and-connectors-legacy-api-get-all-codes]]
===== Response code
`200`::
Indicates a successful call.
[[actions-and-connectors-legacy-api-get-all-example]]
===== Example
[source,sh]
--------------------------------------------------
$ curl -X GET api/actions
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
[
{
"id": "preconfigured-mail-action",
"actionTypeId": ".email",
"name": "email: preconfigured-mail-action",
"isPreconfigured": true,
"isDeprecated": false
},
{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"actionTypeId": ".index",
"name": "my-action",
"config": {
"index": "test-index",
"refresh": false,
"executionTimeField": null
},
"isPreconfigured": false,
"isDeprecated": false,
"isMissingSecrets": false
}
]
--------------------------------------------------

6
docs/api/actions-and-connectors/legacy/index.asciidoc
View file

@ -1,6 +0,0 @@
[[actions-and-connectors-legacy-apis]]
=== Deprecated 7.x APIs
These APIs are deprecated and will be removed in a future release.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].

71
docs/api/actions-and-connectors/legacy/list.asciidoc
View file

@ -1,71 +0,0 @@
[[actions-and-connectors-legacy-api-list]]
==== Legacy List connector types API
++++
<titleabbrev>Legacy List all connector types</titleabbrev>
++++
deprecated::[7.13.0,Use <<list-connector-types-api>> instead.]
Retrieves a list of all connector types.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[actions-and-connectors-legacy-api-list-request]]
===== Request
`GET <kibana host>:<port>/api/actions/list_action_types`
`GET <kibana host>:<port>/s/<space_id>/api/actions/list_action_types`
[[actions-and-connectors-legacy-api-list-path-params]]
===== Path parameters
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[actions-and-connectors-legacy-api-list-codes]]
===== Response code
`200`::
Indicates a successful call.
[[actions-and-connectors-legacy-api-list-example]]
===== Example
[source,sh]
--------------------------------------------------
$ curl -X GET api/actions/list_action_types
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
[
{
"id": ".email", <1>
"name": "Email", <2>
"minimumLicenseRequired": "gold", <3>
"enabled": false, <4>
"enabledInConfig": true, <5>
"enabledInLicense": false <6>
},
{
"id": ".index",
"name": "Index",
"minimumLicenseRequired": "basic",
"enabled": true,
"enabledInConfig": true,
"enabledInLicense": true
}
]
--------------------------------------------------
<1> `id` - The unique ID of the connector type.
<2> `name` - The name of the connector type.
<3> `minimumLicenseRequired` - The license required to use the connector type.
<4> `enabled` - Specifies if the connector type is enabled or disabled in {kib}.
<5> `enabledInConfig` - Specifies if the connector type is enabled or enabled in the {kib} .yml file.
<6> `enabledInLicense` - Specifies if the connector type is enabled or disabled in the license.

79
docs/api/actions-and-connectors/legacy/update.asciidoc
View file

@ -1,79 +0,0 @@
[[actions-and-connectors-legacy-api-update]]
==== Legacy Update connector API
++++
<titleabbrev>Legacy Update connector</titleabbrev>
++++
deprecated::[7.13.0,Use <<update-connector-api>> instead.]
Updates the attributes for an existing connector.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[actions-and-connectors-legacy-api-update-request]]
===== Request
`PUT <kibana host>:<port>/api/actions/action/<id>`
`PUT <kibana host>:<port>/s/<space_id>/api/actions/action/<id>`
[[actions-and-connectors-legacy-api-update-params]]
===== Path parameters
`id`::
(Required, string) The ID of the connector.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[actions-and-connectors-legacy-api-update-request-body]]
===== Request body
`name`::
(Required, string) The new name of the connector.
`config`::
(Required, object) The new connector configuration. Configuration properties vary depending on the connector type. For information about the configuration properties, refer to <<action-types,Action and connector types>>.
`secrets`::
(Required, object) The updated secrets configuration for the connector. Secrets properties vary depending on the connector type. For information about the secrets configuration properties, refer to <<action-types,Action and connector types>>.
[[actions-and-connectors-legacy-api-update-codes]]
===== Response code
`200`::
Indicates a successful call.
[[actions-and-connectors-legacy-api-update-example]]
===== Example
[source,sh]
--------------------------------------------------
$ curl -X PUT api/actions/action/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '
{
"name": "updated-connector",
"config": {
"index": "updated-index"
}
}'
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"actionTypeId": ".index",
"name": "updated-connector",
"config": {
"index": "updated-index",
"refresh": false,
"executionTimeField": null
},
"isPreconfigured": false,
"isDeprecated": false,
"isMissingSecrets": false
}
--------------------------------------------------

84
docs/api/actions-and-connectors/list.asciidoc
View file

@ -1,84 +0,0 @@
[[list-connector-types-api]]
== List connector types API
++++
<titleabbrev>List all connector types</titleabbrev>
++++
Retrieves a list of all connector types.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[list-connector-types-api-request]]
=== {api-request-title}
`GET <kibana host>:<port>/api/actions/connector_types`
`GET <kibana host>:<port>/s/<space_id>/api/actions/connector_types`
[discrete]
=== {api-prereq-title}
You do not need any <<kibana-feature-privileges,{kib} feature privileges>> to
run this API.
[[list-connector-types-api-path-params]]
=== {api-path-parms-title}
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[list-connector-types-api-query-params]]
=== {api-query-parms-title}
`feature_id`::
(Optional, string) Filters list of connector types to those that support the feature id.
[[list-connector-types-api-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[[list-connector-types-api-example]]
=== {api-examples-title}
[source,sh]
--------------------------------------------------
GET api/actions/connector_types
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
[
{
"id": ".email", <1>
"name": "Email", <2>
"minimum_license_required": "gold", <3>
"enabled": false, <4>
"enabled_in_config": true, <5>
"enabled_in_license": true, <6>
"supported_feature_ids": ["alerting"] <7>
},
{
"id": ".index",
"name": "Index",
"minimum_license_required": "basic",
"enabled": true,
"enabled_in_config": true,
"enabled_in_license": true,
"supported_feature_ids": ["alerting"]
},
...
]
--------------------------------------------------
<1> `id` - The unique ID of the connector type.
<2> `name` - The name of the connector type.
<3> `minimum_license_required` - The license required to use the connector type.
<4> `enabled` - Specifies if the connector type is enabled or disabled in {kib}.
<5> `enabled_in_config` - Specifies if the connector type is enabled or enabled in the {kib} `.yml` file.
<6> `enabled_in_license` - Specifies if the connector type is enabled or disabled in the license.
<7> `supported_feature_ids` - Specifies which Kibana features this connector type supports.

97
docs/api/actions-and-connectors/update.asciidoc
View file

@ -1,97 +0,0 @@
[[update-connector-api]]
== Update connector API
++++
<titleabbrev>Update connector</titleabbrev>
++++
Updates the attributes for a connector.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-connectors[connector APIs].
[[update-connector-api-request]]
=== {api-request-title}
`PUT <kibana host>:<port>/api/actions/connector/<id>`
`PUT <kibana host>:<port>/s/<space_id>/api/actions/connector/<id>`
[discrete]
=== {api-prereq-title}
You must have `all` privileges for the *{connectors-feature}* feature in the
*Management* section of the
<<kibana-feature-privileges,{kib} feature privileges>>.
[[update-connector-api-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The ID of the connector.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[role="child_attributes"]
[[update-connector-api-request-body]]
=== {api-request-body-title}
`config`::
(Required, object) The new connector configuration. Configuration properties
vary depending on the connector type. For example:
+
--
include::create.asciidoc[tag=connector-config]
--
`name`::
(Required, string) The new name of the connector.
`secrets`::
(Required^*^, object) The updated secrets configuration for the connector. Secrets
properties vary depending on the connector type. For information about the
secrets configuration properties, refer to
<<action-types,Action and connector types>>.
+
--
include::create.asciidoc[tag=connector-secrets]
--
[[update-connector-api-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[[update-connector-api-example]]
=== {api-examples-title}
[source,sh]
--------------------------------------------------
PUT api/actions/connector/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad
{
"name": "updated-connector",
"config": {
"index": "updated-index"
}
}
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad",
"connector_type_id": ".index",
"name": "updated-connector",
"config": {
"index": "updated-index",
"refresh": false,
"executionTimeField": null
},
"is_preconfigured": false,
"is_deprecated": false,
"is_missing_secrets": false
}
--------------------------------------------------

17
docs/api/alerting.asciidoc
View file

@ -1,19 +1,4 @@
[[alerting-apis]]
== Alerting APIs
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
include::alerting/create_rule.asciidoc[leveloffset=+1]
include::alerting/delete_rule.asciidoc[leveloffset=+1]
include::alerting/disable_rule.asciidoc[leveloffset=+1]
include::alerting/enable_rule.asciidoc[leveloffset=+1]
include::alerting/find_rules.asciidoc[leveloffset=+1]
include::alerting/health.asciidoc[leveloffset=+1]
include::alerting/get_rules.asciidoc[leveloffset=+1]
include::alerting/list_rule_types.asciidoc[leveloffset=+1]
include::alerting/update_rule.asciidoc[leveloffset=+1]
include::alerting/mute_all_alerts.asciidoc[leveloffset=+1]
include::alerting/mute_alert.asciidoc[leveloffset=+1]
include::alerting/unmute_all_alerts.asciidoc[leveloffset=+1]
include::alerting/unmute_alert.asciidoc[leveloffset=+1]
include::alerting/legacy/index.asciidoc[]
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].

228
docs/api/alerting/create_rule.asciidoc
View file

@ -1,228 +0,0 @@
[[create-rule-api]]
== Create rule API
++++
<titleabbrev>Create rule</titleabbrev>
++++
Create {kib} rules.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[create-rule-api-request]]
=== {api-request-title}
`POST <kibana host>:<port>/api/alerting/rule/<id>`
`POST <kibana host>:<port>/s/<space_id>/api/alerting/rule/<id>`
=== {api-prereq-title}
You must have `all` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rules you're creating. For example, the
*Management* > *Stack Rules* feature, *Analytics* > *Discover* and *{ml-app}*
features, *{observability}*, and *Security* features. If the rule has `actions`,
you must also have `read` privileges for the *Management* >
*{connectors-feature}* feature. For more details, refer to
<<kibana-feature-privileges>>.
[[create-rule-api-path-params]]
=== {api-path-parms-title}
`<id>`::
(Optional, string) Specifies a UUID v1 or v4 to use instead of a randomly
generated ID.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in
the URL, the default space is used.
[role="child_attributes"]
[[create-rule-api-request-body]]
=== {api-request-body-title}
`actions`::
(Optional, object array) An array of action objects.
+
.Properties of the action objects:
[%collapsible%open]
=====
`group`:::
(Required, string) Grouping actions is recommended for escalations for different
types of alerts. If you don't need this, set this value to `default`.
`id`:::
(Required, string) The ID of the connector saved object, which you can obtain by
using <<get-all-connectors-api>>.
`params`:::
(Required, object) The map to the `params` that the
<<action-types,connector type>> will receive. ` params` are handled as Mustache
templates and passed a default set of context.
=====
`consumer`::
(Required, string) The name of the application or feature that owns the rule.
For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`,
`ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.
`enabled`::
(Optional, boolean) Indicates if you want to run the rule on an interval basis
after it is created.
`name`::
(Required, string) The name of the rule. While this name does not have to be
unique, a distinctive name can help you identify a rule.
`notify_when`::
(Required, string) Defines how often alerts generate actions. Valid values are:
+
--
* `onActionGroupChange`: Actions run when the alert status changes.
* `onActiveAlert`: Actions run when the alert becomes active and at each check
interval while the rule conditions are met.
* `onThrottleInterval`: Actions run when the alert becomes active and at the
interval specified in the `throttle` property while the rule conditions are met.
--
`params`::
(Required, object) The parameters to pass to the rule type executor `params`
value. This will also validate against the rule type params validator, if defined.
`rule_type_id`::
(Required, string) The ID of the rule type that you want to call when the rule
is scheduled to run. For example, `.es-query`, `.index-threshold`,
`logs.alert.document.count`, `monitoring_alert_cluster_health`,
`siem.thresholdRule`, or `xpack.ml.anomaly_detection_alert`. For more
information, refer to <<rule-types>>.
`schedule`::
(Required, object) The check interval, which specifies how frequently the rule
conditions are checked. The interval must be specified in seconds, minutes,
hours or days. For example: `{ "interval": "10s" }`, `{ "interval": "5m" }`,
`{ "interval": "1h" }`, or `{ "interval": "1d" }`.
`tags`::
(Optional, string array) A list of tag names that are applied to a rule.
`throttle`::
(Optional, string) Defines how often an alert generates repeated actions.
This custom action interval must be specified in seconds, minutes, hours, or
days. For example, `10m` or `1h`. This property is used only if `notify_when`
is `onThrottleInterval`.
[[create-rule-api-request-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[[create-rule-api-example]]
=== {api-examples-title}
Create an <<rule-type-index-threshold,index threshold rule>> that has actions
associated with a server log connector:
[source,sh]
--------------------------------------------------
POST api/alerting/rule
{
"params":{
"aggType":"avg",
"termSize":6,
"thresholdComparator":">",
"timeWindowSize":5,
"timeWindowUnit":"m",
"groupBy":"top",
"threshold":[
1000
],
"index":[
".test-index"
],
"timeField":"@timestamp",
"aggField":"sheet.version",
"termField":"name.keyword"
},
"consumer":"alerts",
"rule_type_id":".index-threshold",
"schedule":{
"interval":"1m"
},
"actions":[
{
"id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
"group":"threshold met",
"params":{
"level":"info",
"message":"Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
}
}
],
"tags":[
"cpu"
],
"notify_when":"onActionGroupChange",
"name":"my alert"
}
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
"consumer": "alerts",
"tags": ["cpu"],
"name": "my alert",
"enabled": true,
"throttle": null,
"schedule": {"interval": "1m"},
"params": {
"aggType": "avg",
"termSize": 6,
"thresholdComparator": ">",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"groupBy": "top",
"threshold": [1000],
"index": [".test-index"],
"timeField": "@timestamp",
"aggField": "sheet.version",
"termField": "name.keyword"
},
"rule_type_id": ".index-threshold",
"scheduled_task_id": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
"created_by": "elastic",
"updated_by": "elastic",
"created_at": "2022-06-08T17:20:31.632Z",
"updated_at": "2022-06-08T17:20:31.632Z",
"api_key_owner": "elastic",
"notify_when": "onActionGroupChange",
"mute_all": false,
"muted_alert_ids": [],
"execution_status": {
"last_execution_date": "2022-06-08T17:20:31.632Z",
"status": "pending"
},
"actions": [
{
"group": "threshold met",
"id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"connector_type_id": ".server-log"
}
]
}
--------------------------------------------------

53
docs/api/alerting/delete_rule.asciidoc
View file

@ -1,53 +0,0 @@
[[delete-rule-api]]
== Delete rule API
++++
<titleabbrev>Delete rule</titleabbrev>
++++
Permanently removes a rule.
WARNING: After you delete a rule, you cannot recover it.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[delete-rule-api-request]]
=== {api-request-title}
`DELETE <kibana host>:<port>/api/alerting/rule/<id>`
`DELETE <kibana host>:<port>/s/<space_id>/api/alerting/rule/<id>`
=== {api-prereq-title}
You must have `all` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rule you're deleting. For example, the
*Management* > *Stack Rules* feature, *Analytics* > *Discover* or *{ml-app}*
features, *{observability}*, or *Security* features. For more details, refer to
<<kibana-feature-privileges>>.
[[delete-rule-api-path-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The identifier of the rule that you want to remove.
`space_id`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
[[delete-rule-api-response-codes]]
=== {api-response-codes-title}
`204`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
DELETE api/alerting/rule/41893910-6bca-11eb-9e0d-85d233e3ee35
--------------------------------------------------
// KIBANA

52
docs/api/alerting/disable_rule.asciidoc
View file

@ -1,52 +0,0 @@
[[disable-rule-api]]
== Disable rule API
++++
<titleabbrev>Disable rule</titleabbrev>
++++
Disable a rule.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[disable-rule-api-request]]
=== {api-request-title}
`POST <kibana host>:<port>/api/alerting/rule/<id>/_disable`
`POST <kibana host>:<port>/s/<space_id>/api/alerting/rule/<id>/_disable`
=== {api-prereq-title}
You must have `all` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rule. For example,
the *Management* > *Stack Rules* feature, *Analytics* > *Discover* and *{ml-app}*
features, *{observability}*, and *Security* features. For more details, refer to
<<kibana-feature-privileges>>.
[[disable-rule-api-path-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The ID of the rule that you want to disable.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in
the URL, the default space is used.
[[disable-rule-api-response-codes]]
=== {api-response-codes-title}
`204`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
POST api/alerting/rule/41893910-6bca-11eb-9e0d-85d233e3ee35/_disable
--------------------------------------------------
// KIBANA

51
docs/api/alerting/enable_rule.asciidoc
View file

@ -1,51 +0,0 @@
[[enable-rule-api]]
== Enable rule API
++++
<titleabbrev>Enable rule</titleabbrev>
++++
Enable a rule.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[enable-rule-api-request]]
=== {api-request-title}
`POST <kibana host>:<port>/api/alerting/rule/<id>/_enable`
`POST <kibana host>:<port>/s/<space_id>/api/alerting/rule/<id>/_enable`
=== {api-prereq-title}
You must have `all` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rule. For example, the
*Management* > *Stack Rules* feature, *Analytics* > *Discover* and *{ml-app}*
features, *{observability}*, and *Security* features. For more details, refer to
<<kibana-feature-privileges>>.
[[enable-rule-api-path-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The ID of the rule that you want to enable.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in
the URL, the default space is used.
[[enable-rule-api-response-codes]]
=== {api-response-codes-title}
`204`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
POST api/alerting/rule/41893910-6bca-11eb-9e0d-85d233e3ee35/_enable
--------------------------------------------------
// KIBANA

166
docs/api/alerting/find_rules.asciidoc
View file

@ -1,166 +0,0 @@
[[find-rules-api]]
== Find rules API
++++
<titleabbrev>Find rules</titleabbrev>
++++
Retrieve a paginated set of rules based on condition.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[find-rules-api-request]]
=== {api-request-title}
`GET <kibana host>:<port>/api/alerting/rules/_find`
`GET <kibana host>:<port>/s/<space_id>/api/alerting/rules/_find`
=== {api-prereq-title}
You must have `read` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rules you're seeking. For example, the
*Management* > *Stack Rules* feature, *Analytics* > *Discover* and *{ml-app}*
features, *{observability}*, and *Security* features. To find rules associated
with the *{stack-monitor-app}* feature, use the `monitoring_user` built-in role.
For more details, refer to <<kibana-feature-privileges>>.
=== {api-description-title}
As rules change in {kib}, the results on each page of the response also change.
Use the find API for traditional paginated results, but avoid using it to export
large amounts of data.
NOTE: Rule `params` are stored as a {ref}/flattened.html[flattened field type]
and analyzed as keywords.
[[find-rules-api-path-params]]
=== {api-path-parms-title}
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in
the URL, the default space is used.
[[find-rules-api-query-params]]
=== {api-query-parms-title}
`default_search_operator`::
(Optional, string) The operator to use for the `simple_query_string`. The
default is 'OR'.
`fields`::
(Optional, array of strings) The fields to return in the `attributes` key of the
response.
`filter`::
(Optional, string) A <<kuery-query, KQL>> string that you filter with an
attribute from your saved object. It should look like
`savedObjectType.attributes.title: "myTitle"`. However, If you used a direct
attribute of a saved object, such as `updatedAt`, you will have to define your
filter, for example, `savedObjectType.updatedAt > 2018-12-22`.
`has_reference`::
(Optional, object) Filters the rules that have a relation with the reference
objects with the specific "type" and "ID".
`page`::
(Optional, number) The page number.
`per_page`::
(Optional, number) The number of rules to return per page.
`search`::
(Optional, string) An {es}
{ref}/query-dsl-simple-query-string-query.html[simple_query_string] query that
filters the rules in the response.
`search_fields`::
(Optional, array or string) The fields to perform the `simple_query_string`
parsed query against.
`sort_field`::
(Optional, string) Sorts the response. Could be a rule field returned in the
`attributes` key of the response.
`sort_order`::
(Optional, string) Sort direction, either `asc` or `desc`.
[[find-rules-api-request-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Find rules with names that start with `my`:
[source,sh]
--------------------------------------------------
GET api/alerting/rules/_find?search_fields=name&search=my*
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"page": 1,
"total": 1,
"per_page": 10,
"data": [{
"id": "b530fed0-74f5-11ed-9801-35303b735aef",
"name": "cluster_health_rule",
"consumer": "alerts",
"enabled": true,
"tags": ["cluster","health"],
"throttle": null,
"schedule": {"interval":"1m"},
"params": {},
"rule_type_id": "monitoring_alert_cluster_health",
"created_by": "elastic",
"updated_by": "elastic",
"created_at": "2022-12-05T23:36:58.284Z",
"updated_at": "2022-12-05T23:36:58.284Z",
"api_key_owner": "elastic",
"notify_when": "onActiveAlert",
"mute_all": false,
"muted_alert_ids": [],
"scheduled_task_id": "b530fed0-74f5-11ed-9801-35303b735aef",
"execution_status": {
"status": "ok",
"last_execution_date": "2022-12-06T00:09:31.882Z",
"last_duration": 42
},
"actions": [{
"group": "default",
"id": "9dca3e00-74f5-11ed-9801-35303b735aef",
"params": {
"level": "info",
"message": "{{context.internalFullMessage}}"
},
"connector_type_id": ".server-log"
}],
"last_run":{
"alerts_count": {"new": 0,"ignored": 0,"recovered": 0,"active": 0},
"outcome_msg": null,
"warning": null,
"outcome": "succeeded"
},
"next_run": "2022-12-06T00:10:31.811Z"
}]
}
--------------------------------------------------
For parameters that accept multiple values (such as `fields`), repeat the
query parameter for each value:
[source,sh]
--------------------------------------------------
GET api/alerting/rules/_find?fields=id&fields=name
--------------------------------------------------
// KIBANA

122
docs/api/alerting/get_rules.asciidoc
View file

@ -1,122 +0,0 @@
[[get-rule-api]]
== Get rule API
++++
<titleabbrev>Get rule</titleabbrev>
++++
Retrieve a rule by ID.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[get-rule-api-request]]
=== {api-request-title}
`GET <kibana host>:<port>/api/alerting/rule/<id>`
`GET <kibana host>:<port>/s/<space_id>/api/alerting/rule/<id>`
=== {api-prereq-title}
You must have `read` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rules you're seeking. For example, the
*Management* > *Stack Rules* feature, *Analytics* > *Discover* and *{ml-app}*
features, *{observability}*, and *Security* features. To get rules associated
with the *{stack-monitor-app}* feature, use the `monitoring_user` built-in role.
For more details, refer to <<kibana-feature-privileges>>.
[[get-rule-api-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The identifier of the rule to retrieve.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in
the URL, the default space is used.
[[get-rule-api-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[[get-rule-api-example]]
=== {api-examples-title}
Retrieve the rule object with the ID `41893910-6bca-11eb-9e0d-85d233e3ee35`:
[source,sh]
--------------------------------------------------
GET api/alerting/rule/41893910-6bca-11eb-9e0d-85d233e3ee35
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id":"31697a40-7b36-11ed-aa79-f742c05329b2",
"consumer":"alerts",
"tags":["cpu"],
"name":"my alert",
"enabled":true,
"throttle":null,
"schedule":{
"interval":"1m"
},
"params":{
"aggType":"avg",
"termSize":6,
"thresholdComparator":">",
"timeWindowSize":5,
"timeWindowUnit":"m",
"groupBy":"top",
"threshold":[1000],
"index":["test-index"],
"timeField":"@timestamp",
"aggField":"sheet.version",
"termField":"name.keyword"
},
"rule_type_id":".index-threshold",
"created_by":"elastic",
"updated_by":"elastic",
"created_at":"2022-12-13T22:33:41.163Z",
"updated_at":"2022-12-13T22:33:41.163Z",
"api_key_owner":"elastic",
"notify_when":"onActionGroupChange",
"muted_alert_ids":[],
"mute_all":false,
"scheduled_task_id":"31697a40-7b36-11ed-aa79-f742c05329b2",
"execution_status":{
"status":"ok",
"last_execution_date":"2022-12-13T22:33:44.388Z",
"last_duration":83
},
"actions":[{
"group":"threshold met",
"id":"1007a0c0-7a6e-11ed-89d5-abec321c0def",
"params":{
"level":"info",
"message":"Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"connector_type_id":".server-log"
}],
"last_run":{
"alerts_count":{
"new":0,
"ignored":0,
"recovered":0,
"active":0
},
"outcome_msg":null,
"warning":null,
"outcome":"succeeded"
},
"next_run":"2022-12-13T22:34:44.314Z"
}
--------------------------------------------------

82
docs/api/alerting/health.asciidoc
View file

@ -1,82 +0,0 @@
[[get-alerting-framework-health-api]]
== Get alerting framework health API
++++
<titleabbrev>Get alerting framework health</titleabbrev>
++++
Retrieve the health status of the alerting framework.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[get-alerting-framework-health-api-request]]
=== {api-request-title}
`GET <kibana host>:<port>/api/alerting/_health`
`GET <kibana host>:<port>/s/<space_id>/api/alerting/_health`
=== {api-prereq-title}
You must have `read` privileges for the *Management* > *Stack Rules* feature or
for at least one of the *Analytics* > *Discover*, *Analytics* > *{ml-app}*,
*{observability}*, or *Security* features.
[[get-alerting-framework-health-api-params]]
=== {api-path-parms-title}
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in
the URL, the default space is used.
[[get-alerting-framework-health-api-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[[get-alerting-framework-health-api-example]]
=== {api-examples-title}
Retrieve the health status of the alerting framework:
[source,sh]
--------------------------------------------------
GET api/alerting/_health
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"is_sufficiently_secure":true, <1>
"has_permanent_encryption_key":true, <2>
"alerting_framework_health":{ <3>
"decryption_health":{
"status":"ok",
"timestamp":"2022-06-21T21:46:15.023Z"
},
"execution_health":{
"status":"ok",
"timestamp":"2022-06-21T21:46:15.023Z"
},
"read_health":{
"status":"ok",
"timestamp":"2022-06-21T21:46:15.023Z"
}
}
}
--------------------------------------------------
<1> `is_sufficiently_secure` is `false` when security is enabled, but TLS is not.
<2> `has_permanent_encryption_key` is `false` when the encrypted saved object
plugin does not have a permanent encryption key.
<3> `alerting_framework_health` has three substates that identify the health of
the alerting framework: `decryption_health`, `execution_health`, and
`read_health`. `decryption_health` returns the timestamp and status of the rule
decryption: `ok`, `warn` or `error`. `execution_health` returns the timestamp
and status of the rule execution: `ok`, `warn` or `error`. `read_health` returns
the timestamp and status of the rule reading events: `ok`, `warn` or `error`.

207
docs/api/alerting/legacy/create.asciidoc
View file

@ -1,207 +0,0 @@
[[alerts-api-create]]
=== Legacy create alert API
++++
<titleabbrev>Legacy create alert</titleabbrev>
++++
deprecated::[7.13.0,Use <<create-rule-api>> instead.]
Create {kib} alerts.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-create-request]]
==== Request
`POST <kibana host>:<port>/api/alerts/alert/<id>`
`POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>`
[[alerts-api-create-path-params]]
==== Path parameters
`<id>`::
(Optional, string) Specifies a UUID v1 or v4 to use instead of a randomly generated ID.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-create-request-body]]
==== Request body
`name`::
(Required, string) A name to reference and search.
`tags`::
(Optional, string array) A list of keywords to reference and search.
`alertTypeId`::
(Required, string) The ID of the alert type that you want to call when the alert is scheduled to run.
`schedule`::
(Required, object) The schedule specifying when this alert should be run, using one of the available schedule formats specified under
+
._Schedule Formats_.
[%collapsible%open]
=====
A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule.
We currently support the _Interval format_ which specifies the interval in seconds, minutes, hours or days at which the alert should execute.
Example: `{ interval: "10s" }`, `{ interval: "5m" }`, `{ interval: "1h" }`, `{ interval: "1d" }`.
There are plans to support multiple other schedule formats in the near future.
=====
`throttle`::
(Optional, string) How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a `schedule` of 1 minute stays in a triggered state for 90 minutes, setting a `throttle` of `10m` or `1h` will prevent it from sending 90 notifications during this period.
`notifyWhen`::
(Required, string) The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`.
`enabled`::
(Optional, boolean) Indicates if you want to run the alert on an interval basis after it is created.
`consumer`::
(Required, string) The name of the application that owns the alert. This name has to match the Kibana Feature name, as that dictates the required RBAC privileges.
`params`::
(Required, object) The parameters to pass to the alert type executor `params` value. This will also validate against the alert type params validator, if defined.
`actions`::
(Optional, object array) An array of the following action objects.
+
.Properties of the action objects:
[%collapsible%open]
=====
`group`:::
(Required, string) Grouping actions is recommended for escalations for different types of alert instances. If you don't need this, set this value to `default`.
`id`:::
(Required, string) The ID of the action saved object to execute.
`actionTypeId`:::
(Required, string) The ID of the <<action-types,action type>>.
`params`:::
(Required, object) The map to the `params` that the <<action-types,action type>> will receive. ` params` are handled as Mustache templates and passed a default set of context.
=====
[[alerts-api-create-request-codes]]
==== Response code
`200`::
Indicates a successful call.
[[alerts-api-create-example]]
==== Example
[source,sh]
--------------------------------------------------
$ curl -X POST api/alerts/alert -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d '
{
"params":{
"aggType":"avg",
"termSize":6,
"thresholdComparator":">",
"timeWindowSize":5,
"timeWindowUnit":"m",
"groupBy":"top",
"threshold":[
1000
],
"index":[
".test-index"
],
"timeField":"@timestamp",
"aggField":"sheet.version",
"termField":"name.keyword"
},
"consumer":"alerts",
"alertTypeId":".index-threshold",
"schedule":{
"interval":"1m"
},
"actions":[
{
"id":"dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2",
"actionTypeId":".server-log",
"group":"threshold met",
"params":{
"level":"info",
"message":"Rule '{{rule.name}}' is active for group '{{context.group}}':\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
}
}
],
"tags":[
"cpu"
],
"notifyWhen":"onActionGroupChange",
"name":"my alert"
}'
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "41893910-6bca-11eb-9e0d-85d233e3ee35",
"notifyWhen": "onActionGroupChange",
"params": {
"aggType": "avg",
"termSize": 6,
"thresholdComparator": ">",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"groupBy": "top",
"threshold": [
1000
],
"index": [
".kibana"
],
"timeField": "@timestamp",
"aggField": "sheet.version",
"termField": "name.keyword"
},
"consumer": "alerts",
"alertTypeId": ".index-threshold",
"schedule": {
"interval": "1m"
},
"actions": [
{
"actionTypeId": ".server-log",
"group": "threshold met",
"params": {
"level": "info",
"message": "Rule {{rule.name}} is active for group {{context.group}}:\n\n- Value: {{context.value}}\n- Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}\n- Timestamp: {{context.date}}"
},
"id": "dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2"
}
],
"tags": [
"cpu"
],
"name": "my alert",
"enabled": true,
"throttle": null,
"apiKeyOwner": "elastic",
"createdBy": "elastic",
"updatedBy": "elastic",
"muteAll": false,
"mutedInstanceIds": [],
"updatedAt": "2021-02-10T18:03:19.961Z",
"createdAt": "2021-02-10T18:03:19.961Z",
"scheduledTaskId": "425b0800-6bca-11eb-9e0d-85d233e3ee35",
"executionStatus": {
"lastExecutionDate": "2021-02-10T18:03:19.966Z",
"status": "pending"
}
}
--------------------------------------------------

48
docs/api/alerting/legacy/delete.asciidoc
View file

@ -1,48 +0,0 @@
[[alerts-api-delete]]
=== Legacy delete alert API
++++
<titleabbrev>Legacy delete alert</titleabbrev>
++++
deprecated::[7.13.0,Use <<delete-rule-api>> instead.]
Permanently remove an alert.
WARNING: Once you delete an alert, you cannot recover it.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-delete-request]]
==== Request
`DELETE <kibana host>:<port>/api/alerts/alert/<id>`
`DELETE <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>`
[[alerts-api-delete-path-params]]
==== Path parameters
`id`::
(Required, string) The ID of the alert that you want to remove.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-delete-response-codes]]
==== Response code
`200`::
Indicates a successful call.
==== Example
Delete an alert with ID:
[source,sh]
--------------------------------------------------
$ curl -X DELETE api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35
--------------------------------------------------
// KIBANA

46
docs/api/alerting/legacy/disable.asciidoc
View file

@ -1,46 +0,0 @@
[[alerts-api-disable]]
=== Legacy disable alert API
++++
<titleabbrev>Legacy disable alert</titleabbrev>
++++
deprecated::[7.13.0,Use <<disable-rule-api>> instead.]
Disable an alert.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-disable-request]]
==== Request
`POST <kibana host>:<port>/api/alerts/alert/<id>/_disable`
`POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_disable`
[[alerts-api-disable-path-params]]
==== Path parameters
`id`::
(Required, string) The ID of the alert that you want to disable.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-disable-response-codes]]
==== Response code
`200`::
Indicates a successful call.
==== Example
Disable an alert with ID:
[source,sh]
--------------------------------------------------
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_disable
--------------------------------------------------
// KIBANA

46
docs/api/alerting/legacy/enable.asciidoc
View file

@ -1,46 +0,0 @@
[[alerts-api-enable]]
=== Legacy enable alert API
++++
<titleabbrev>Legacy enable alert</titleabbrev>
++++
deprecated::[7.13.0,Use <<enable-rule-api>> instead.]
Enable an alert.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-enable-request]]
==== Request
`POST <kibana host>:<port>/api/alerts/alert/<id>/_enable`
`POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_enable`
[[alerts-api-enable-path-params]]
==== Path parameters
`id`::
(Required, string) The ID of the alert that you want to enable.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-enable-response-codes]]
==== Response code
`200`::
Indicates a successful call.
==== Example
Enable an alert with ID:
[source,sh]
--------------------------------------------------
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_enable
--------------------------------------------------
// KIBANA

134
docs/api/alerting/legacy/find.asciidoc
View file

@ -1,134 +0,0 @@
[[alerts-api-find]]
=== Legacy find alerts API
++++
<titleabbrev>Legacy find alerts</titleabbrev>
++++
deprecated::[7.13.0,Use <<find-rules-api>> instead.]
Retrieve a paginated set of alerts based on condition.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
As alerts change in {kib}, the results on each page of the response also
change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
[[alerts-api-find-request]]
==== Request
`GET <kibana host>:<port>/api/alerts/_find`
`GET <kibana host>:<port>/s/<space_id>/api/alerts/_find`
[[alerts-api-find-path-params]]
==== Path parameters
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-find-query-params]]
==== Query Parameters
NOTE: Alert `params` are stored as a {ref}/flattened.html[flattened field type] and analyzed as keywords.
`per_page`::
(Optional, number) The number of alerts to return per page.
`page`::
(Optional, number) The page number.
`search`::
(Optional, string) An Elasticsearch {ref}/query-dsl-simple-query-string-query.html[simple_query_string] query that filters the alerts in the response.
`default_search_operator`::
(Optional, string) The operator to use for the `simple_query_string`. The default is 'OR'.
`search_fields`::
(Optional, array|string) The fields to perform the `simple_query_string` parsed query against.
`fields`::
(Optional, array|string) The fields to return in the `attributes` key of the response.
`sort_field`::
(Optional, string) Sorts the response. Could be an alert fields returned in the `attributes` key of the response.
`sort_order`::
(Optional, string) Sort direction, either `asc` or `desc`.
`has_reference`::
(Optional, object) Filters the alerts that have a relations with the reference objects with the specific "type" and "ID".
`filter`::
(Optional, string) A <<kuery-query, KQL>> string that you filter with an attribute from your saved object.
It should look like savedObjectType.attributes.title: "myTitle". However, If you used a direct attribute of a saved object, such as `updatedAt`,
you will have to define your filter, for example, savedObjectType.updatedAt > 2018-12-22.
[[alerts-api-find-request-codes]]
==== Response code
`200`::
Indicates a successful call.
==== Examples
Find alerts with names that start with `my`:
[source,sh]
--------------------------------------------------
$ curl -X GET api/alerts/_find?search_fields=name&search=my*
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"page": 1,
"perPage": 10,
"total": 1,
"data": [
{
"id": "0a037d60-6b62-11eb-9e0d-85d233e3ee35",
"notifyWhen": "onActionGroupChange",
"params": {
"aggType": "avg",
},
"consumer": "alerts",
"alertTypeId": "test.alert.type",
"schedule": {
"interval": "1m"
},
"actions": [],
"tags": [],
"name": "test alert",
"enabled": true,
"throttle": null,
"apiKeyOwner": "elastic",
"createdBy": "elastic",
"updatedBy": "elastic",
"muteAll": false,
"mutedInstanceIds": [],
"updatedAt": "2021-02-10T05:37:19.086Z",
"createdAt": "2021-02-10T05:37:19.086Z",
"scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35",
"executionStatus": {
"lastExecutionDate": "2021-02-10T17:55:14.262Z",
"status": "ok"
}
},
]
}
--------------------------------------------------
For parameters that accept multiple values (e.g. `fields`), repeat the
query parameter for each value:
[source,sh]
--------------------------------------------------
$ curl -X GET api/alerts/_find?fields=id&fields=name
--------------------------------------------------
// KIBANA

82
docs/api/alerting/legacy/get.asciidoc
View file

@ -1,82 +0,0 @@
[[alerts-api-get]]
=== Legacy get alert API
++++
<titleabbrev>Legacy get alert</titleabbrev>
++++
deprecated::[7.13.0,Use <<get-rule-api>> instead.]
Retrieve an alert by ID.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-get-request]]
==== Request
`GET <kibana host>:<port>/api/alerts/alert/<id>`
`GET <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>`
[[alerts-api-get-params]]
==== Path parameters
`id`::
(Required, string) The ID of the alert to retrieve.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-get-codes]]
==== Response code
`200`::
Indicates a successful call.
[[alerts-api-get-example]]
==== Example
Retrieve the alert object with the ID `41893910-6bca-11eb-9e0d-85d233e3ee35`:
[source,sh]
--------------------------------------------------
$ curl -X GET api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "0a037d60-6b62-11eb-9e0d-85d233e3ee35",
"notifyWhen": "onActionGroupChange",
"params": {
"aggType": "avg",
},
"consumer": "alerts",
"alertTypeId": "test.alert.type",
"schedule": {
"interval": "1m"
},
"actions": [],
"tags": [],
"name": "test alert",
"enabled": true,
"throttle": null,
"apiKeyOwner": "elastic",
"createdBy": "elastic",
"updatedBy": "elastic",
"muteAll": false,
"mutedInstanceIds": [],
"updatedAt": "2021-02-10T05:37:19.086Z",
"createdAt": "2021-02-10T05:37:19.086Z",
"scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35",
"executionStatus": {
"lastExecutionDate": "2021-02-10T17:55:14.262Z",
"status": "ok"
}
}
--------------------------------------------------

100
docs/api/alerting/legacy/health.asciidoc
View file

@ -1,100 +0,0 @@
[[alerts-api-health]]
=== Legacy get Alerting framework health API
++++
<titleabbrev>Legacy get Alerting framework health</titleabbrev>
++++
deprecated::[7.13.0,Use <<get-alerting-framework-health-api>> instead.]
Retrieve the health status of the Alerting framework.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-health-request]]
==== Request
`GET <kibana host>:<port>/api/alerts/_health`
`GET <kibana host>:<port>/s/<space_id>/api/alerts/_health`
[[alerts-api-health-params]]
==== Path parameters
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-health-codes]]
==== Response code
`200`::
Indicates a successful call.
[[alerts-api-health-example]]
==== Example
Retrieve the health status of the Alerting framework:
[source,sh]
--------------------------------------------------
$ curl -X GET api/alerts/_health
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"isSufficientlySecure":true,
"hasPermanentEncryptionKey":true,
"alertingFrameworkHealth":{
"decryptionHealth":{
"status":"ok",
"timestamp":"2021-02-10T23:35:04.949Z"
},
"executionHealth":{
"status":"ok",
"timestamp":"2021-02-10T23:35:04.949Z"
},
"readHealth":{
"status":"ok",
"timestamp":"2021-02-10T23:35:04.949Z"
}
}
}
--------------------------------------------------
The health API response contains the following properties:
[cols="2*<"]
|===
| `isSufficientlySecure`
| Returns `false` if security is enabled, but TLS is not.
| `hasPermanentEncryptionKey`
| Return the state `false` if Encrypted Saved Object plugin has not a permanent encryption Key.
| `alertingFrameworkHealth`
| This state property has three substates that identify the health of the alerting framework API: `decryptionHealth`, `executionHealth`, and `readHealth`.
|===
`alertingFrameworkHealth` consists of the following properties:
[cols="2*<"]
|===
| `decryptionHealth`
| Returns the timestamp and status of the alert decryption: `ok`, `warn` or `error` .
| `executionHealth`
| Returns the timestamp and status of the alert execution: `ok`, `warn` or `error`.
| `readHealth`
| Returns the timestamp and status of the alert reading events: `ok`, `warn` or `error`.
|===

18
docs/api/alerting/legacy/index.asciidoc
View file

@ -1,18 +0,0 @@
[[alerts-api]]
=== Deprecated 7.x APIs
These APIs are deprecated and will be removed in a future release.
include::create.asciidoc[leveloffset=+1]
include::delete.asciidoc[leveloffset=+1]
include::disable.asciidoc[leveloffset=+1]
include::enable.asciidoc[leveloffset=+1]
include::find.asciidoc[leveloffset=+1]
include::get.asciidoc[leveloffset=+1]
include::health.asciidoc[leveloffset=+1]
include::list.asciidoc[leveloffset=+1]
include::mute.asciidoc[leveloffset=+1]
include::mute_all.asciidoc[leveloffset=+1]
include::unmute.asciidoc[leveloffset=+1]
include::unmute_all.asciidoc[leveloffset=+1]
include::update.asciidoc[leveloffset=+1]

146
docs/api/alerting/legacy/list.asciidoc
View file

@ -1,146 +0,0 @@
[[alerts-api-list]]
=== Legacy list alert types API
++++
<titleabbrev>Legacy list all alert types</titleabbrev>
++++
deprecated::[7.13.0,Use <<list-rule-types-api>> instead.]
Retrieve a list of all alert types.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-list-request]]
==== Request
`GET <kibana host>:<port>/api/alerts/list_alert_types`
`GET <kibana host>:<port>/s/<space_id>/api/alerts/list_alert_types`
[[alerts-api-list-params]]
==== Path parameters
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-list-codes]]
==== Response code
`200`::
Indicates a successful call.
[[alerts-api-list-example]]
==== Example
[source,sh]
--------------------------------------------------
$ curl -X GET api/alerts/list_alert_types
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
[
{
"id":".index-threshold",
"name":"Index threshold",
"actionGroups":[
{
"id":"threshold met",
"name":"Threshold met"
},
{
"id":"recovered",
"name":"Recovered"
}
],
"recoveryActionGroup":{
"id":"recovered",
"name":"Recovered"
},
"defaultActionGroupId":"threshold met",
"actionVariables":{
"context":[
{
"name":"message",
"description":"A pre-constructed message for the alert."
},
],
"state":[],
"params":[
{
"name":"threshold",
"description":"An array of values to use as the threshold; 'between' and 'notBetween' require two values, the others require one."
},
{
"name":"index",
"description":"index"
},
]
},
"producer":"stackAlerts",
"minimumLicenseRequired":"basic",
"isExportable":true,
"enabledInLicense":true,
"authorizedConsumers":{
"alerts":{
"read":true,
"all":true
},
"stackAlerts":{
"read":true,
"all":true
},
"uptime":{
"read":true,
"all":true
}
}
}
]
--------------------------------------------------
Each alert type contains the following properties:
[cols="2*<"]
|===
| `name`
| The descriptive name of the alert type.
| `id`
| The unique ID of the alert type.
| `minimumLicenseRequired`
| The license required to use the alert type.
| `isExportable`
| Whether the rule type is exportable through the Saved Objects Management UI.
| `enabledInLicense`
| Whether the alert type is enabled or disabled based on the license.
| `actionGroups`
| An explicit list of groups for which the alert type can schedule actions, each with the action group's unique ID and human readable name. Alert `actions` validation will use this configuration to ensure that groups are valid. Use `kbn-i18n` to translate the names of the action group when registering the alert type.
| `recoveryActionGroup`
| An action group to use when an alert instance goes from an active state, to an inactive one. Do not specify this action group under the `actionGroups` property. If `recoveryActionGroup` is not specified, the default `recovered` action group is used.
| `defaultActionGroupId`
| The default ID for the alert type group.
| `actionVariables`
| An explicit list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors. Use `kbn-i18n` to translate the descriptions.
| `producer`
| The ID of the application producing this alert type.
| `authorizedConsumers`
| The list of the plugins IDs that have access to the alert type.
|===

49
docs/api/alerting/legacy/mute.asciidoc
View file

@ -1,49 +0,0 @@
[[alerts-api-mute]]
=== Legacy mute alert instance API
++++
<titleabbrev>Legacy mute alert instance</titleabbrev>
++++
deprecated::[7.13.0,Use <<mute-alert-api>> instead.]
Mute an alert instance.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-mute-request]]
==== Request
`POST <kibana host>:<port>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_mute`
`POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_mute`
[[alerts-api-mute-path-params]]
==== Path parameters
`id`::
(Required, string) The ID of the alert whose instance you want to mute.
`alert_instance_id`::
(Required, string) The ID of the alert instance that you want to mute.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-mute-response-codes]]
==== Response code
`200`::
Indicates a successful call.
==== Example
Mute alert instance with ID:
[source,sh]
--------------------------------------------------
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_mute
--------------------------------------------------
// KIBANA

46
docs/api/alerting/legacy/mute_all.asciidoc
View file

@ -1,46 +0,0 @@
[[alerts-api-mute-all]]
=== Legacy mute all alert instances API
++++
<titleabbrev>Legacy mute all alert instances</titleabbrev>
++++
deprecated::[7.13.0,Use <<mute-all-alerts-api>> instead.]
Mute all alert instances.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-mute-all-request]]
==== Request
`POST <kibana host>:<port>/api/alerts/alert/<id>/_mute_all`
`POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_mute_all`
[[alerts-api-mute-all-path-params]]
==== Path parameters
`id`::
(Required, string) The ID of the alert whose instances you want to mute.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-mute-all-response-codes]]
==== Response code
`200`::
Indicates a successful call.
==== Example
Mute all alert instances with ID:
[source,sh]
--------------------------------------------------
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_mute_all
--------------------------------------------------
// KIBANA

49
docs/api/alerting/legacy/unmute.asciidoc
View file

@ -1,49 +0,0 @@
[[alerts-api-unmute]]
=== Legacy unmute alert instance API
++++
<titleabbrev>Legacy unmute alert instance</titleabbrev>
++++
deprecated::[7.13.0,Use <<unmute-alert-api>> instead.]
Unmute an alert instance.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-unmute-request]]
==== Request
`POST <kibana host>:<port>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_unmute`
`POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/alert_instance/<alert_instance_id>/_unmute`
[[alerts-api-unmute-path-params]]
==== Path parameters
`id`::
(Required, string) The ID of the alert whose instance you want to mute..
`alert_instance_id`::
(Required, string) The ID of the alert instance that you want to unmute.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-unmute-response-codes]]
==== Response code
`200`::
Indicates a successful call.
==== Example
Unmute alert instance with ID:
[source,sh]
--------------------------------------------------
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/alert_instance/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_unmute
--------------------------------------------------
// KIBANA

46
docs/api/alerting/legacy/unmute_all.asciidoc
View file

@ -1,46 +0,0 @@
[[alerts-api-unmute-all]]
=== Legacy unmute all alert instances API
++++
<titleabbrev>Legacy unmute all alert instances</titleabbrev>
++++
deprecated::[7.13.0,Use <<unmute-all-alerts-api>> instead.]
Unmute all alert instances.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-unmute-all-request]]
==== Request
`POST <kibana host>:<port>/api/alerts/alert/<id>/_unmute_all`
`POST <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>/_unmute_all`
[[alerts-api-unmute-all-path-params]]
==== Path parameters
`id`::
(Required, string) The ID of the alert whose instances you want to unmute.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-unmute-all-response-codes]]
==== Response code
`200`::
Indicates a successful call.
==== Example
Unmute all alert instances with ID:
[source,sh]
--------------------------------------------------
$ curl -X POST api/alerts/alert/41893910-6bca-11eb-9e0d-85d233e3ee35/_unmute_all
--------------------------------------------------
// KIBANA

146
docs/api/alerting/legacy/update.asciidoc
View file

@ -1,146 +0,0 @@
[[alerts-api-update]]
=== Legacy update alert API
++++
<titleabbrev>Legacy update alert</titleabbrev>
++++
deprecated::[7.13.0,Use <<update-rule-api>> instead.]
Update the attributes for an existing alert.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[alerts-api-update-request]]
==== Request
`PUT <kibana host>:<port>/api/alerts/alert/<id>`
`PUT <kibana host>:<port>/s/<space_id>/api/alerts/alert/<id>`
[[alerts-api-update-path-params]]
==== Path parameters
`id`::
(Required, string) The ID of the alert that you want to update.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[alerts-api-update-request-body]]
==== Request body
`name`::
(Required, string) A name to reference and search.
`tags`::
(Optional, string array) A list of keywords to reference and search.
`schedule`::
(Required, object) When to run this alert. Use one of the available schedule formats.
+
._Schedule Formats_.
[%collapsible%open]
=====
A schedule uses a key: value format. {kib} currently supports the _Interval format_ , which specifies the interval in seconds, minutes, hours, or days at which to execute the alert.
Example: `{ interval: "10s" }`, `{ interval: "5m" }`, `{ interval: "1h" }`, `{ interval: "1d" }`.
=====
`throttle`::
(Optional, string) How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a `schedule` of 1 minute stays in a triggered state for 90 minutes, setting a `throttle` of `10m` or `1h` will prevent it from sending 90 notifications during this period.
`notifyWhen`::
(Required, string) The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`.
`params`::
(Required, object) The parameters to pass to the alert type executor `params` value. This will also validate against the alert type params validator, if defined.
`actions`::
(Optional, object array) An array of the following action objects.
+
.Properties of the action objects:
[%collapsible%open]
=====
`group`:::
(Required, string) Grouping actions is recommended for escalations for different types of alert instances. If you don't need this, set the value to `default`.
`id`:::
(Required, string) The ID of the action that saved object executes.
`actionTypeId`:::
(Required, string) The id of the <<action-types,action type>>.
`params`:::
(Required, object) The map to the `params` that the <<action-types,action type>> will receive. `params` are handled as Mustache templates and passed a default set of context.
=====
[[alerts-api-update-errors-codes]]
==== Response code
`200`::
Indicates a successful call.
[[alerts-api-update-example]]
==== Example
Update an alert with ID `ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74` with a different name:
[source,sh]
--------------------------------------------------
$ curl -X PUT api/alerts/alert/ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74
{
"notifyWhen": "onActionGroupChange",
"params": {
"aggType": "avg",
},
"schedule": {
"interval": "1m"
},
"actions": [],
"tags": [],
"name": "new name",
"throttle": null,
}
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74",
"notifyWhen": "onActionGroupChange",
"params": {
"aggType": "avg",
},
"consumer": "alerts",
"alertTypeId": "test.alert.type",
"schedule": {
"interval": "1m"
},
"actions": [],
"tags": [],
"name": "new name",
"enabled": true,
"throttle": null,
"apiKeyOwner": "elastic",
"createdBy": "elastic",
"updatedBy": "elastic",
"muteAll": false,
"mutedInstanceIds": [],
"updatedAt": "2021-02-10T05:37:19.086Z",
"createdAt": "2021-02-10T05:37:19.086Z",
"scheduledTaskId": "0b092d90-6b62-11eb-9e0d-85d233e3ee35",
"executionStatus": {
"lastExecutionDate": "2021-02-10T17:55:14.262Z",
"status": "ok"
}
}
--------------------------------------------------

204
docs/api/alerting/list_rule_types.asciidoc
View file

@ -1,204 +0,0 @@
[[list-rule-types-api]]
== Get rule types API
++++
<titleabbrev>Get rule types</titleabbrev>
++++
Retrieve a list of rule types that the user is authorized to access.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[list-rule-types-api-request]]
=== {api-request-title}
`GET <kibana host>:<port>/api/alerting/rule_types`
`GET <kibana host>:<port>/s/<space_id>/api/alerting/rule_types`
=== {api-prereq-title}
If you have `read` privileges for one or more {kib} features, the API response
contains information about the appropriate rule types. For example, there are
rule types associated with the *Management* > *Stack Rules* feature,
*Analytics* > *Discover* and *{ml-app}* features, *{observability}*, and
*Security* features. To get rule types associated with the
*{stack-monitor-app}* feature, use the `monitoring_user` built-in role.
For more details, refer to <<kibana-feature-privileges>>.
=== {api-description-title}
Each rule type includes a list of authorized consumer features. For each feature,
users are authorized to perform either `read` or `all` operations on rules of
that type. This enables you to determine which rule types you can read, create,
or modify. If you want to create or edit a rule in {kib}, some rule types are
limited to specific features and apps.
[[list-rule-types-api-params]]
=== {api-path-parms-title}
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in
the URL, the default space is used.
[[list-rule-types-response]]
=== {api-response-body-title}
Each rule type has the following properties in the API response:
`action_groups`::
(array of objects) An explicit list of groups for which the rule type can
schedule actions, each with the action group's unique ID and human readable name.
Rule `actions` validation uses this configuration to ensure that groups are
valid.
`action_variables`::
(object) A list of action variables that the rule type makes available via
context and state in action parameter templates, and a short human readable
description. When you create a rule in {kib}, it uses this information to prompt
you for these variables in action parameter editors.
`alerts`::
(object) Details about alerts as data documents for this rule type, including any custom mappings.
`authorized_consumers`::
(object) The list of the plugins IDs that have access to the rule type.
`category`::
(string) The rule category, which is used by features such as category-specific maintenance windows.
`default_action_group_id`::
(string) The default ID for the rule type group.
`does_set_recovery_context`::
(boolean) Indicates whether the rule passes context variables to its recovery
action.
`enabled_in_license`::
(boolean) Indicates whether the rule type is enabled or disabled based on the
subscription.
`has_alerts_mappings`::
(boolean) Indicates whether the rule type has custom mappings for the alert data.
// `has_fields_for_a_a_d`:: TBD
`id`::
(string) The unique identifier for the rule type.
`is_exportable`::
(boolean) Indicates whether the rule type is exportable in *{stack-manage-app}*
> *Saved Objects*.
`minimum_license_required`::
(string) The {subscriptions}[subscriptions] required to use the rule type.
`name`::
(string) The descriptive name of the rule type.
`producer`::
(string) An identifier for the application that produces this rule type.
`recovery_action_group`::
(object) An action group to use when an alert goes from an active state to an
inactive one.
[[list-rule-types-api-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[[list-rule-types-api-example]]
=== {api-examples-title}
[source,sh]
--------------------------------------------------
GET api/alerting/rule_types
--------------------------------------------------
// KIBANA
For example, if you have `read` privileges for the {observability} {logs-app},
the API returns the following:
[source,sh]
--------------------------------------------------
[
{
"id":"logs.alert.document.count",
"name":"Log threshold",
"category": "observability",
"producer":"logs",
"alerts": {
"context": "observability.logs",
"mappings": {
"fieldMap": {
"kibana.alert.evaluation.threshold": {
"type": "scaled_float",
"scaling_factor": 100,
"required": false
},
"kibana.alert.evaluation.value": {
"type": "scaled_float",
"scaling_factor": 100,
"required": false
},
...
}
},
"useEcs": true,
"useLegacyAlerts": true
},
"enabled_in_license":true,
"recovery_action_group":{
"id":"recovered",
"name":"Recovered"
},
"action_groups":[
{
"id":"logs.threshold.fired",
"name":"Fired"
},
{
"id":"recovered",
"name":"Recovered"
}
],
"default_action_group_id":"logs.threshold.fired",
"minimum_license_required":"basic",
"is_exportable":true,
"rule_task_timeout":"5m",
"action_variables":{
"context":[
{
"name":"timestamp",
"description":"UTC timestamp of when the alert was triggered"
},
{
"name":"matchingDocuments",
"description":"The number of log entries that matched the conditions provided"
},
{
"name":"conditions",
"description":"The conditions that log entries needed to fulfill"
},
...
],
"state":[],
"params":[]
},
"authorized_consumers":{
"logs":{"read":true,"all":false},
"alerts":{"read":true,"all":false}
},
"does_set_recovery_context":true,
"has_alerts_mappings": true,
"has_fields_for_a_a_d": true
},
....
]
--------------------------------------------------

55
docs/api/alerting/mute_alert.asciidoc
View file

@ -1,55 +0,0 @@
[[mute-alert-api]]
== Mute alert API
++++
<titleabbrev>Mute alert</titleabbrev>
++++
Mute an alert.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[mute-alert-api-request]]
=== {api-request-title}
`POST <kibana host>:<port>/api/alerting/rule/<rule_id>/alert/<alert_id>/_mute`
`POST <kibana host>:<port>/s/<space_id>/api/alerting/rule/<rule_id>/alert/<alert_id>/_mute`
=== {api-prereq-title}
You must have `all` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rule. For example, the
*Management* > *Stack Rules* feature, *Analytics* > *Discover* and *{ml-app}*
features, *{observability}*, and *Security* features. If the rule has `actions`,
you must also have `read` privileges for the *Management* >
*{connectors-feature}* feature. For more details, refer to
<<kibana-feature-privileges>>.
[[mute-alert-api-path-params]]
=== {api-path-parms-title}
`alert_id`::
(Required, string) The ID of the alert that you want to mute. The `alert_id` is generated by the rule and might be any arbitrary string.
`rule_id`::
(Required, string) The ID of the rule whose alert you want to mute.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[mute-alert-api-response-codes]]
=== {api-response-codes-title}
`204`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
POST api/alerting/rule/41893910-6bca-11eb-9e0d-85d233e3ee35/alert/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_mute
--------------------------------------------------
// KIBANA

57
docs/api/alerting/mute_all_alerts.asciidoc
View file

@ -1,57 +0,0 @@
[[mute-all-alerts-api]]
== Mute all alerts API
++++
<titleabbrev>Mute all alerts</titleabbrev>
++++
Mute all alerts.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[mute-all-alerts-api-request]]
=== {api-request-title}
`POST <kibana host>:<port>/api/alerting/rule/<id>/_mute_all`
`POST <kibana host>:<port>/s/<space_id>/api/alerting/rule/<id>/_mute_all`
=== {api-prereq-title}
You must have `all` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rule. For example, the
*Management* > *Stack Rules* feature, *Analytics* > *Discover* and *{ml-app}*
features, *{observability}*, and *Security* features. If the rule has `actions`,
you must also have `read` privileges for the *Management* >
*{connectors-feature}* feature. For more details, refer to
<<kibana-feature-privileges>>.
=== {api-description-title}
This API snoozes the notifications for the rule indefinitely. The rule checks
continue to occur but alerts will not trigger any actions.
[[mute-all-alerts-api-path-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The ID of the rule whose alerts you want to mute.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[mute-all-alerts-api-response-codes]]
=== {api-response-codes-title}
`204`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
POST api/alerting/rule/41893910-6bca-11eb-9e0d-85d233e3ee35/_mute_all
--------------------------------------------------
// KIBANA

55
docs/api/alerting/unmute_alert.asciidoc
View file

@ -1,55 +0,0 @@
[[unmute-alert-api]]
== Unmute alert API
++++
<titleabbrev>Unmute alert</titleabbrev>
++++
Unmute an alert.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[unmute-alert-api-request]]
=== {api-request-title}
`POST <kibana host>:<port>/api/alerting/rule/<rule_id>/alert/<alert_id>/_unmute`
`POST <kibana host>:<port>/s/<space_id>/api/alerting/rule/<rule_id>/alert/<alert_id>/_unmute`
=== {api-prereq-title}
You must have `all` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rule. For example, the
*Management* > *Stack Rules* feature, *Analytics* > *Discover* and *{ml-app}*
features, *{observability}*, and *Security* features. If the rule has `actions`,
you must also have `read` privileges for the *Management* >
*{connectors-feature}* feature. For more details, refer to
<<kibana-feature-privileges>>.
[[unmute-alert-api-path-params]]
=== {api-path-parms-title}
`alert_id`::
(Required, string) The ID of the alert that you want to unmute. The `alert_id` is generated by the rule and might be any arbitrary string.
`rule_id`::
(Required, string) The ID of the rule whose alert you want to mute.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[unmute-alert-api-response-codes]]
=== {api-response-codes-title}
`204`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
POST api/alerting/rule/41893910-6bca-11eb-9e0d-85d233e3ee35/alert/dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2/_unmute
--------------------------------------------------
// KIBANA

57
docs/api/alerting/unmute_all_alerts.asciidoc
View file

@ -1,57 +0,0 @@
[[unmute-all-alerts-api]]
== Unmute all alerts API
++++
<titleabbrev>Unmute all alerts</titleabbrev>
++++
Unmute all alerts.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[unmute-all-alerts-api-all-request]]
=== {api-request-title}
`POST <kibana host>:<port>/api/alerting/rule/<id>/_unmute_all`
`POST <kibana host>:<port>/s/<space_id>/api/alerting/rule/<id>/_unmute_all`
=== {api-prereq-title}
You must have `all` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rule. For example, the
*Management* > *Stack Rules* feature, *Analytics* > *Discover* and *{ml-app}*
features, *{observability}*, and *Security* features. If the rule has `actions`,
you must also have `read` privileges for the *Management* >
*{connectors-feature}* feature. For more details, refer to
<<kibana-feature-privileges>>.
=== {api-description-title}
If the rule has its notifications snoozed indefinitely, this API cancels the
snooze.
[[unmute-all-alerts-api-path-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The ID of the rule whose alerts you want to unmute.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in the URL, the default space is used.
[[unmute-all-alerts-api-response-codes]]
=== {api-response-codes-title}
`204`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
POST api/alerting/rule/41893910-6bca-11eb-9e0d-85d233e3ee35/_unmute_all
--------------------------------------------------
// KIBANA

196
docs/api/alerting/update_rule.asciidoc
View file

@ -1,196 +0,0 @@
[[update-rule-api]]
== Update rule API
++++
<titleabbrev>Update rule</titleabbrev>
++++
Update the attributes for an existing rule.
[NOTE]
====
For the latest details, refer to {api-kibana}/group/endpoint-alerting[alerting APIs].
====
[[update-rule-api-request]]
=== {api-request-title}
`PUT <kibana host>:<port>/api/alerting/rule/<id>`
`PUT <kibana host>:<port>/s/<space_id>/api/alerting/rule/<id>`
=== {api-prereq-title}
You must have `all` privileges for the appropriate {kib} features, depending on
the `consumer` and `rule_type_id` of the rule you're updating. For example, the
*Management* > *Stack Rules* feature, *Analytics* > *Discover* and *{ml-app}*
features, *{observability}*, or *Security* features. If the rule has
`actions`, you must also have `read` privileges for the *Management* >
*{connectors-feature}* feature. For more details, refer to
<<kibana-feature-privileges>>.
[[update-rule-api-path-params]]
=== {api-path-parms-title}
`id`::
(Required, string) The ID of the rule that you want to update.
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in
the URL, the default space is used.
[role="child_attributes"]
[[update-rule-api-request-body]]
=== {api-request-body-title}
`actions`::
(Optional, object array) An array of action objects. The default value is an
empty array (`[]`).
+
.Properties of the action objects:
[%collapsible%open]
=====
`group`:::
(Required, string) Grouping actions is recommended for escalations for different
types of alerts. If you don't need this, set the value to `default`.
`id`:::
(Required, string) The identifier of the action.
`params`:::
(Required, object) The map to the `params` that the
<<action-types,connector type>> will receive. The `params` are handled as
Mustache templates and passed a default set of context.
=====
`name`::
(Required, string) A name to reference and search.
`notify_when`::
(Required, string) The condition for throttling the notification:
`onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`.
`params`::
(Required, object) The parameters to pass to the rule type executor `params`
value. This will also validate against the rule type params validator, if defined.
`schedule`::
(Required, object) When to run this rule. Use one of the available schedule formats.
+
.Schedule formats
[%collapsible%open]
=====
A schedule uses a `key: value` format. {kib} currently supports the
_interval format_, which specifies the interval in seconds, minutes, hours, or
days at which to run the rule. For example: `{ "interval": "10s" }`,
`{ "interval": "5m" }`, `{ "interval": "1h" }`, or `{ "interval": "1d" }`.
=====
`tags`::
(Optional, string array) A list of keywords to reference and search. The default
value is an empty array (`[]`).
`throttle`::
(Optional, string) How often this rule should fire the same actions. This will
prevent the rule from sending out the same notification over and over. For
example, if a rule with a `schedule` of 1 minute stays in a triggered state for
90 minutes, setting a `throttle` of `10m` or `1h` will prevent it from sending
90 notifications during this period. The default value is `null`.
[[update-rule-api-response-codes]]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
[[update-rule-api-example]]
=== {api-examples-title}
Update an index threshold rule with ID `ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74`:
[source,sh]
--------------------------------------------------
PUT api/alerting/rule/ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74
{
"notify_when": "onActionGroupChange",
"params": {
"index":[".test-index"],
"timeField":"@timestamp",
"groupBy":"top",
"aggType":"avg",
"timeWindowSize":5,
"timeWindowUnit":"m",
"thresholdComparator":">",
"threshold":[1000],
"aggField":"sheet.version",
"termField":"name.keyword",
"termSize":6
},
"schedule": {
"interval": "1m"
},
"actions": [],
"tags": [],
"name": "new name",
"throttle": null
}
--------------------------------------------------
// KIBANA
The API returns the following:
[source,sh]
--------------------------------------------------
{
"id": "ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74",
"consumer": "alerts",
"tags": [],
"name": "new name",
"enabled": true,
"throttle": null,
"schedule": {
"interval": "1m"
},
"params": {
"index": [".updated-index"],
"timeField": "@timestamp",
"groupBy": "top",
"aggType": "avg",
"timeWindowSize": 5,
"timeWindowUnit": "m",
"thresholdComparator": ">",
"threshold": [1000],
"aggField": "sheet.version",
"termField": "name.keyword",
"termSize": 6
},
"api_key_owner": "elastic",
"created_by": "elastic",
"updated_by": "elastic",
"rule_type_id": ".index-threshold",
"scheduled_task_id": "4c5eda00-e74f-11ec-b72f-5b18752ff9ea",
"created_at": "2022-12-12T22:43:20.578Z",
"updated_at": "2022-12-12T22:44:21.783Z",
"notify_when": "onActionGroupChange",
"mute_all": false,
"muted_alert_ids": [],
"execution_status": {
"status": "ok",
"last_execution_date": "2022-12-12T22:43:21.723Z",
"last_duration": 125
},
"actions":[],
"last_run":{
"alerts_count": {
"new": 0,
"ignored": 0,
"recovered": 0,
"active": 0
},
"outcome_msg" :null,
"warning": null,
"outcome": "succeeded"
},
"next_run": "2022-12-12T22:44:21.653Z"
}
--------------------------------------------------

32
docs/api/cases.asciidoc
View file

@ -1,34 +1,4 @@
[[cases-api]]
== Cases APIs
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[case APIs].
//ADD
include::cases/cases-api-add-comment.asciidoc[leveloffset=+1]
//CREATE
include::cases/cases-api-create.asciidoc[leveloffset=+1]
//DELETE
include::cases/cases-api-delete-cases.asciidoc[leveloffset=+1]
include::cases/cases-api-delete-comments.asciidoc[leveloffset=+1]
//FIND
include::cases/cases-api-find-case-activity.asciidoc[leveloffset=+1]
include::cases/cases-api-find-cases.asciidoc[leveloffset=+1]
include::cases/cases-api-find-connectors.asciidoc[leveloffset=+1]
//GET
include::cases/cases-api-get-alerts.asciidoc[leveloffset=+1]
include::cases/cases-api-get-case-activity.asciidoc[leveloffset=+1]
include::cases/cases-api-get-case.asciidoc[leveloffset=+1]
include::cases/cases-api-get-status.asciidoc[leveloffset=+1]
include::cases/cases-api-get-cases-by-alert.asciidoc[leveloffset=+1]
include::cases/cases-api-get-comments.asciidoc[leveloffset=+1]
include::cases/cases-api-get-configuration.asciidoc[leveloffset=+1]
include::cases/cases-api-get-reporters.asciidoc[leveloffset=+1]
include::cases/cases-api-get-tags.asciidoc[leveloffset=+1]
//PUSH
include::cases/cases-api-push.asciidoc[leveloffset=+1]
//SET
include::cases/cases-api-set-configuration.asciidoc[leveloffset=+1]
//UPDATE
include::cases/cases-api-update.asciidoc[leveloffset=+1]
include::cases/cases-api-update-comment.asciidoc[leveloffset=+1]
include::cases/cases-api-update-configuration.asciidoc[leveloffset=+1]
For the latest details, refer to {api-kibana}/group/endpoint-cases[case APIs].

178
docs/api/cases/cases-api-add-comment.asciidoc
View file

@ -1,178 +0,0 @@
[[cases-api-add-comment]]
== Add comment to case API
++++
<titleabbrev>Add comment</titleabbrev>
++++
Adds a comment or alert to a case.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`POST <kibana host>:<port>/api/cases/<case_id>/comments`
`POST <kibana host>:<port>/s/<space_id>/api/cases/<case_id>/comments`
=== {api-prereq-title}
You must have `all` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the case you're updating.
=== {api-description-title}
NOTE: Each case can have a maximum of 1,000 alerts.
=== {api-path-parms-title}
`<case_id>`::
(Required,string) The identifier for the case. To retrieve case IDs, use
<<cases-api-find-cases>>.
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
[role="child_attributes"]
=== {api-request-body-title}
`alertId`::
(Required*, string or array of strings) The alert identifiers. It is required
only when `type` is `alert`. You can use an array of strings to add multiple
alerts to a case, provided that they all relate to the same rule; `index` must
also be an array with the same length or number of elements. Adding multiple
alerts in this manner is recommended rather than calling the API multiple times.
preview:[]
`comment`::
(Required*, string) The new comment. It is required only when `type` is `user`.
`index`::
(Required*, string or array of strings) The alert indices. It is required only
when `type` is `alert`. If you are adding multiple alerts to a case, use an array
of strings; the position of each index name in the array must match the position
of the corresponding alert identifier in the `alertId` array. preview:[]
`owner`::
(Required, string) The application that owns the case. Valid values are:
`cases`, `observability`, or `securitySolution`.
`rule`::
(Required*, object) The rule that is associated with the alerts. It is required
only when `type` is `alert`. preview:[]
+
.Properties of `rule`
[%collapsible%open]
====
`id`::
(Required, string) The rule identifier. preview:[]
`name`::
(Required, string) The rule name. preview:[]
====
`type`::
(Required, string) The comment type, which must be `user` or `alert`.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Add a comment to case ID `293f1bc0-74f6-11ea-b83a-553aecdb28b6`:
[source,sh]
--------------------------------------------------
POST api/cases/293f1bc0-74f6-11ea-b83a-553aecdb28b6/comments
{
"type": "user",
"comment": "A new comment.",
"owner": "cases"
}
--------------------------------------------------
// KIBANA
The API returns details about the case and its comments. For example:
[source,json]
--------------------------------------------------
{
"comments":[
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"version": "WzIwNDMxLDFd",
"type": "user",
"owner": "cases",
"comment": "A new comment.",
"created_at": "2022-03-24T00:49:47.716Z",
"created_by": {
"email": null,
"full_name": null,
"username": "elastic"
},
"pushed_at": null,
"pushed_by": null,
"updated_at": null,
"updated_by": null
}
],
"totalAlerts": 0,
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"version": "WzIzMzgsMV0=",
"totalComment": 1,
"title": "Case title 1",
"tags": ["tag 1"],
"description": "A case description.",
"settings": {
"syncAlerts": false
},
"owner": "cases",
"duration": null,
"severity": "low",
"closed_at": null,
"closed_by": null,
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"full_name": null,
"username": "elastic"
},
"status": "open",
"updated_at": "2022-03-24T00:49:47.716Z",
"updated_by": {
"email": null,
"full_name": null,
"username": "elastic"
},
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"external_service": null
}
--------------------------------------------------
Add an alert to the case:
[source,sh]
--------------------------------------------------
POST api/cases/293f1bc0-74f6-11ea-b83a-553aecdb28b6/comments
{
"alertId": "6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42",
"index": ".internal.alerts-security.alerts-default-000001",
"type": "alert",
"owner": "cases",
"rule": {
"id":"94d80550-aaf4-11ec-985f-97e55adae8b9",
"name":"security_rule"
}
}
--------------------------------------------------
// KIBANA

255
docs/api/cases/cases-api-create.asciidoc
View file

@ -1,255 +0,0 @@
[[cases-api-create]]
== Create case API
++++
<titleabbrev>Create case</titleabbrev>
++++
Creates a case.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`POST <kibana host>:<port>/api/cases`
`POST <kibana host>:<port>/s/<space_id>/api/cases`
=== {api-prereq-title}
You must have `all` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the case you're creating.
=== {api-path-parms-title}
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
[role="child_attributes"]
=== {api-request-body-title}
`assignees`::
(Optional, array of objects) Array containing users that are assigned to the case.
+
.Properties of assignee objects
[%collapsible%open]
=====
`uid`::
(Required, string) A unique identifier for the user profile. These identifiers
can be found by using the
{ref}/security-api-suggest-user-profile.html[suggest user profile API].
=====
`connector`::
(Required, object) An object that contains the connector configuration.
+
.Properties of `connector`
[%collapsible%open]
====
`fields`::
(Required, object) An object containing the connector fields. To create a case
without a connector, specify `null`. If you want to omit any individual field,
specify `null` as its value.
+
.Properties of `fields`
[%collapsible%open]
=====
For {ibm-r} connectors, specify:
`issueTypes`:::
(Required, array of strings) The type of the incident.
`severityCode`:::
(Required, string) The severity code of the incident.
For {jira} connectors, specify:
`issueType`:::
(Required, string) The type of the issue.
`parent`:::
(Required, string) The key of the parent issue, when the issue type is `Sub-task`.
`priority`:::
(Required, string) The priority of the issue.
For {sn-itsm} connectors, specify:
`category`:::
(Required, string) The category of the incident.
`impact`:::
(Required, string) The effect an incident had on business.
`severity`:::
(Required, string) The severity of the incident.
`subcategory`:::
(Required, string) The subcategory of the incident.
`urgency`:::
(Required, string) The extent to which the incident resolution can be delayed.
For {sn-sir} connectors, specify:
`category`:::
(Required, string) The category of the incident.
`destIp`:::
(Required, string) A comma separated list of destination IPs.
`malwareHash`:::
(Required, string) A comma separated list of malware hashes.
`malwareUrl`:::
(Required, string) A comma separated list of malware URLs.
`priority`:::
(Required, string) The priority of the incident.
`sourceIp`:::
(Required, string) A comma separated list of source IPs.
`subcategory`:::
(Required, string) The subcategory of the incident.
For {swimlane} connectors, specify:
`caseId`:::
(Required, string) The case ID.
For {webhook-cm} connectors, specify `null`.
=====
`id`::
(Required, string) The identifier for the connector. To create a case without a
connector, use `none`. To retrieve connector IDs, use
<<cases-api-find-connectors>>.
`name`::
(Required, string) The name of the connector. To create a case without a
connector, use `none`.
`type`::
(Required, string) The type of the connector. Valid values are: `.cases-webhook`,
`.jira`, `.none`, `.resilient`,`.servicenow`, `.servicenow-sir`, and `.swimlane`.
To create a case without a connector, use `.none`.
====
`description`::
(Required, string) The description for the case.
`owner`::
(Required, string) The application that owns the case. Valid values are:
`cases`, `observability`, or `securitySolution`. This value affects
whether the case is visible in the {stack-manage-app}, {observability}, or
{security-app}.
`settings`::
(Required, object)
An object that contains the case settings.
+
.Properties of `settings`
[%collapsible%open]
====
`syncAlerts`::
(Required, boolean) Turns alert syncing on or off.
====
`severity`::
(Optional,string) The severity of the case. Valid values are: `critical`, `high`,
`low`, and `medium`.
`tags`::
(Required, string array) The words and phrases that help
categorize cases. It can be an empty array.
`title`::
(Required, string) A title for the case.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
POST api/cases
{
"description": "A case description.",
"title": "Case title 1",
"tags": [ "tag 1" ],
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"issueType": "10006",
"priority": "High",
"parent": null
}
},
"settings": {
"syncAlerts": true
},
"owner": "cases"
}
--------------------------------------------------
// KIBANA
The API returns a JSON object that includes the user who created the case and
the case identifier, version, and creation time. For example:
[source,json]
--------------------------------------------------
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192", <1>
"version": "WzUzMiwxXQ==",
"comments": [],
"totalComment": 0,
"totalAlerts": 0,
"title": "Case title 1",
"tags": [ "tag 1" ],
"assignees": [],
"settings": {
"syncAlerts": true
},
"owner": "cases",
"description": "A case description.",
"duration": null,
"severity": "low",
"closed_at": null,
"closed_by": null,
"created_at": "2022-05-13T09:16:17.416Z",
"created_by": {
"email": null,
"full_name": null,
"username": "elastic"
},
"status": "open",
"updated_at": null,
"updated_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498", <2>
"name": "My connector",
"type": ".jira",
"fields": {
"issueType": "10006",
"parent": null,
"priority": "High"
}
},
"external_service": null <3>
}
--------------------------------------------------
<1> The case identifier is also its saved object ID (`savedObjectId`), which is
used when pushing cases to external systems.
<2> The default connector used to push cases to external services.
<3> The `external_service` object stores information about the incident after it
is pushed to an external incident management system.

54
docs/api/cases/cases-api-delete-cases.asciidoc
View file

@ -1,54 +0,0 @@
[[cases-api-delete-cases]]
== Delete cases API
++++
<titleabbrev>Delete cases</titleabbrev>
++++
Deletes one or more cases.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`DELETE <kibana host>:<port>/api/cases?ids=["<case ID1>","<case ID2>"]`
`DELETE <kibana host>:<port>/s/<space_id>/api/cases?ids=["<case ID1>","<case ID2>"]`
=== {api-prereq-title}
You must have `read` or `all` privileges and the `delete` sub-feature privilege
for the *Cases* feature in the *Management*, *{observability}*, or *Security*
section of the <<kibana-feature-privileges,{kib} feature privileges>>, depending
on the `owner` of the cases you're deleting.
=== {api-path-parms-title}
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-query-parms-title}
`ids`::
(Required, string) The cases that you want to remove. To retrieve case IDs, use
<<cases-api-find-cases>>.
+
NOTE: All non-ASCII characters must be URL encoded.
=== {api-response-codes-title}
`204`::
Indicates a successful call.
=== {api-examples-title}
Delete cases with these IDs:
* `2e3a54f0-6754-11ea-a1c2-e3a8bc9f7aca`
* `40b9a450-66a0-11ea-be1b-2bd3fef48984`
[source,console]
--------------------------------------------------
DELETE api/cases?ids=%5B%222e3a54f0-6754-11ea-a1c2-e3a8bc9f7aca%22%2C%2240b9a450-66a0-11ea-be1b-2bd3fef48984%22%5D
--------------------------------------------------
// KIBANA

65
docs/api/cases/cases-api-delete-comments.asciidoc
View file

@ -1,65 +0,0 @@
[[cases-api-delete-comments]]
== Delete comments from case API
++++
<titleabbrev>Delete comments</titleabbrev>
++++
Deletes one or all comments and alerts from a case.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`DELETE <kibana host>:<port>/api/cases/<case_id>/comments`
`DELETE <kibana host>:<port>/api/cases/<case_id>/comments/<comment_id>`
`DELETE <kibana host>:<port>/s/<space_id>/api/cases/<case_id>/comments`
`DELETE <kibana host>:<port>/s/<space_id>/api/cases/<case_id>/comments/<comment_id>`
=== {api-prereq-title}
You must have `read` or `all` privileges and the `delete` sub-feature privilege
for the *Cases* feature in the *Management*, *{observability}*, or *Security*
section of the <<kibana-feature-privileges,{kib} feature privileges>>, depending
on the `owner` of the cases you're updating.
=== {api-path-parms-title}
`<case_id>`::
(Required, string) The identifier for the case. To retrieve case IDs, use
<<cases-api-find-cases>>.
`<comment_id>`::
(Optional, string) The identifier for the comment. To retrieve comment IDs, use
<<cases-api-get-case>> or <<cases-api-find-cases>>. If it is not specified, all
comments are deleted.
<space_id>::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-response-codes-title}
`204`::
Indicates a successful call.
=== {api-examples-title}
Delete all comments from case ID `9c235210-6834-11ea-a78c-6ffb38a34414`:
[source,console]
--------------------------------------------------
DELETE api/cases/a18b38a0-71b0-11ea-a0b2-c51ea50a58e2/comments
--------------------------------------------------
// KIBANA
Delete comment ID `71ec1870-725b-11ea-a0b2-c51ea50a58e2` from case ID
`a18b38a0-71b0-11ea-a0b2-c51ea50a58e2`:
[source,sh]
--------------------------------------------------
DELETE api/cases/a18b38a0-71b0-11ea-a0b2-c51ea50a58e2/comments/71ec1870-725b-11ea-a0b2-c51ea50a58e2
--------------------------------------------------
// KIBANA

16
docs/api/cases/cases-api-find-case-activity.asciidoc
View file

@ -1,16 +0,0 @@
[[cases-api-find-case-activity]]
== Find case activity API
++++
<titleabbrev>Find case activity</titleabbrev>
++++
Finds user activity for a case.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/<case_id>/user_actions/_find`
`GET <kibana host>:<port>/s/<space_id>/api/cases/<case_id>/user_actions/_find`

167
docs/api/cases/cases-api-find-cases.asciidoc
View file

@ -1,167 +0,0 @@
[[cases-api-find-cases]]
== Find cases API
++++
<titleabbrev>Find cases</titleabbrev>
++++
Retrieves a paginated subset of cases.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/_find`
`GET <kibana host>:<port>/s/<space_id>/api/cases/_find`
=== {api-prereq-title}
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the cases you're seeking.
=== {api-path-parms-title}
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-query-parms-title}
`assignees`::
(Optional, string or array of strings) Filters the returned cases by assignees.
Valid values are `none` or unique identifiers for the user profiles. These
identifiers can be found by using the
{ref}/security-api-suggest-user-profile.html[suggest user profile API].
`defaultSearchOperator`::
(Optional, string) The default operator to use for the `simple_query_string`.
Defaults to `OR`.
`from`::
(Optional, string) Returns only cases that were created after a specific date. The date must be specified as a <<kuery-query,KQL>> data range or date match expression. preview:[]
`owner`::
(Optional, string or array of strings) A filter to limit the retrieved cases to
a specific set of applications. Valid values are: `cases`, `observability`,
and `securitySolution`. If this parameter is omitted, the response contains all
cases that the user has access to read.
`page`::
(Optional, integer) The page number to return. Defaults to `1`.
`perPage`::
(Optional, integer) The number of rules to return per page. Defaults to `20`.
`reporters`::
(Optional, string or array of strings) Filters the returned cases by the
reporter's `username`.
`search`::
(Optional, string) An {es}
{ref}/query-dsl-simple-query-string-query.html[simple_query_string] query that
filters the objects in the response.
`searchFields`::
(Optional, string or array of strings) The fields to perform the
`simple_query_string` parsed query against.
`severity`::
(Optional,string) The severity of the case. Valid values are: `critical`, `high`,
`low`, and `medium`.
`sortField`::
(Optional, string) Determines which field is used to sort the results,
`createdAt` or `updatedAt`. Defaults to `createdAt`.
+
NOTE: Even though the JSON case object uses `created_at` and `updated_at`
fields, you must use `createdAt` and `updatedAt` fields in the URL
query.
`sortOrder`::
(Optional, string) Determines the sort order, which can be `desc` or `asc`.
Defaults to `desc`.
`status`::
(Optional, string) Filters the returned cases by state, which can be `open`,
`in-progress`, or `closed`.
`tags`::
(Optional, string or array of strings) Filters the returned cases by tags.
`to`::
(Optional, string) Returns only cases that were created before a specific date. The date must be specified as a <<kuery-query,KQL>> data range or date match expression. preview:[]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Retrieve the first five cases with the `tag-1` tag, in ascending order by
last update time:
[source,sh]
--------------------------------------------------
GET api/cases/_find?page=1&perPage=5&sortField=updatedAt&sortOrder=asc&tags=tag-1
--------------------------------------------------
// KIBANA
The API returns a JSON object listing the retrieved cases. For example:
[source,json]
--------------------------------------------------
{
"page": 1,
"per_page": 5,
"total": 1,
"cases": [
{
"id": "abed3a70-71bd-11ea-a0b2-c51ea50a58e2",
"version": "WzExMCwxXQ==",
"comments": [],
"totalComment": 1,
"totalAlerts": 0,
"title": "Case title",
"tags": [ "tag-1" ],
"description": "Case description",
"settings": { "syncAlerts": true },
"owner": "securitySolution",
"duration": null, <1>
"severity": "low",
"closed_at": null,
"closed_by": null,
"created_at": "2022-05-12T00:16:36.371Z",
"created_by": {
"email": "jdoe@email.com",
"full_name": "Jane Doe",
"username": "jdoe"
},
"status": "open",
"updated_at": "2022-05-12T00:27:58.162Z",
"updated_by": {
"email": "jsmith@email.com",
"full_name": "Joe Smith",
"username": "jsmith"
},
"assignees": [],
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"external_service": null
}
],
"count_open_cases": 1,
"count_in_progress_cases":0,
"count_closed_cases": 0
}
--------------------------------------------------
<1> Duration represents the elapsed time from the creation of the case to its
closure (in seconds). If the case has not been closed, the duration is set to
`null`. If the case was closed after less than half a second, the duration is
rounded down to zero.

63
docs/api/cases/cases-api-find-connectors.asciidoc
View file

@ -1,63 +0,0 @@
[[cases-api-find-connectors]]
== Find connectors API
++++
<titleabbrev>Find connectors</titleabbrev>
++++
Retrieves information about <<action-types,connectors>>.
In particular, only the connectors that are supported for use in cases are
returned. Refer to the list of supported external incident management systems in
<<case-connectors>>.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/configure/connectors/_find`
`GET <kibana host>:<port>/s/<space_id>/api/cases/configure/connectors/_find`
=== {api-prereq-title}
You must have `read` privileges for the *{connectors-feature}* feature in the
*Management* section of the
<<kibana-feature-privileges,{kib} feature privileges>>.
=== {api-path-parms-title}
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
GET api/cases/configure/connectors/_find
--------------------------------------------------
// KIBANA
The API returns a JSON object describing the connectors and their settings:
[source,json]
--------------------------------------------------
[{
"id":"61787f53-4eee-4741-8df6-8fe84fa616f7",
"actionTypeId": ".jira",
"name":"my-Jira",
"isMissingSecrets":false,
"config": {
"apiUrl":"https://elastic.atlassian.net/",
"projectKey":"ES"
},
"isPreconfigured":false,
"isDeprecated": false,
"referencedByCount":0
}]
--------------------------------------------------

62
docs/api/cases/cases-api-get-alerts.asciidoc
View file

@ -1,62 +0,0 @@
[[cases-api-get-alerts]]
== Get alerts attached to case API
++++
<titleabbrev>Get alerts</titleabbrev>
++++
preview::[]
Gets all alerts attached to a case.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/<case_id>/alerts`
`GET <kibana host>:<port>/s/<space_id>/api/cases/<case_id>/alerts`
=== {api-prereq-title}
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the cases you're seeking.
=== {api-path-parms-title}
`<case_id>`::
(Required, string) The identifier for the case. To retrieve case IDs, use
<<cases-api-find-cases>>.
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Return all alerts attached to case `a8b26350-0c55-11ed-918a-2d2edf3e58bc`:
[source,sh]
--------------------------------------------------
GET api/cases/a8b26350-0c55-11ed-918a-2d2edf3e58bc/alerts
--------------------------------------------------
// KIBANA
The API returns a JSON array listing the alerts. For example:
[source,json]
--------------------------------------------------
[
{
"id": "f6a7d0c3-d52d-432c-b2e6-447cd7fce04d",
"index": ".alerts-observability.logs.alerts-default",
"attached_at": "2022-07-25T20:09:40.963Z"
}
]
--------------------------------------------------

107
docs/api/cases/cases-api-get-case-activity.asciidoc
View file

@ -1,107 +0,0 @@
[[cases-api-get-case-activity]]
== Get case activity API
++++
<titleabbrev>Get case activity</titleabbrev>
++++
Returns all user activity for a case.
deprecated::[8.1.0,Use <<cases-api-find-case-activity>> instead.]
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/<case ID>/user_actions`
`GET <kibana host>:<port>/s/<space_id>/api/cases/<case ID>/user_actions`
=== {api-prereq-title}
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the case you're seeking.
=== {api-path-parms-title}
`<case_id>`::
(Required, string) An identifier for the case to retrieve. Use
<<cases-api-find-cases>> to retrieve case IDs.
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Gets all activity for case ID `22df07d0-03b1-11ed-920c-974bfa104448`:
[source,sh]
--------------------------------------------------
GET api/cases/22df07d0-03b1-11ed-920c-974bfa104448/user_actions
--------------------------------------------------
// KIBANA
The API returns a JSON object with all the activity for the case. For example:
[source,json]
--------------------------------------------------
[
{
"created_at":"2022-07-14T20:11:24.947Z",
"created_by":{
"username":"elastic",
"email":null,
"full_name":null
},
"owner":"cases",
"action":"create",
"payload":{
"description":"A case description",
"title":"Case title 1",
"tags":["tag 1"],
"connector":{
"name":"none",
"type":".none",
"fields":null,
"id":"none"
},
"settings":{"syncAlerts":true},
"owner":"cases",
"severity":"low",
"status":"open"
},
"type":"create_case",
"action_id":"22fd3e30-03b1-11ed-920c-974bfa104448",
"case_id":"22df07d0-03b1-11ed-920c-974bfa104448",
"comment_id":null
},
{
"created_at":"2022-07-14T20:12:53.354Z",
"created_by":{
"username":"elastic",
"email":null,
"full_name":null
},
"owner":"cases",
"action":"create",
"payload":{
"comment":{
"type":"user",
"owner":"cases",
"comment":"A new comment"
}
},
"type":"comment",
"action_id":"57af14a0-03b1-11ed-920c-974bfa104448",
"case_id":"22df07d0-03b1-11ed-920c-974bfa104448",
"comment_id":"578608d0-03b1-11ed-920c-974bfa104448"
}
]
--------------------------------------------------

99
docs/api/cases/cases-api-get-case.asciidoc
View file

@ -1,99 +0,0 @@
[[cases-api-get-case]]
== Get case API
++++
<titleabbrev>Get case</titleabbrev>
++++
Returns information about a case.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/<case ID>`
`GET <kibana host>:<port>/s/<space_id>/api/cases/<case ID>`
=== {api-prereq-title}
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the case you're seeking.
=== {api-path-parms-title}
`<case_id>`::
(Required, string) An identifier for the case to retrieve. Use
<<cases-api-find-cases>> to retrieve case IDs.
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-query-parms-title}
`includeComments`::
(Optional, boolean) Determines whether case comments are returned. Defaults to
`true`. deprecated:[8.1.0, "The `includeComments` query parameter is deprecated and will be removed in a future release."]
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Returns case ID `31cdada0-02c1-11ed-85f2-4f7c222ca2fa`:
[source,sh]
--------------------------------------------------
GET api/cases/31cdada0-02c1-11ed-85f2-4f7c222ca2fa
--------------------------------------------------
// KIBANA
The API returns a JSON object with the retrieved case. For example:
[source,json]
--------------------------------------------------
{
"id":"31cdada0-02c1-11ed-85f2-4f7c222ca2fa",
"version":"WzM2LDFd",
"comments":[{
"id":"2134c1d0-02c2-11ed-85f2-4f7c222ca2fa",
"version":"WzM3LDFd",
"type":"user",
"owner":"cases",
"comment":"A new comment",
"created_at":"2022-07-13T15:40:32.335Z",
"created_by":{"email":null,"full_name":null,"username":"elastic"},
"pushed_at":null,
"pushed_by":null,
"updated_at":null,
"updated_by":null
}],
"totalComment":1,
"totalAlerts":0,
"title":"Case title 1",
"tags":["tag 1"],
"settings":{"syncAlerts":true},
"owner":"cases",
"description":"A case description",
"duration":null, <1>
"severity":"low",
"closed_at":null,
"closed_by":null,
"created_at":"2022-07-13T15:33:50.604Z",
"created_by":{"username":"elastic","email":null,"full_name":null},
"status":"open",
"updated_at":"2022-07-13T15:40:32.335Z",
"updated_by":{"full_name":null,"email":null,"username":"elastic"},
"assignees":[{"uid":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"}],
"connector":{"id":"none","name":"none","type":".none","fields":null},
"external_service":null
}
--------------------------------------------------
<1> Duration represents the elapsed time from the creation of the case to its
closure (in seconds). If the case has not been closed, the duration is set to
`null`. If the case was closed after less than half a second, the duration is
rounded down to zero.

71
docs/api/cases/cases-api-get-cases-by-alert.asciidoc
View file

@ -1,71 +0,0 @@
[[cases-api-get-cases-by-alert]]
== Get cases by alert API
++++
<titleabbrev>Get cases by alert</titleabbrev>
++++
preview::[]
Returns the cases associated with a specific alert.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/alerts/<alert_id>`
`GET <kibana host>:<port>/s/<space_id>/api/cases/alerts/<alert_id>`
=== {api-prereq-title}
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the cases you're seeking.
=== {api-path-parms-title}
`<alert_id>`::
(Required, string) The alert identifier.
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-query-parms-title}
`owner`::
(Optional, string or array of strings) A filter to limit the retrieved cases to
a specific set of applications. Valid values are: `cases`, `observability`,
and `securitySolution`. If this parameter is omitted, the response contains all
cases that the user has access to read.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Return cases associated with the alert ID
`09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540`:
[source,sh]
--------------------------------------------------
GET api/cases/alerts/09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540
--------------------------------------------------
// KIBANA
The API returns a JSON array containing the identifier and title of the cases.
For example:
[source,json]
--------------------------------------------------
[
{
"id": "06116b80-e1c3-11ec-be9b-9b1838238ee6",
"title":"security_case"
}
]
--------------------------------------------------

82
docs/api/cases/cases-api-get-comments.asciidoc
View file

@ -1,82 +0,0 @@
[[cases-api-get-comments]]
== Get comments API
++++
<titleabbrev>Get comments</titleabbrev>
++++
Gets a comment or all comments for a case.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/<case ID>/comments/<comment ID>`
`GET <kibana host>:<port>/s/<space_id>/api/cases/<case ID>/comments/<comment ID>`
`GET <kibana host>:<port>/api/cases/<case_id>/comments` deprecated:[8.1.0]
`GET <kibana host>:<port>/s/<space_id>/api/cases/<case_id>/comments` deprecated:[8.1.0]
=== {api-prereq-title}
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the cases with the comments you're seeking.
=== {api-path-parms-title}
`<case_id>`::
(Required, string) The identifier for the case. To retrieve case IDs, use
<<cases-api-find-cases>>.
`<comment_id>`::
(Optional, string) The identifier for the comment. To retrieve comment IDs, use
<<cases-api-get-case>>.
+
If it is not specified, all comments are retrieved.
deprecated:[8.1.0,The comment identifier will no longer be optional.]
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Retrieves comment ID `8048b460-fe2b-11ec-b15d-779a7c8bbcc3` from case ID
`ecbf8a20-fe2a-11ec-b15d-779a7c8bbcc3`:
[source,sh]
--------------------------------------------------
GET api/cases/ecbf8a20-fe2a-11ec-b15d-779a7c8bbcc3/comments/8048b460-fe2b-11ec-b15d-779a7c8bbcc3
--------------------------------------------------
// KIBANA
The API returns the requested comment JSON object. For example:
[source,json]
--------------------------------------------------
{
"id":"8048b460-fe2b-11ec-b15d-779a7c8bbcc3",
"version":"WzIzLDFd",
"type":"user",
"owner":"cases",
"comment":"A new comment",
"created_at":"2022-07-07T19:32:13.104Z",
"created_by":{
"email":null,
"full_name":null,
"username":"elastic"
},
"pushed_at":null,
"pushed_by":null,
"updated_at":null,
"updated_by":null
}
--------------------------------------------------

97
docs/api/cases/cases-api-get-configuration.asciidoc
View file

@ -1,97 +0,0 @@
[[cases-get-configuration]]
== Get case configuration API
++++
<titleabbrev>Get configuration</titleabbrev>
++++
Retrieves external connection details, such as the closure type and
default connector for cases.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/configure`
`GET <kibana host>:<port>/s/<space_id>/api/cases/configure`
=== {api-prereq-title}
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the case configuration.
=== {api-path-parms-title}
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-query-parms-title}
`owner`::
(Optional, string or array of strings) A filter to limit the retrieved
details to a specific set of applications. Valid values are: `cases`,
`observability`, and `securitySolution`. If this parameter is omitted, the
response contains information for all applications that the user has access to
read.
=== Response code
`200`::
Indicates a successful call.
=== Example
[source,sh]
--------------------------------------------------
GET api/cases/configure?owner=cases
--------------------------------------------------
// KIBANA
The API returns the following type of information:
[source,json]
--------------------------------------------------
[
{
"closure_type": "close-by-user",
"owner": "cases",
"created_at": "2022-06-01T17:07:17.767Z",
"created_by": {
"email": "null",
"full_name": "null",
"username": "elastic"
},
"updated_at": null,
"updated_by": null,
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "my-jira-connector",
"type": ".jira",
"fields": null
},
"mappings": [
{
"source": "title",
"target": "summary",
"action_type": "overwrite"
},
{
"source": "description",
"target": "description",
"action_type": "overwrite"
},
{
"source": "comments",
"target": "comments",
"action_type": "append"
}
],
"version": "WzE3NywxXQ==",
"error": null,
"id": "7349772f-421a-4de3-b8bb-2d9b22ccee30"
}
]
--------------------------------------------------

63
docs/api/cases/cases-api-get-reporters.asciidoc
View file

@ -1,63 +0,0 @@
[[cases-api-get-reporters]]
== Get reporters API
++++
<titleabbrev>Get reporters</titleabbrev>
++++
Returns information about the users who opened cases.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/reporters`
`GET <kibana host>:<port>/s/api/cases/reporters`
=== {api-prereq-title}
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the cases.
=== {api-description-title}
The API returns information about the users as they existed at the time of the
case creation, including their name, full name, and email address. If any of
those details change thereafter or if a user is deleted, the information
returned by this API is unchanged.
=== {api-query-parms-title}
`owner`::
(Optional, string or array of strings) A filter to limit the retrieved reporters
to a specific set of applications. If this parameter is omitted, the response
will contain all reporters from cases that the user has access to read.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Returns all case reporters:
[source,sh]
--------------------------------------------------
GET api/cases/reporters
--------------------------------------------------
// KIBANA
The API returns a JSON object with the retrieved reporters. For example:
[source,json]
--------------------------------------------------
[
{"username":"elastic","full_name":null,"email":null},
{"username":"user1","full_name":"User 1","email":"user1@elastic.co"},
{"username":"user2","full_name":"User 2","email":"user2@elastic.co"}
]
--------------------------------------------------

62
docs/api/cases/cases-api-get-status.asciidoc
View file

@ -1,62 +0,0 @@
[[cases-api-get-status]]
== Get case status API
++++
<titleabbrev>Get case status</titleabbrev>
++++
Returns the number of cases that are open, closed, and in progress.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
deprecated::[8.1.0]
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/status`
`GET <kibana host>:<port>/s/<space_id>/api/cases/status`
=== {api-prereq-title}
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the cases you're seeking.
=== {api-path-parms-title}
<space_id>::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-query-parms-title}
`owner`::
(Optional, string or array of strings) A filter to limit the retrieved case
statistics to a specific set of applications. Valid values are: `cases`,
`observability`, and `securitySolution`. If this parameter is omitted, the
response contains all cases that the user has access to read.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
GET api/cases/status
--------------------------------------------------
// KIBANA
The API returns the following type of information:
[source,json]
--------------------------------------------------
{
"count_open_cases": 27,
"count_in_progress_cases": 50,
"count_closed_cases": 1198,
}
--------------------------------------------------

62
docs/api/cases/cases-api-get-tags.asciidoc
View file

@ -1,62 +0,0 @@
[[cases-api-get-tag]]
== Get tags API
++++
<titleabbrev>Get tags</titleabbrev>
++++
Aggregates and returns a list of case tags.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`GET <kibana host>:<port>/api/cases/tags`
`GET <kibana host>:<port>/s/<space_id>/api/cases/tags`
=== {api-prereq-title}
You must have `read` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the cases you're seeking.
=== {api-path-parms-title}
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-query-parms-title}
`owner`::
(Optional, string or array of strings) A filter to limit the retrieved tags to a
specific set of applications. Valid values are: `cases`, `observability`, and
`securitySolution`. If this parameter is omitted, the response contains tags
from all cases that the user has access to read.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
[source,sh]
--------------------------------------------------
GET api/cases/tags
--------------------------------------------------
// KIBANA
The API returns a JSON object with tags from all the cases that the user has
access to read. For example:
[source,json]
--------------------------------------------------
[
"observability",
"security",
"tag 1",
"tag 2"
]
--------------------------------------------------

116
docs/api/cases/cases-api-push.asciidoc
View file

@ -1,116 +0,0 @@
[[cases-api-push]]
== Push case API
++++
<titleabbrev>Push case</titleabbrev>
++++
Pushes a case to an external service.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`POST <kibana host>:<port>/api/cases/<case_id>/connector/<connector_id>/_push`
`POST <kibana host>:<port>/s/<space_id>/api/cases/<case_id>/connector/<connector_id>/_push`
=== {api-prereq-title}
You must have `all` privileges for the *{connectors-feature}* feature in the
*Management* section of the
<<kibana-feature-privileges,{kib} feature privileges>>. You must also have `all`
privileges for the *Cases* feature in the *Management*, *{observability}*, or
*Security* section of the {kib} feature privileges, depending on the
`owner` of the case you're pushing.
=== {api-path-parms-title}
`<case_id>`::
(Required, string) The identifier for the case. To retrieve case IDs, use
<<cases-api-find-cases>>.
`<connector_id>`::
(Required, string) The identifier for the connector. To retrieve connector IDs,
use <<cases-api-find-connectors>>.
<space_id>::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Push the case to an external service:
[source,sh]
--------------------------------------------------
POST api/cases/b917f300-0ed9-11ed-bd18-65557fe66949/connector/09f8c0b0-0eda-11ed-bd18-65557fe66949/_push
{}
--------------------------------------------------
// KIBANA
The API returns a JSON object representing the pushed case. For example:
[source,json]
--------------------------------------------------
{
"id": "b917f300-0ed9-11ed-bd18-65557fe66949",
"version": "WzE3NjgsM10=",
"comments": [],
"totalComment": 0,
"totalAlerts": 0,
"description": "A case description.",
"title": "Case title 1",
"tags": [
"tag 1"
],
"settings": {
"syncAlerts": true
},
"owner": "cases",
"duration": null,
"severity": "low",
"closed_at": null,
"closed_by": null,
"created_at": "2022-07-29T00:59:39.444Z",
"created_by": {
"username": "elastic",
"email": null,
"full_name": null
},
"status": "open",
"updated_at": "2022-07-29T01:20:58.436Z",
"updated_by": {
"username": "elastic",
"full_name": null,
"email": null
},
"connector": {
"id": "09f8c0b0-0eda-11ed-bd18-65557fe66949",
"name": "My connector",
"type": ".jira",
"fields": {
"issueType": "10006",
"parent": null,
"priority": "Low"
}
},
"external_service": {
"pushed_at": "2022-07-29T01:20:58.436Z",
"pushed_by": {
"username": "elastic",
"full_name": null,
"email": null
},
"connector_name": "My connector",
"external_id": "71926",
"external_title": "ES-554",
"external_url": "https://cases.jira.com",
"connector_id": "09f8c0b0-0eda-11ed-bd18-65557fe66949"
}
}
--------------------------------------------------

166
docs/api/cases/cases-api-set-configuration.asciidoc
View file

@ -1,166 +0,0 @@
[[cases-api-set-configuration]]
== Set case configuration API
++++
<titleabbrev>Set configuration</titleabbrev>
++++
Sets external connection details, such as the closure type and
default connector for cases.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`POST <kibana host>:<port>/api/cases/configure`
`POST <kibana host>:<port>/s/<space_id>/api/cases/configure`
=== {api-prereq-title}
You must have `all` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the case configuration.
=== {api-description-title}
Connectors are used to interface with external systems. You must create a
connector before you can use it in your cases. Refer to <<case-connectors>>.
If you set a default connector, it is automatically selected when you create
cases in {kib}. If you use the <<cases-api-create,create case API>>, however,
you must still specify all of the connector details.
=== {api-path-parms-title}
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
[role="child_attributes"]
=== {api-request-body-title}
`closure_type`::
(Required, string) Specifies whether a case is automatically closed when it is
pushed to external systems.
+
--
Valid values are:
* `close-by-pushing`: Cases are automatically closed when they are pushed.
* `close-by-user`: Cases are not automatically closed.
--
`connector`::
(Required, object) An object that contains the connector configuration.
+
.Properties of `connector`
[%collapsible%open]
====
`fields`::
(Required, object) An object that contains the connector fields.
+
--
TIP: The fields specified in the case configuration are not used and are not
propagated to individual cases, therefore it is recommended to set it to `null`.
--
`id`::
(Required, string) The identifier for the connector. If you do not want a
default connector, use `none`. To retrieve connector IDs, use
<<cases-api-find-connectors>>.
`name`::
(Required, string) The name of the connector. If you do not want a default
connector, use `none`. To retrieve connector names, use
<<cases-api-find-connectors>>.
`type`::
(Required, string) The type of the connector. Valid values are: `.cases-webhook`,
`.jira`, `.none`, `.resilient`,`.servicenow`, `.servicenow-sir`, and `.swimlane`.
====
`owner`::
(Required, string) The application that owns the case configuration. Valid
values are: `cases`, `observability`, or `securitySolution`. This value affects
whether you're setting case configuration details for {stack-manage-app},
{observability}, or {security-app}.
`settings`::
(Optional, object)
An object that contains the case settings.
+
.Properties of `settings`
[%collapsible%open]
====
`syncAlerts`::
(Required, boolean) Turns alert syncing on or off.
====
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Sets the closure type and default connector for cases in **{stack-manage-app}**:
[source,sh]
--------------------------------------------------
POST api/cases/configure
{
"owner": "cases",
"connector": {
"id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
"name": "my-jira-connector",
"type": ".jira",
"fields": null,
},
"closure_type": "close-by-user"
}
--------------------------------------------------
The API returns the following response:
[source,json]
--------------------------------------------------
{
"closure_type": "close-by-user",
"owner": "cases",
"created_at": "2022-06-01T17:07:17.767Z",
"created_by": {
"username": "elastic",
"email": null,
"full_name": null
},
"updated_at": null,
"updated_by": null,
"connector": {
"id": "5e656730-e1ca-11ec-be9b-9b1838238ee6",
"name": "my-jira-connector",
"type": ".jira",
"fields": null
},
"mappings": [
{
"source": "title",
"target": "summary",
"action_type": "overwrite"
},
{
"source": "description",
"target": "description",
"action_type": "overwrite"
},
{
"source": "comments",
"target": "comments",
"action_type": "append"
}
],
"version": "WzIwNzMsMV0=",
"error": null,
"id": "4a97a440-e1cd-11ec-be9b-9b1838238ee6"
}
--------------------------------------------------

193
docs/api/cases/cases-api-update-comment.asciidoc
View file

@ -1,193 +0,0 @@
[[cases-api-update-comment]]
== Update case comment API
++++
<titleabbrev>Update comment</titleabbrev>
++++
Updates a comment or alert in a case.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`PATCH <kibana host>:<port>/api/cases/<case_id>/comments`
`PATCH <kibana host>:<port>/s/<space_id>/api/cases/<case_id>/comments`
=== {api-prereq-title}
You must have `all` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the case you're updating.
=== {api-path-parms-title}
`<case_id>`::
The identifier for the case. To retrieve case IDs, use
<<cases-api-find-cases>>.
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
[role="child_attributes"]
=== {api-request-body-title}
`alertId`::
(Required*, string or array of strings) The alert identifiers. It is
required only when `type` is `alert`. If you are adding multiple alerts to a
case, use an array of strings; `index` must also be an array with the same
length or number of elements in that case. Addings multiple alerts in this manner
is recommended rather than calling the API multiple times.
`comment`::
(Required*, string) The updated comment. It is required only when `type` is
`user`.
`id`::
(Required, string) The identifier for the comment. To retrieve comment IDs, use
<<cases-api-get-comments>>.
`index`::
(Required*, string or array of strings) The alert indices. It is required only
when `type` is `alert`. If you are adding multiple alerts to a case, use an
array of strings; `alertId` must also be an array with the same length or number
of elements. preview:[]
`owner`::
(Required, string) The application that owns the case. It can be `cases`,
`observability`, or `securitySolution`.
+
NOTE: You cannot change the owner of a comment.
`rule`::
(Required*, object)
The rule that is associated with the alert. It is required only when `type` is
`alert`. preview:[]
+
.Properties of `rule`
[%collapsible%open]
====
`id`::
(Required, string) The rule identifier. preview:[]
`name`::
(Required, string) The rule name. preview:[]
====
`type`::
(Required, string) The comment type, which must be `user` or `alert`.
+
NOTE: You cannot change the comment type.
`version`::
(Required, string) The current comment version. To retrieve version values, use
<<cases-api-get-comments>>.
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Update comment ID `8af6ac20-74f6-11ea-b83a-553aecdb28b6` (associated with case
ID `293f1bc0-74f6-11ea-b83a-553aecdb28b6`):
[source,sh]
--------------------------------------------------
PATCH api/cases/293f1bc0-74f6-11ea-b83a-553aecdb28b6/comments
{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"version": "Wzk1LDFd",
"type": "user",
"comment": "An updated comment."
}
--------------------------------------------------
// KIBANA
The API returns details about the case and its comments. For example:
[source,json]
--------------------------------------------------
{
"comments":[{
"id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
"version": "WzIwNjM3LDFd",
"comment": "An updated comment.",
"type": "user",
"owner": "cases",
"created_at": "2022-03-24T00:37:10.832Z",
"created_by": {
"email": null,
"full_name": null,
"username": "elastic"
},
"pushed_at": null,
"pushed_by": null,
"updated_at": "2022-03-24T01:27:06.210Z",
"updated_by": {
"email": null,
"full_name": null,
"username": "elastic"
}
}
],
"totalAlerts": 0,
"id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
"version": "WzIwNjM2LDFd",
"totalComment": 1,
"title": "Case title 1",
"tags": ["tag 1"],
"description": "A case description.",
"settings": {"syncAlerts":false},
"owner": "cases",
"duration": null,
"severity": "low",
"closed_at": null,
"closed_by": null,
"created_at": "2022-03-24T00:37:03.906Z",
"created_by": {
"email": null,
"full_name": null,
"username": "elastic"
},
"status": "open",
"updated_at": "2022-03-24T01:27:06.210Z",
"updated_by": {
"email": null,
"full_name": null,
"username": "elastic"
},
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"external_service": null
}
--------------------------------------------------
Update an alert in the case:
[source,sh]
--------------------------------------------------
PATCH api/cases/293f1bc0-74f6-11ea-b83a-553aecdb28b6/comments
{
"id": "73362370-ab1a-11ec-985f-97e55adae8b9",
"version": "WzMwNDgsMV0=",
"type": "alert",
"owner": "cases",
"alertId": "c8789278659fdf88b7bf7709b90a082be070d0ba4c23c9c4b552e476c2a667c4",
"index": ".internal.alerts-security.alerts-default-000001",
"rule":
{
"id":"94d80550-aaf4-11ec-985f-97e55adae8b9",
"name":"security_rule"
}
}
--------------------------------------------------
// KIBANA

132
docs/api/cases/cases-api-update-configuration.asciidoc
View file

@ -1,132 +0,0 @@
[[cases-api-update-configuration]]
== Update case configuration API
++++
<titleabbrev>Update configuration</titleabbrev>
++++
Updates external connection details, such as the closure type and default
connector for cases.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`PATCH <kibana host>:<port>/api/cases/configure/<configuration_id>`
`PATCH <kibana host>:<port>/s/<space_id>/api/cases/configure/<configuration_id>`
=== {api-prereq-title}
You must have `all` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the case configuration.
=== {api-description-title}
Connectors are used to interface with external systems. You must create a
connector before you can it in your cases. Refer to <<case-connectors>>.
=== {api-path-parms-title}
`<configuration_id>`::
The identifier for the configuration. To retrieve the configuration IDs, use
<<cases-get-configuration>>.
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
[role="child_attributes"]
=== Request body
`closure_type`::
(Optional, string) Determines whether a case is automatically closed when it is
pushed to external systems. Valid values are:
+
--
* `close-by-pushing`: Cases are automatically closed when they
are pushed.
* `close-by-user`: Cases are not automatically closed.
--
`connector`::
(Optional, object) An object that contains the connector configuration.
+
.Properties of `connector`
[%collapsible%open]
====
`fields`::
(Required, object) An object that contains the connector fields.
+
--
TIP: The fields specified in the case configuration are not used and are not
propagated to individual cases, therefore it is recommended to set it to `null`.
--
`id`::
(Required, string) The identifier for the connector. To retrieve connector IDs,
use <<cases-api-find-connectors>>.
`name`::
(Required, string) The name of the connector.
`type`::
(Required, string) The type of the connector. Valid values are: `.cases-webhook`,
`.jira`, `.none`, `.resilient`,`.servicenow`, `.servicenow-sir`, and `.swimlane`.
====
`version`::
(Required, string) The version of the connector. To retrieve the version value,
use <<cases-get-configuration>>.
=== Response code
`200`::
Indicates a successful call.
=== Example
Change the closure type configuration option:
[source,sh]
--------------------------------------------------
PATCH api/cases/configure/3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9
{
"closure_type": "close-by-pushing",
"version": "WzIwMiwxXQ=="
}
--------------------------------------------------
// KIBANA
The API returns the following:
[source,json]
--------------------------------------------------
{
"closure_type": "close-by-pushing",
"owner": "cases",
"created_at": "2022-06-01T17:07:17.767Z",
"created_by": {
"email": "null",
"full_name": "null",
"username": "elastic"
},
"updated_at": "2022-06-01T19:58:48.169Z",
"updated_by": {
"email": "null",
"full_name": "null",
"username": "elastic"
},
"connector": {
"id": "none",
"name": "none",
"type": ".none",
"fields": null
},
"mappings": [],
"version": "WzkwNiw1XQ==",
"error": null,
"id": "3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9"
}
--------------------------------------------------

285
docs/api/cases/cases-api-update.asciidoc
View file

@ -1,285 +0,0 @@
[[cases-api-update]]
== Update cases API
++++
<titleabbrev>Update cases</titleabbrev>
++++
Updates one or more cases.
NOTE: For the latest details, refer to {api-kibana}/group/endpoint-cases[cases APIs].
=== {api-request-title}
`PATCH <kibana host>:<port>/api/cases`
`PATCH <kibana host>:<port>/s/<space_id>/api/cases`
=== {api-prereq-title}
You must have `all` privileges for the *Cases* feature in the *Management*,
*{observability}*, or *Security* section of the
<<kibana-feature-privileges,{kib} feature privileges>>, depending on the
`owner` of the cases you're updating.
=== {api-path-parms-title}
`<space_id>`::
(Optional, string) An identifier for the space. If it is not specified, the
default space is used.
[role="child_attributes"]
=== {api-request-body-title}
`cases`::
(Required, array of objects) Array containing one or more case objects.
+
.Properties of `cases` objects
[%collapsible%open]
====
`assignees`::
(Optional, array of objects) Array containing users that are assigned to the case.
+
.Properties of assignee objects
[%collapsible%open]
=====
`uid`::
(Required, string) A unique identifier for the user profile. These identifiers
can be found by using the
{ref}/security-api-suggest-user-profile.html[suggest user profile API].
=====
`connector`::
(Optional, object) An object that contains the connector configuration.
+
.Properties of `connector`
[%collapsible%open]
=====
`fields`::
(Required, object) An object containing the connector fields. To remove the
connector, specify `null`. If you want to omit any individual field, specify
`null` as its value.
+
.Properties of `fields`
[%collapsible%open]
=======
For {ibm-r} connectors, specify:
`issueTypes`:::
(Required, array of strings) The issue types of the issue.
`severityCode`:::
(Required, string) The severity code of the issue.
For {jira} connectors, specify:
`issueType`:::
(Required, string) The issue type of the issue.
`parent`:::
(Required, string) The key of the parent issue, when the issue type is
`Sub-task`.
`priority`:::
(Required, string) The priority of the issue.
For {sn-itsm} connectors, specify:
`category`:::
(Required, string) The category of the incident.
`impact`:::
(Required, string) The effect an incident had on business.
`severity`:::
(Required, string) The severity of the incident.
`subcategory`:::
(Required, string) The subcategory of the incident.
`urgency`:::
(Required, string) The extent to which the incident resolution can be delayed.
For {sn-sir} connectors, specify:
`category`:::
(Required, string) The category of the incident.
`destIp`:::
(Required, string) A comma separated list of destination IPs.
`malwareHash`:::
(Required, string) A comma separated list of malware hashes.
`malwareUrl`:::
(Required, string) A comma separated list of malware URLs.
`priority`:::
(Required, string) The priority of the incident.
`sourceIp`:::
(Required, string) A comma separated list of source IPs.
`subcategory`:::
(Required, string) The subcategory of the incident.
For {swimlane} connectors, specify:
`caseId`:::
(Required, string) The identifier for the case.
For {webhook-cm} connectors, specify `null`.
=======
`id`::
(Required, string) The identifier for the connector. To remove the connector,
use `none`. To retrieve connector IDs, use <<cases-api-find-connectors>>).
`name`::
(Required, string) The name of the connector. To remove the connector, use
`none`.
`type`::
(Required, string) The type of the connector. Valid values are: `.cases-webhook`,
`.jira`, `.none`, `.resilient`,`.servicenow`, `.servicenow-sir`, and `.swimlane`.
To remove the connector, use `.none`.
=====
`description`::
(Optional, string) The updated case description.
`id`::
(Required, string) The identifier for the case.
`settings`::
(Optional, object)
An object that contains the case settings.
+
.Properties of `settings`
[%collapsible%open]
=====
`syncAlerts`::
(Required, boolean) Turn on or off synching with alerts.
=====
`severity`::
(Optional,string) The severity of the case. Valid values are: `critical`, `high`,
`low`, and `medium`.
`status`::
(Optional, string) The case status. Valid values are: `closed`, `in-progress`,
and `open`.
`tags`::
(Optional, string array) The words and phrases that help categorize cases.
`title`::
(Optional, string) A title for the case.
`version`::
(Required, string) The current version of the case. To determine this value, use
<<cases-api-get-case>> or <<cases-api-find-cases>>.
====
=== {api-response-codes-title}
`200`::
Indicates a successful call.
=== {api-examples-title}
Update the description, tags, and connector of case ID
`a18b38a0-71b0-11ea-a0b2-c51ea50a58e2`:
[source,sh]
--------------------------------------------------
PATCH api/cases
{
"cases": [
{
"id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
"version": "WzIzLDFd",
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"issueType": "10006",
"priority": null,
"parent": null
}
},
"description": "A new description.",
"tags": [ "tag-1", "tag-2" ],
"assignees": [],
"settings": {
"syncAlerts": true
}
}
]
}
--------------------------------------------------
// KIBANA
The API returns the updated case with a new `version` value. For example:
[source,json]
--------------------------------------------------
[
{
"id": "66b9aa00-94fa-11ea-9f74-e7e108796192",
"version": "WzU0OCwxXQ==",
"comments": [],
"totalComment": 0,
"totalAlerts": 0,
"title": "Case title 1",
"tags": [ "tag-1", "tag-2" ],
"settings": {
"syncAlerts": true
},
"owner": "cases",
"description": "A new description.",
"duration": null,
"severity": "low",
"closed_at": null,
"closed_by": null,
"created_at": "2022-05-13T09:16:17.416Z",
"created_by": {
"email": null,
"full_name": null,
"username": "elastic"
},
"status": "open",
"updated_at": "2022-05-13T09:48:33.043Z",
"updated_by": {
"email": null,
"full_name": null,
"username": "elastic"
},
"connector": {
"id": "131d4448-abe0-4789-939d-8ef60680b498",
"name": "My connector",
"type": ".jira",
"fields": {
"issueType": "10006",
"parent": null,
"priority": null,
}
},
"external_service": {
"external_title": "IS-4",
"pushed_by": {
"full_name": null,
"email": null,
"username": "elastic"
},
"external_url": "https://hms.atlassian.net/browse/IS-4",
"pushed_at": "2022-05-13T09:20:40.672Z",
"connector_id": "05da469f-1fde-4058-99a3-91e4807e2de8",
"external_id": "10003",
"connector_name": "Jira"
}
}
]
--------------------------------------------------

9
docs/api/machine-learning.asciidoc
View file

@ -1,11 +1,4 @@
[[machine-learning-api]]
== {ml-cap} APIs
//Manage {kib} saved objects, including dashboards, visualizations, and more.
The following {ml} API is available:
* <<machine-learning-api-sync, Sync API>>
//to retrieve a single {kib} saved object by ID
include::machine-learning/sync.asciidoc[]
For the latest details, refer to {api-kibana}/group/endpoint-ml[machine learning APIs].

95
docs/api/machine-learning/sync.asciidoc
View file

@ -1,95 +0,0 @@
[[machine-learning-api-sync]]
=== Sync {ml} saved objects API
++++
<titleabbrev>Sync {ml} saved objects</titleabbrev>
++++
Synchronizes {kib} saved objects for {ml} jobs and trained models.
[NOTE]
====
For the most up-to-date API details, refer to the
{kib-repo}/tree/{branch}/x-pack/plugins/ml/common/openapi[open API specification].
====
[[machine-learning-api-sync-request]]
==== {api-request-title}
`GET <kibana host>:<port>/api/ml/saved_objects/sync`
`GET <kibana host>:<port>/s/<space_id>/api/ml/saved_objects/sync`
[[machine-learning-api-sync-prereq]]
==== {api-prereq-title}
You must have `all` privileges for the *Machine Learning* feature in the *Analytics* section of the
<<kibana-feature-privileges,{kib} feature privileges>>.
[[machine-learning-api-sync-desc]]
==== {api-description-title}
This API runs automatically when you start {kib} and periodically thereafter.
[[machine-learning-api-sync-path-params]]
==== {api-path-parms-title}
`space_id`::
(Optional, string) An identifier for the space. If `space_id` is not provided in
the URL the default space is used.
[[machine-learning-api-sync-query-params]]
==== {api-query-parms-title}
`simulate`::
(Optional, boolean) When `true`, simulates the synchronization by only returning
the list actions that _would_ be performed.
[[machine-learning-api-sync-response-body]]
==== {api-response-body-title}
`datafeedsAdded`::
(array) If a saved object for an {anomaly-job} is missing a {dfeed} identifier,
it is added. This list contains the {dfeed} identifiers and indicates whether
the synchronization was successful.
`datafeedsRemoved`::
(array) If a saved object for an anomaly detection job references a datafeed
that no longer exists, it is deleted. This list contains the {dfeed} identifiers
and indicates whether the synchronization was successful.
`savedObjectsCreated`::
(array) If saved objects are missing for {ml} jobs or trained models, they are
created. This list contains the job and model identifiers and indicates whether
the synchronization was successful.
`savedObjectsDeleted`::
(array) If saved objects exist for {ml} jobs or trained models that no longer
exist, they are deleted. This list contains the job and model identifiers and
indicates whether the synchronization was successful.
[[machine-learning-api-sync-codes]]
==== {api-response-codes-title}
`200`::
Indicates a successful call.
[[machine-learning-api-sync-example]]
==== {api-examples-title}
Retrieve the list of {ml} saved objects that require synchronization:
[source,sh]
--------------------------------------------------
GET api/ml/saved_objects/sync?simulate=true
--------------------------------------------------
// KIBANA
If there are two jobs that need to be synchronized, for example, the API returns
the following response:
[source,sh]
--------------------------------------------------
{"savedObjectsCreated":{"anomaly_detector":{"myjob1":{"success":true},"myjob2":{"success":true}}},"savedObjectsDeleted":{},"datafeedsAdded":{},"datafeedsRemoved":{}}
--------------------------------------------------
To perform the synchronization, re-run the API and omit the `simulate` parameter.

5
docs/management/connectors/action-types/bedrock.asciidoc
View file

@ -9,7 +9,7 @@
:frontmatter-tags-user-goals: [configure]
The {bedrock} connector uses https://github.com/axios/axios[axios] to send a POST request to {bedrock}. The connector uses the <<execute-connector-api,run connector API>> to send the request.
The {bedrock} connector uses https://github.com/axios/axios[axios] to send a POST request to {bedrock}.
[float]
[[define-bedrock-ui]]
@ -37,8 +37,7 @@ Secret:: The secret for authentication.
[[bedrock-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/bedrock-params.png[{bedrock} params test]

3
docs/management/connectors/action-types/cases-webhook.asciidoc
View file

@ -192,8 +192,7 @@ The username for HTTP basic authentication.
[[cases-webhook-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/cases-webhook-test.gif[{webhook-cm} params test]

5
docs/management/connectors/action-types/d3security.asciidoc
View file

@ -8,7 +8,7 @@
:frontmatter-tags-content-type: [how-to]
:frontmatter-tags-user-goals: [configure]
The D3 Security connector uses https://github.com/axios/axios[axios] to send a POST request to a D3 Security endpoint. The connector uses the <<execute-connector-api,run connector API>> to send the request. You can use the connector for rule actions.
The D3 Security connector uses https://github.com/axios/axios[axios] to send a POST request to a D3 Security endpoint. You can use the connector for rule actions.
To create this connector, you must first configure a webhook key in your D3 SOAR environment. For configuration tips, refer to <<configure-d3security>>.
@ -35,8 +35,7 @@ Token:: The D3 Security token.
[[d3security-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/d3security-params-test.png[D3 Security params test]

5
docs/management/connectors/action-types/gemini.asciidoc
View file

@ -9,7 +9,7 @@
:frontmatter-tags-user-goals: [configure]
The {gemini} connector uses https://github.com/axios/axios[axios] to send a POST request to {gemini}. The connector uses the <<execute-connector-api,run connector API>> to send the request.
The {gemini} connector uses https://github.com/axios/axios[axios] to send a POST request to {gemini}.
[float]
[[define-gemini-ui]]
@ -38,8 +38,7 @@ Credentials JSON:: The GCP service account JSON file for authentication.
[[gemini-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/gemini-params.png[{gemini} params test]

3
docs/management/connectors/action-types/jira.asciidoc
View file

@ -43,8 +43,7 @@ API token:: Jira API authentication token for HTTP Basic authentication.
[[jira-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/jira-params-test.png[Jira params test]

6
docs/management/connectors/action-types/openai.asciidoc
View file

@ -9,8 +9,7 @@
:frontmatter-tags-user-goals: [configure]
The OpenAI connector uses https://github.com/axios/axios[axios] to send a POST request to an OpenAI provider, either OpenAI or Azure OpenAI. The connector uses the <<execute-connector-api,run connector API>> to send the request.
The OpenAI connector uses https://github.com/axios/axios[axios] to send a POST request to an OpenAI provider, either OpenAI or Azure OpenAI.
[float]
[[define-gen-ai-ui]]
=== Create connectors in {kib}
@ -48,8 +47,7 @@ API key:: The OpenAI or Azure OpenAI API key for authentication.
[[gen-ai-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/gen-ai-params-test.png[OpenAI params test]

3
docs/management/connectors/action-types/servicenow-itom.asciidoc
View file

@ -61,8 +61,7 @@ The username for HTTP basic authentication.
[[servicenow-itom-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/servicenow-itom-params-test.png[{sn-itom} params test]

3
docs/management/connectors/action-types/servicenow-sir.asciidoc
View file

@ -61,8 +61,7 @@ The username for HTTP basic authentication.
[[servicenow-sir-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/servicenow-sir-params-test.png[{sn-sir} params test]

3
docs/management/connectors/action-types/swimlane.asciidoc
View file

@ -35,8 +35,7 @@ API token:: Swimlane API authentication token for HTTP basic authentication.
[[swimlane-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/swimlane-params-test.png[Swimlane params test]

3
docs/management/connectors/action-types/thehive.asciidoc
View file

@ -36,8 +36,7 @@ API Key:: TheHive API key for authentication.
[[TheHive-action-configuration]]
=== Test connectors
You can test connectors for creating a case or an alert with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/thehive-params-case-test.png[TheHive case params test]

3
docs/management/connectors/action-types/tines.asciidoc
View file

@ -35,8 +35,7 @@ API Token:: A Tines API token created by the user. For more information, refer
[[tines-action-parameters]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/tines-params-test.png[Tines params test]

3
docs/management/connectors/action-types/torq.asciidoc
View file

@ -35,8 +35,7 @@ Torq authentication header secret:: Secret of the webhook authentication header.
[[torq-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/torq-connector-test.png[Torq connector test]

3
docs/management/connectors/action-types/webhook.asciidoc
View file

@ -55,8 +55,7 @@ Controls the certificate verification.
[[webhook-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/webhook-params-test.png[Webhook params test]

3
docs/management/connectors/action-types/xmatters.asciidoc
View file

@ -44,8 +44,7 @@ Password:: Password for HTTP basic authentication.
[[xmatters-action-configuration]]
=== Test connectors
You can test connectors with the <<execute-connector-api,run connector API>> or
as you're creating or editing the connector in {kib}. For example:
You can test connectors as you're creating or editing the connector in {kib}. For example:
[role="screenshot"]
image::management/connectors/images/xmatters-params-test.png[xMatters params test]

2
docs/management/maintenance-windows/maintenance-windows.asciidoc
View file

@ -46,7 +46,7 @@ image::images/create-maintenance-window.png[The Create Maintenance Window user i
By default, maintenance windows affect all categories of rules.
The category-specific maintenance window options alter this behavior.
For the definitive list of rule types in each category, refer to the <<list-rule-types-api,get rule types API>>.
For the definitive list of rule types in each category, refer to the {api-kibana}/group/endpoint-alerting[get rule types API].
If you turn on *Filter alerts*, you can use KQL to filter the alerts affected by the maintenance window:

220
docs/redirects.asciidoc
View file

@ -765,3 +765,223 @@ Refer to {observability-guide}/apm-agent-key-api.html[APM agent Key API].
Refer to {observability-guide}/apm-app-troubleshooting.html[Troubleshooting].
:!apm-docs-move-notice:
[role="exclude",id="create-rule-api"]
== Create rule API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="delete-rule-api"]
== Delete rule API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="disable-rule-api"]
== Disable rule API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="enable-rule-api"]
== Enable rule API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="find-rules-api"]
== Find rules API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="get-rule-api"]
== Get rule API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="get-alerting-framework-health-api"]
== Get alerting framework health API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="list-rule-types-api"]
== Get rule types API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="mute-alert-api"]
== Mute alert API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="mute-all-alerts-api"]
== Mute all alerts API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="unmute-alert-api"]
== Unmute alert API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="unmute-all-alerts-api"]
== Unmute all alerts API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="update-rule-api"]
== Update rule API
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="alerts-api"]
== Deprecated 7.x APIs
Refer to {api-kibana}/group/endpoint-alerting[alerting API].
[role="exclude",id="update-connector-api"]
== Update connector API
Refer to {api-kibana}/group/endpoint-connectors[connectors API].
[role="exclude",id="list-connector-types-api"]
== List connector types API
Refer to {api-kibana}/group/endpoint-connectors[connectors API].
[role="exclude",id="get-connector-api"]
== Get connector API
Refer to {api-kibana}/group/endpoint-connectors[connectors API].
[role="exclude",id="get-all-connectors-api"]
== Get all connectors API
Refer to {api-kibana}/group/endpoint-connectors[connectors API].
[role="exclude",id="execute-connector-api"]
== Run connector API
Refer to {api-kibana}/group/endpoint-connectors[connectors API].
[role="exclude",id="delete-connector-api"]
== Delete connector API
Refer to {api-kibana}/group/endpoint-connectors[connectors API].
[role="exclude",id="create-connector-api"]
== Create connector API
Refer to {api-kibana}/group/endpoint-connectors[connectors API].
[role="exclude",id="actions-and-connectors-legacy-apis"]
== Deprecated 7.x APIs
Refer to {api-kibana}/group/endpoint-connectors[connectors API].
[role="exclude",id="cases-api-add-comment"]
== Add comment to case API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-create"]
== Create case API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-delete-cases"]
== Delete cases API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-delete-comments"]
== Delete comments from case API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-find-case-activity"]
== Find case activity API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-find-cases"]
== Find cases API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-find-connectors"]
== Find connectors API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-get-alerts"]
== Get alerts attached to case API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-get-case-activity"]
== Get case activity API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-get-case"]
== Get case API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-get-cases-by-alert"]
== Get cases by alert API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-get-comments"]
== Get comments API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-get-configuration"]
== Get case configuration API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-get-reporters"]
== Get reporters API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-get-status"]
== Get case status API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-get-tag"]
== Get tags API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-push"]
== Push case API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-set-configuration"]
== Set case configuration API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-update-comment"]
== Update case comment API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-update-configuration"]
== Update case configuration API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="cases-api-update"]
== Update cases API
Refer to {api-kibana}/group/endpoint-cases[cases API].
[role="exclude",id="machine-learning-api-sync"]
== Sync {ml} saved objects API
Refer to {api-kibana}/group/endpoint-ml[machine learning APIs].

5
docs/user/alerting/alerting-troubleshooting.asciidoc
View file

@ -55,7 +55,7 @@ Diagnosing these may be difficult - but there may be log messages for error cond
=== Use the REST APIs
There is a rich set of HTTP endpoints to introspect and manage rules and connectors.
One of the HTTP endpoints available for actions is the <<execute-connector-api,run connector API>>. You can use this to “test” an action. For instance, if you have a server log action created, you can run it via curling the endpoint:
One of the HTTP endpoints available for actions is the run connector API. You can use this to “test” an action. For instance, if you have a server log action created, you can run it via curling the endpoint:
[source, txt]
--------------------------------------------------
curl -X POST -k \
@ -219,8 +219,7 @@ the {kib} {alert-features}:
If you create a rule in the {observability} or {security-app}, its alerts are
not visible in *{stack-manage-app} > {rules-ui}*. You can view them only in the
{kib} app where you created the rule. If you use the
<<create-rule-api,create rule API>>, the visibility of the alerts is related to
{kib} app where you created the rule. If you use the create rule API, the visibility of the alerts is related to
the `consumer` property.
include::troubleshooting/alerting-common-issues.asciidoc[]

2
docs/user/alerting/troubleshooting/alerting-common-issues.asciidoc
View file

@ -239,7 +239,7 @@ This query returns the following:
<1> Most run durations fall within the first bucket (0 - 1 seconds).
<2> A single rule with id `41893910-6bca-11eb-9e0d-85d233e3ee35` took between 30 and 31 seconds to run.
Use the <<get-rule-api,get rule API>> to retrieve additional information about rules that take a long time to run.
Use the get rule API to retrieve additional information about rules that take a long time to run.
[float]
[[rule-cannot-decrypt-api-key]]