openapi: 3.0.3 info: contact: name: Kibana Team description: | The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. The API calls are stateless. Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation. To interact with Kibana APIs, use the following operations: - GET: Fetches the information. - PATCH: Applies partial modifications to the existing information. - POST: Adds new information. - PUT: Updates the existing information. - DELETE: Removes the information. You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**. For example: ``` GET kbn:/api/data_views ``` For more information about the console, refer to [Run API requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console). NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs. ## Documentation source and versions This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository. It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/). This documentation contains work-in-progress information for future Elastic Stack releases. title: Kibana APIs version: 1.0.2 x-doc-license: name: Attribution-NonCommercial-NoDerivatives 4.0 International url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: - url: https://{kibana_url} variables: kibana_url: default: localhost:5601 security: - apiKeyAuth: [] - basicAuth: [] tags: - name: alerting description: | Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations. externalDocs: description: Alerting documentation url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts x-displayName: Alerting - description: | Adjust APM agent configuration without need to redeploy your application. name: APM agent configuration - description: | Configure APM agent keys to authorize requests from APM agents to the APM Server. name: APM agent keys - description: | Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications. name: APM annotations - description: Create APM fleet server schema. name: APM server schema - description: | Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur. name: APM sourcemaps - description: | Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors. name: cases externalDocs: description: Cases documentation url: https://www.elastic.co/docs/explore-analyze/alerts-cases/cases x-displayName: Cases - name: CCR Remote synced integrations - name: connectors description: | Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met. externalDocs: description: Connector documentation url: https://www.elastic.co/docs/reference/kibana/connectors-kibana x-displayName: Connectors - name: Data streams - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns. name: data views x-displayName: Data views - name: Elastic Agent actions - name: Elastic Agent binary download sources - name: Elastic Agent policies - name: Elastic Agent status - name: Elastic Agents - name: Elastic Package Manager (EPM) - name: Fleet enrollment API keys - name: Fleet internals - name: Fleet outputs - name: Fleet package policies - name: Fleet proxies - name: Fleet Server hosts - name: Fleet service tokens - name: Fleet uninstall tokens - description: | Programmatically integrate with Logstash configuration management. > warn > Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs. externalDocs: description: Centralized pipeline management url: https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management name: logstash x-displayName: Logstash configuration management - name: maintenance-window description: | You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages. externalDocs: description: Maintenance window documentation url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows x-displayName: Maintenance windows - name: Message Signing Service - description: Machine learning name: ml x-displayName: Machine learning - name: roles x-displayName: Roles description: Manage the roles that grant Elasticsearch and Kibana privileges. externalDocs: description: Kibana role management url: https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles - name: saved objects x-displayName: Saved objects description: | Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs. To manage a specific type of saved object, use the corresponding APIs. For example, use: * [Data views](../group/endpoint-data-views) * [Spaces](../group/endpoint-spaces) * [Short URLs](../group/endpoint-short-url) Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions - description: Manage and interact with Security Assistant resources. name: Security AI Assistant API x-displayName: Security AI assistant - description: | Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged. This API supports both key-based authentication and basic authentication. To use key-based authentication, create an API key, then specify the key in the header of your API calls. To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges. In both cases, the API key is subsequently used for authorization when the rule runs. > warn > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change. > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running. To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements. name: Security Detections API x-displayName: Security detections - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Endpoint Exceptions API x-displayName: Security endpoint exceptions - description: Interact with and manage endpoints running the Elastic Defend integration. name: Security Endpoint Management API x-displayName: Security endpoint management - description: '' name: Security Entity Analytics API x-displayName: Security entity analytics - description: | Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts. Exceptions are made up of: * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules. * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert. For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated. > info > You cannot use lists with endpoint rule exceptions. > info > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container. ## Exceptions requirements Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui). name: Security Exceptions API x-displayName: Security exceptions - description: | Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. Lists are made up of: * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used: * `boolean` * `byte` * `date` * `date_nanos` * `date_range` * `double` * `double_range` * `float` * `float_range` * `half_float` * `integer` * `integer_range` * `ip` * `ip_range` * `keyword` * `long` * `long_range` * `short` * `text` * **List items**: The values used to determine whether the exception prevents an alert from being generated. All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: 1. `192.168.1.1` 2. `192.168.1.3` 3. `192.168.1.18` 4. `192.168.1.12` 5. `192.168.1.7` To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. > info > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. ## Lists requirements Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements. name: Security Lists API x-displayName: Security lists - description: Run live queries, manage packs and saved queries. name: Security Osquery API x-displayName: Security Osquery - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. name: Security Timeline API x-displayName: Security timeline - description: Manage Kibana short URLs. name: short url x-displayName: Short URLs - description: SLO APIs enable you to define, manage and track service-level objectives name: slo x-displayName: Service level objectives - name: spaces x-displayName: Spaces description: Manage your Kibana spaces. externalDocs: url: https://www.elastic.co/docs/deploy-manage/manage-spaces description: Space overview - name: streams description: | Streams is a new and experimental way to manage your data in Kibana (currently experimental - expect changes). x-displayName: Streams - name: synthetics x-displayName: Synthetics externalDocs: description: Synthetic monitoring url: https://www.elastic.co/docs/solutions/observability/synthetics - name: system x-displayName: System description: | Get information about the system status, resource usage, features, and installed plugins. - description: | Get information about the system status, resource usage, features, and installed plugins. name: system x-displayName: System - externalDocs: description: Task manager url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management name: task manager x-displayName: Task manager - description: The assistant helps you prepare for the next major version of Elasticsearch. name: upgrade x-displayName: Upgrade assistant - externalDocs: description: Uptime monitoring url: https://www.elastic.co/docs/solutions/observability/uptime name: uptime x-displayName: Uptime - name: user session x-displayName: User session management paths: /api/actions/connector_types: get: description: You do not need any Kibana feature privileges to run this API. operationId: get-actions-connector-types parameters: - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). in: query name: feature_id required: false schema: type: string responses: '200': description: Indicates a successful call. content: application/json: examples: getConnectorTypesServerlessResponse: $ref: '#/components/examples/get_connector_types_generativeai_response' summary: Get connector types tags: - connectors /api/actions/connector/{id}: delete: description: 'WARNING: When you delete a connector, it cannot be recovered.' operationId: delete-actions-connector-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. summary: Delete a connector tags: - connectors get: operationId: get-actions-connector-id parameters: - description: An identifier for the connector. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action examples: getConnectorResponse: $ref: '#/components/examples/get_connector_response' description: Indicates a successful call. summary: Get connector information tags: - connectors post: operationId: post-actions-connector-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: connector_type_id: description: The type of connector. type: string name: description: The display name for the connector. type: string config: additionalProperties: {} default: {} description: The connector configuration details. oneOf: - $ref: '#/components/schemas/bedrock_config' - $ref: '#/components/schemas/crowdstrike_config' - $ref: '#/components/schemas/d3security_config' - $ref: '#/components/schemas/email_config' - $ref: '#/components/schemas/gemini_config' - $ref: '#/components/schemas/resilient_config' - $ref: '#/components/schemas/index_config' - $ref: '#/components/schemas/jira_config' - $ref: '#/components/schemas/genai_azure_config' - $ref: '#/components/schemas/genai_openai_config' - $ref: '#/components/schemas/genai_openai_other_config' - $ref: '#/components/schemas/opsgenie_config' - $ref: '#/components/schemas/pagerduty_config' - $ref: '#/components/schemas/sentinelone_config' - $ref: '#/components/schemas/servicenow_config' - $ref: '#/components/schemas/servicenow_itom_config' - $ref: '#/components/schemas/slack_api_config' - $ref: '#/components/schemas/swimlane_config' - $ref: '#/components/schemas/thehive_config' - $ref: '#/components/schemas/tines_config' - $ref: '#/components/schemas/torq_config' - $ref: '#/components/schemas/webhook_config' - $ref: '#/components/schemas/cases_webhook_config' - $ref: '#/components/schemas/xmatters_config' secrets: additionalProperties: {} default: {} oneOf: - $ref: '#/components/schemas/bedrock_secrets' - $ref: '#/components/schemas/crowdstrike_secrets' - $ref: '#/components/schemas/d3security_secrets' - $ref: '#/components/schemas/email_secrets' - $ref: '#/components/schemas/gemini_secrets' - $ref: '#/components/schemas/resilient_secrets' - $ref: '#/components/schemas/jira_secrets' - $ref: '#/components/schemas/defender_secrets' - $ref: '#/components/schemas/teams_secrets' - $ref: '#/components/schemas/genai_secrets' - $ref: '#/components/schemas/opsgenie_secrets' - $ref: '#/components/schemas/pagerduty_secrets' - $ref: '#/components/schemas/sentinelone_secrets' - $ref: '#/components/schemas/servicenow_secrets' - $ref: '#/components/schemas/slack_api_secrets' - $ref: '#/components/schemas/swimlane_secrets' - $ref: '#/components/schemas/thehive_secrets' - $ref: '#/components/schemas/tines_secrets' - $ref: '#/components/schemas/torq_secrets' - $ref: '#/components/schemas/webhook_secrets' - $ref: '#/components/schemas/cases_webhook_secrets' - $ref: '#/components/schemas/xmatters_secrets' required: - name - connector_type_id examples: createEmailConnectorRequest: $ref: '#/components/examples/create_email_connector_request' createIndexConnectorRequest: $ref: '#/components/examples/create_index_connector_request' createWebhookConnectorRequest: $ref: '#/components/examples/create_webhook_connector_request' createXmattersConnectorRequest: $ref: '#/components/examples/create_xmatters_connector_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action examples: createEmailConnectorResponse: $ref: '#/components/examples/create_email_connector_response' createIndexConnectorResponse: $ref: '#/components/examples/create_index_connector_response' createWebhookConnectorResponse: $ref: '#/components/examples/create_webhook_connector_response' createXmattersConnectorResponse: $ref: '#/components/examples/get_connector_response' description: Indicates a successful call. summary: Create a connector tags: - connectors put: operationId: put-actions-connector-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: name: description: The display name for the connector. type: string config: additionalProperties: {} default: {} description: The connector configuration details. oneOf: - $ref: '#/components/schemas/bedrock_config' - $ref: '#/components/schemas/crowdstrike_config' - $ref: '#/components/schemas/d3security_config' - $ref: '#/components/schemas/email_config' - $ref: '#/components/schemas/gemini_config' - $ref: '#/components/schemas/resilient_config' - $ref: '#/components/schemas/index_config' - $ref: '#/components/schemas/jira_config' - $ref: '#/components/schemas/defender_config' - $ref: '#/components/schemas/genai_azure_config' - $ref: '#/components/schemas/genai_openai_config' - $ref: '#/components/schemas/opsgenie_config' - $ref: '#/components/schemas/pagerduty_config' - $ref: '#/components/schemas/sentinelone_config' - $ref: '#/components/schemas/servicenow_config' - $ref: '#/components/schemas/servicenow_itom_config' - $ref: '#/components/schemas/slack_api_config' - $ref: '#/components/schemas/swimlane_config' - $ref: '#/components/schemas/thehive_config' - $ref: '#/components/schemas/tines_config' - $ref: '#/components/schemas/torq_config' - $ref: '#/components/schemas/webhook_config' - $ref: '#/components/schemas/cases_webhook_config' - $ref: '#/components/schemas/xmatters_config' secrets: additionalProperties: {} default: {} oneOf: - $ref: '#/components/schemas/bedrock_secrets' - $ref: '#/components/schemas/crowdstrike_secrets' - $ref: '#/components/schemas/d3security_secrets' - $ref: '#/components/schemas/email_secrets' - $ref: '#/components/schemas/gemini_secrets' - $ref: '#/components/schemas/resilient_secrets' - $ref: '#/components/schemas/jira_secrets' - $ref: '#/components/schemas/teams_secrets' - $ref: '#/components/schemas/genai_secrets' - $ref: '#/components/schemas/opsgenie_secrets' - $ref: '#/components/schemas/pagerduty_secrets' - $ref: '#/components/schemas/sentinelone_secrets' - $ref: '#/components/schemas/servicenow_secrets' - $ref: '#/components/schemas/slack_api_secrets' - $ref: '#/components/schemas/swimlane_secrets' - $ref: '#/components/schemas/thehive_secrets' - $ref: '#/components/schemas/tines_secrets' - $ref: '#/components/schemas/torq_secrets' - $ref: '#/components/schemas/webhook_secrets' - $ref: '#/components/schemas/cases_webhook_secrets' - $ref: '#/components/schemas/xmatters_secrets' required: - name examples: updateIndexConnectorRequest: $ref: '#/components/examples/update_index_connector_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action description: Indicates a successful call. summary: Update a connector tags: - connectors /api/actions/connector/{id}/_execute: post: description: You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. operationId: post-actions-connector-id-execute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: params: additionalProperties: {} oneOf: - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' - $ref: '#/components/schemas/run_documents' - $ref: '#/components/schemas/run_message_email' - $ref: '#/components/schemas/run_message_serverlog' - $ref: '#/components/schemas/run_message_slack' - $ref: '#/components/schemas/run_trigger_pagerduty' - $ref: '#/components/schemas/run_addevent' - $ref: '#/components/schemas/run_closealert' - $ref: '#/components/schemas/run_closeincident' - $ref: '#/components/schemas/run_createalert' - $ref: '#/components/schemas/run_fieldsbyissuetype' - $ref: '#/components/schemas/run_getagentdetails' - $ref: '#/components/schemas/run_getagents' - $ref: '#/components/schemas/run_getchoices' - $ref: '#/components/schemas/run_getfields' - $ref: '#/components/schemas/run_getincident' - $ref: '#/components/schemas/run_issue' - $ref: '#/components/schemas/run_issues' - $ref: '#/components/schemas/run_issuetypes' - $ref: '#/components/schemas/run_postmessage' - $ref: '#/components/schemas/run_pushtoservice' - $ref: '#/components/schemas/run_validchannelid' required: - params examples: runIndexConnectorRequest: $ref: '#/components/examples/run_index_connector_request' runJiraConnectorRequest: $ref: '#/components/examples/run_jira_connector_request' runServerLogConnectorRequest: $ref: '#/components/examples/run_servicenow_itom_connector_request' runSlackConnectorRequest: $ref: '#/components/examples/run_slack_api_connector_request' runSwimlaneConnectorRequest: $ref: '#/components/examples/run_swimlane_connector_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action examples: runIndexConnectorResponse: $ref: '#/components/examples/run_index_connector_response' runJiraConnectorResponse: $ref: '#/components/examples/run_jira_connector_response' runServerLogConnectorResponse: $ref: '#/components/examples/run_server_log_connector_response' runServiceNowITOMConnectorResponse: $ref: '#/components/examples/run_servicenow_itom_connector_response' runSlackConnectorResponse: $ref: '#/components/examples/run_slack_api_connector_response' runSwimlaneConnectorResponse: $ref: '#/components/examples/run_swimlane_connector_response' description: Indicates a successful call. summary: Run a connector tags: - connectors /api/actions/connectors: get: operationId: get-actions-connectors parameters: [] responses: '200': description: Indicates a successful call. content: application/json: examples: getConnectorsResponse: $ref: '#/components/examples/get_connectors_response' summary: Get all connectors tags: - connectors /api/alerting/_health: get: description: | You must have `read` privileges for the **Management > Stack Rules** feature or for at least one of the **Analytics > Discover**, **Analytics > Machine Learning**, **Observability**, or **Security** features. operationId: getAlertingHealth responses: '200': content: application/json: examples: getAlertingHealthResponse: $ref: '#/components/examples/Alerting_get_health_response' schema: type: object properties: alerting_framework_health: description: | Three substates identify the health of the alerting framework: `decryption_health`, `execution_health`, and `read_health`. type: object properties: decryption_health: description: The timestamp and status of the rule decryption. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string execution_health: description: The timestamp and status of the rule run. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string read_health: description: The timestamp and status of the rule reading events. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string has_permanent_encryption_key: description: If `false`, the encrypted saved object plugin does not have a permanent encryption key. example: true type: boolean is_sufficiently_secure: description: If `false`, security is enabled but TLS is not. example: true type: boolean description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Get the alerting framework health tags: - alerting /api/alerting/rule_types: get: description: | If you have `read` privileges for one or more Kibana features, the API response contains information about the appropriate rule types. For example, there are rule types associated with the **Management > Stack Rules** feature, **Analytics > Discover** and **Machine Learning** features, **Observability** features, and **Security** features. To get rule types associated with the **Stack Monitoring** feature, use the `monitoring_user` built-in role. operationId: getRuleTypes responses: '200': content: application/json: examples: getRuleTypesResponse: $ref: '#/components/examples/Alerting_get_rule_types_response' schema: items: type: object properties: action_groups: description: | An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid. items: type: object properties: id: type: string name: type: string type: array action_variables: description: | A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors. type: object properties: context: items: type: object properties: description: type: string name: type: string useWithTripleBracesInTemplates: type: boolean type: array params: items: type: object properties: description: type: string name: type: string type: array state: items: type: object properties: description: type: string name: type: string type: array alerts: description: | Details for writing alerts as data documents for this rule type. type: object properties: context: description: | The namespace for this rule type. enum: - ml.anomaly-detection - observability.apm - observability.logs - observability.metrics - observability.slo - observability.threshold - observability.uptime - security - stack type: string dynamic: description: Indicates whether new fields are added dynamically. enum: - 'false' - runtime - strict - 'true' type: string isSpaceAware: description: | Indicates whether the alerts are space-aware. If true, space-specific alert indices are used. type: boolean mappings: type: object properties: fieldMap: additionalProperties: $ref: '#/components/schemas/Alerting_fieldmap_properties' description: | Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation. type: object secondaryAlias: description: | A secondary alias. It is typically used to support the signals alias for detection rules. type: string shouldWrite: description: | Indicates whether the rule should write out alerts as data. type: boolean useEcs: description: | Indicates whether to include the ECS component template for the alerts. type: boolean useLegacyAlerts: default: false description: | Indicates whether to include the legacy component template for the alerts. type: boolean authorized_consumers: description: The list of the plugins IDs that have access to the rule type. type: object properties: alerts: type: object properties: all: type: boolean read: type: boolean apm: type: object properties: all: type: boolean read: type: boolean discover: type: object properties: all: type: boolean read: type: boolean infrastructure: type: object properties: all: type: boolean read: type: boolean logs: type: object properties: all: type: boolean read: type: boolean ml: type: object properties: all: type: boolean read: type: boolean monitoring: type: object properties: all: type: boolean read: type: boolean siem: type: object properties: all: type: boolean read: type: boolean slo: type: object properties: all: type: boolean read: type: boolean stackAlerts: type: object properties: all: type: boolean read: type: boolean uptime: type: object properties: all: type: boolean read: type: boolean category: description: The rule category, which is used by features such as category-specific maintenance windows. enum: - management - observability - securitySolution type: string default_action_group_id: description: The default identifier for the rule type group. type: string does_set_recovery_context: description: Indicates whether the rule passes context variables to its recovery action. type: boolean enabled_in_license: description: Indicates whether the rule type is enabled or disabled based on the subscription. type: boolean has_alerts_mappings: description: Indicates whether the rule type has custom mappings for the alert data. type: boolean has_fields_for_a_a_d: type: boolean id: description: The unique identifier for the rule type. type: string is_exportable: description: Indicates whether the rule type is exportable in **Stack Management > Saved Objects**. type: boolean minimum_license_required: description: The subscriptions required to use the rule type. example: basic type: string name: description: The descriptive name of the rule type. type: string producer: description: An identifier for the application that produces this rule type. example: stackAlerts type: string recovery_action_group: description: An action group to use when an alert goes from an active state to an inactive one. type: object properties: id: type: string name: type: string rule_task_timeout: example: 5m type: string type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Get the rule types tags: - alerting /api/alerting/rule/{id}: delete: operationId: delete-alerting-rule-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Delete a rule tags: - alerting get: operationId: get-alerting-rule-id parameters: - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id type: array investigation_guide: additionalProperties: false type: object properties: blob: description: User-created content that describes alert causes and remdiation. type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Get rule details tags: - alerting post: operationId: post-alerting-rule-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. If it is omitted, an ID is randomly generated. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: createEsQueryEsqlRuleRequest: description: | Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. summary: Elasticsearch query rule (ES|QL) value: actions: - frequency: notify_when: onActiveAlert summary: false group: query matched id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 params: level: info message: |- Elasticsearch query rule '{{rule.name}}' is active: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} consumer: stackAlerts name: my Elasticsearch query ESQL rule params: esqlQuery: esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 searchType: esqlQuery size: 0 threshold: - 0 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d rule_type_id: .es-query schedule: interval: 1d createEsQueryKqlRuleRequest: description: Create an Elasticsearch query rule that uses Kibana query language (KQL). summary: Elasticsearch query rule (KQL) value: consumer: alerts name: my Elasticsearch query KQL rule params: aggType: count excludeHitsFromPreviousRun: true groupBy: all searchConfiguration: index: 90943e30-9a47-11e8-b64d-95841ca0b247 query: language: kuery query: '""geo.src : "US" ""' searchType: searchSource size: 100 threshold: - 1000 thresholdComparator: '>' timeWindowSize: 5 timeWindowUnit: m rule_type_id: .es-query schedule: interval: 1m createEsQueryRuleRequest: description: | Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. summary: Elasticsearch query rule (DSL) value: actions: - frequency: notify_when: onThrottleInterval summary: true throttle: 1d group: query matched id: fdbece50-406c-11ee-850e-c71febc4ca7f params: level: info message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. - frequency: notify_when: onActionGroupChange summary: false group: recovered id: fdbece50-406c-11ee-850e-c71febc4ca7f params: level: info message: Recovered consumer: alerts name: my Elasticsearch query rule params: esQuery: '"""{"query":{"match_all" : {}}}"""' index: - kibana_sample_data_logs size: 100 threshold: - 100 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d rule_type_id: .es-query schedule: interval: 1d createIndexThresholdRuleRequest: description: | Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. summary: Index threshold rule value: actions: - frequency: notify_when: onActionGroupChange summary: false group: threshold met id: 48de3460-f401-11ed-9f8e-399c75a2deeb params: level: info message: |- Rule '{{rule.name}}' is active for group '{{context.group}}': - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} alert_delay: active: 3 consumer: alerts name: my rule params: aggField: sheet.version aggType: avg groupBy: top index: - .test-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m rule_type_id: .index-threshold schedule: interval: 1m tags: - cpu createTrackingContainmentRuleRequest: description: | Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. summary: Tracking containment rule value: consumer: alerts name: my tracking rule params: boundaryGeoField: location boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc boundaryIndexTitle: boundary* boundaryNameField: name boundaryType: entireIndex dateField": '@timestamp' entity: agent.keyword geoField: geo.coordinates index: kibana_sample_data_logs indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 rule_type_id: .geo-containment schedule: interval: 1h schema: additionalProperties: false type: object properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 1000 type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string rule_type_id: description: The rule type identifier. type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string params: additionalProperties: {} default: {} description: The parameters for the rule. anyOf: - $ref: '#/components/schemas/params_property_apm_anomaly' - $ref: '#/components/schemas/params_property_apm_error_count' - $ref: '#/components/schemas/params_property_apm_transaction_duration' - $ref: '#/components/schemas/params_property_apm_transaction_error_rate' - $ref: '#/components/schemas/params_es_query_dsl_rule' - $ref: '#/components/schemas/params_es_query_esql_rule' - $ref: '#/components/schemas/params_es_query_kql_rule' - $ref: '#/components/schemas/params_index_threshold_rule' - $ref: '#/components/schemas/params_property_infra_inventory' - $ref: '#/components/schemas/params_property_log_threshold' - $ref: '#/components/schemas/params_property_infra_metric_threshold' - $ref: '#/components/schemas/params_property_slo_burn_rate' - $ref: '#/components/schemas/params_property_synthetics_uptime_tls' - $ref: '#/components/schemas/params_property_synthetics_monitor_status' required: - name - rule_type_id - consumer - schedule responses: '200': content: application/json: examples: createEsQueryEsqlRuleResponse: description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). summary: Elasticsearch query rule (ES|QL) value: actions: - connector_type_id: .server-log frequency: notify_when: onActiveAlert summary: false throttle: null group: query matched id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 params: level: info message: |- Elasticsearch query rule '{{rule.name}}' is active: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} uuid: bfe370a3-531b-4855-bbe6-ad739f578844 api_key_created_by_user: false api_key_owner: elastic consumer: stackAlerts created_at: '2023-11-01T19:00:10.453Z' created_by: elastic enabled: true execution_status: last_execution_date: '2023-11-01T19:00:10.453Z' status: pending id: e0d62360-78e8-11ee-9177-f7d404c8c945 mute_all: false muted_alert_ids: [] name: my Elasticsearch query ESQL rule notify_when: null params: aggType: count esqlQuery: esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 excludeHitsFromPreviousRun": true, groupBy: all searchType: esqlQuery size: 0 threshold: - 0 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d revision: 0 rule_type_id: .es-query running: false schedule: interval: 1d scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 tags: [] throttle: null updated_at: '2023-11-01T19:00:10.453Z' updated_by: elastic", createEsQueryKqlRuleResponse: description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). summary: Elasticsearch query rule (KQL) value: actions: [] api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2023-07-14T20:24:50.729Z' created_by: elastic enabled: true execution_status: last_execution_date: '2023-07-14T20:24:50.729Z' status: pending id: 7bd506d0-2284-11ee-8fad-6101956ced88 mute_all: false muted_alert_ids: [] name: my Elasticsearch query KQL rule" notify_when: null params: aggType: count excludeHitsFromPreviousRun: true groupBy: all searchConfiguration: index: 90943e30-9a47-11e8-b64d-95841ca0b247 query: language: kuery query: '""geo.src : "US" ""' searchType: searchSource size: 100 threshold: - 1000 thresholdComparator: '>' timeWindowSize: 5 timeWindowUnit: m revision: 0 rule_type_id: .es-query running: false schedule: interval: 1m scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 tags: [] throttle: null updated_at: '2023-07-14T20:24:50.729Z' updated_by: elastic createEsQueryRuleResponse: description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). summary: Elasticsearch query rule (DSL) value: actions: - connector_type_id: .server-log frequency: notify_when: onThrottleInterval summary: true throttle: 1d group: query matched id: fdbece50-406c-11ee-850e-c71febc4ca7f params: level: info message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 - connector_type_id: .server-log frequency: notify_when: onActionGroupChange summary: false throttle: null group: recovered id: fdbece50-406c-11ee-850e-c71febc4ca7f params: level: info message: Recovered uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2023-08-22T00:03:38.263Z' created_by: elastic enabled: true execution_status: last_execution_date: '2023-08-22T00:03:38.263Z' status: pending id: 58148c70-407f-11ee-850e-c71febc4ca7f mute_all: false muted_alert_ids: [] name: my Elasticsearch query rule notify_when: null params: aggType: count esQuery: '"""{"query":{"match_all" : {}}}"""' excludeHitsFromPreviousRun: true groupBy: all index: - kibana_sample_data_logs searchType: esQuery size: 100 threshold: - 100 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d revision: 0 rule_type_id: .es-query running: false schedule: interval: 1d scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f tags: [] throttle: null updated_at: '2023-08-22T00:03:38.263Z' updated_by: elastic createIndexThresholdRuleResponse: description: The response for successfully creating an index threshold rule. summary: Index threshold rule value: actions: - connector_type_id: .server-log frequency: notify_when: onActionGroupChange summary: false throttle: null group: threshold met id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 params: level: info message: |- Rule {{rule.name}} is active for group {{context.group} : - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d alert_delay: active: 3 api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2022-06-08T17:20:31.632Z' created_by: elastic enabled: true execution_status: last_execution_date: '2022-06-08T17:20:31.632Z' status: pending id: 41893910-6bca-11eb-9e0d-85d233e3ee35 mute_all: false muted_alert_ids: [] name: my rule notify_when: null params: aggField: sheet.version aggType: avg groupBy: top index: - .test-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m revision: 0 rule_type_id: .index-threshold running: false schedule: interval: 1m scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 tags: - cpu throttle: null updated_at: '2022-06-08T17:20:31.632Z' updated_by: elastic createTrackingContainmentRuleResponse: description: The response for successfully creating a tracking containment rule. summary: Tracking containment rule value: actions: [] api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2024-02-14T19:52:55.920Z' created_by: elastic enabled: true execution_status: last_duration: 74 last_execution_date: '2024-02-15T03:25:38.125Z' status: ok id: b6883f9d-5f70-4758-a66e-369d7c26012f last_run: alerts_count: active: 0 ignored: 0 new: 0 recovered: 0 outcome: succeeded outcome_msg: null outcome_order: 0 warning: null mute_all: false muted_alert_ids: [] name: my tracking rule next_run: '2024-02-15T03:26:38.033Z' notify_when: null params: boundaryGeoField: location boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc boundaryIndexTitle: boundary* boundaryNameField: name boundaryType: entireIndex dateField: '@timestamp' entity: agent.keyword geoField: geo.coordinates index: kibana_sample_data_logs indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 revision: 1 rule_type_id: .geo-containment running: false schedule: interval: 1h scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f tags: [] throttle: null updated_at: '2024-02-15T03:24:32.574Z' updated_by: elastic schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id type: array investigation_guide: additionalProperties: false type: object properties: blob: description: User-created content that describes alert causes and remdiation. type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '409': description: Indicates that the rule id is already in use. summary: Create a rule tags: - alerting put: operationId: put-alerting-rule-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: updateRuleRequest: description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. summary: Index threshold rule value: actions: - frequency: notify_when: onActionGroupChange summary: false group: threshold met id: 96b668d0-a1b6-11ed-afdf-d39a49596974 params: level: info message: |- Rule {{rule.name}} is active for group {{context.group}}: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} name: new name params: aggField: sheet.version aggType: avg groupBy: top index: - .updated-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m schedule: interval: 1m tags: [] schema: additionalProperties: false type: object properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id maxItems: 10 type: array investigation_guide: additionalProperties: false type: object properties: blob: maxLength: 1000 type: string required: - blob flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} default: {} description: The parameters for the rule. type: object schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] items: description: The tags for the rule. type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - schedule responses: '200': content: application/json: examples: updateRuleResponse: description: The response for successfully updating an index threshold rule. summary: Index threshold rule value: actions: - connector_type_id: .server-log frequency: notify_when: onActionGroupChange summary: false throttle: null group: threshold met id: 96b668d0-a1b6-11ed-afdf-d39a49596974 params: level: info message: |- Rule {{rule.name}} is active for group {{context.group}}: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date} uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2024-03-26T23:13:20.985Z' created_by: elastic enabled: true execution_status: last_duration: 52 last_execution_date: '2024-03-26T23:22:51.390Z' status: ok id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 last_run: alerts_count: active: 0 ignored: 0 new: 0 recovered: 0 outcome: succeeded outcome_msg: null warning: null mute_all: false muted_alert_ids: [] name: new name next_run: '2024-03-26T23:23:51.316Z' params: aggField: sheet.version aggType: avg groupBy: top index: - .updated-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m revision: 1 rule_type_id: .index-threshold running: false schedule: interval: 1m scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea tags: [] throttle: null updated_at: '2024-03-26T23:22:59.949Z' updated_by: elastic schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id type: array investigation_guide: additionalProperties: false type: object properties: blob: description: User-created content that describes alert causes and remdiation. type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. '409': description: Indicates that the rule has already been updated by another user. summary: Update a rule tags: - alerting /api/alerting/rule/{id}/_disable: post: operationId: post-alerting-rule-id-disable parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false nullable: true type: object properties: untrack: description: Defines whether this rule's alerts should be untracked. type: boolean x-oas-optional: true responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Disable a rule tags: - alerting /api/alerting/rule/{id}/_enable: post: operationId: post-alerting-rule-id-enable parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Enable a rule tags: - alerting /api/alerting/rule/{id}/_mute_all: post: operationId: post-alerting-rule-id-mute-all parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Mute all alerts tags: - alerting /api/alerting/rule/{id}/_unmute_all: post: operationId: post-alerting-rule-id-unmute-all parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Unmute all alerts tags: - alerting /api/alerting/rule/{id}/_update_api_key: post: operationId: post-alerting-rule-id-update-api-key parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. '409': description: Indicates that the rule has already been updated by another user. summary: Update the API key for a rule tags: - alerting /api/alerting/rule/{id}/snooze_schedule: post: description: When you snooze a rule, the rule checks continue to run but alerts will not generate actions. You can snooze for a specified period of time and schedule single or recurring downtimes. operationId: post-alerting-rule-id-snooze-schedule parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: Identifier of the rule. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. minimum: 1 type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: maximum: 12 minimum: 1 type: number minItems: 1 type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: maximum: 31 minimum: 1 type: number minItems: 1 type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string minItems: 1 type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - schedule responses: '200': content: application/json: schema: additionalProperties: false type: object properties: body: additionalProperties: false type: object properties: schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. minimum: 1 type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: maximum: 12 minimum: 1 type: number minItems: 1 type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: maximum: 31 minimum: 1 type: number minItems: 1 type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string minItems: 1 type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration id: description: Identifier of the snooze schedule. type: string required: - id required: - schedule required: - body description: Indicates a successful call. '400': description: Indicates an invalid schema. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given id does not exist. summary: Schedule a snooze for the rule tags: - alerting x-state: Generally available; added in 8.19.0 /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: post: operationId: post-alerting-rule-rule-id-alert-alert-id-mute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: rule_id required: true schema: type: string - description: The identifier for the alert. in: path name: alert_id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule or alert with the given ID does not exist. summary: Mute an alert tags: - alerting /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: post: operationId: post-alerting-rule-rule-id-alert-alert-id-unmute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: rule_id required: true schema: type: string - description: The identifier for the alert. in: path name: alert_id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule or alert with the given ID does not exist. summary: Unmute an alert tags: - alerting /api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}: delete: operationId: delete-alerting-rule-ruleid-snooze-schedule-scheduleid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: ruleId required: true schema: type: string - description: The identifier for the snooze schedule. in: path name: scheduleId required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given id does not exist. summary: Delete a snooze schedule for a rule tags: - alerting x-state: Generally available; added in 8.19.0 /api/alerting/rules/_find: get: operationId: get-alerting-rules-find parameters: - description: The number of rules to return per page. in: query name: per_page required: false schema: default: 10 minimum: 0 type: number - description: The page number to return. in: query name: page required: false schema: default: 1 minimum: 1 type: number - description: An Elasticsearch simple_query_string query that filters the objects in the response. in: query name: search required: false schema: type: string - description: The default operator to use for the simple_query_string. in: query name: default_search_operator required: false schema: default: OR enum: - OR - AND type: string - description: The fields to perform the simple_query_string parsed query against. in: query name: search_fields required: false schema: anyOf: - items: type: string type: array - type: string - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. in: query name: sort_field required: false schema: type: string - description: Determines the sort order. in: query name: sort_order required: false schema: enum: - asc - desc type: string - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. in: query name: has_reference required: false schema: additionalProperties: false nullable: true type: object properties: id: type: string type: type: string required: - type - id - in: query name: fields required: false schema: items: description: The fields to return in the `attributes` key of the response. type: string type: array - description: 'A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' in: query name: filter required: false schema: type: string - in: query name: filter_consumers required: false schema: items: description: List of consumers to filter. type: string type: array responses: '200': content: application/json: examples: findConditionalActionRulesResponse: description: A response that contains information about an index threshold rule. summary: Index threshold rule value: data: - actions: - frequency: notify_when: onActionGroupChange summary: false throttle: null group: threshold met id: 9dca3e00-74f5-11ed-9801-35303b735aef params: connector_type_id: .server-log level: info message: |- Rule {{rule.name}} is active for group {{context.group}}: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2022-12-05T23:40:33.132Z' created_by: elastic enabled: true execution_status: last_duration: 48 last_execution_date: '2022-12-06T01:44:23.983Z' status: ok id: 3583a470-74f6-11ed-9801-35303b735aef last_run: alerts_count: active: 0 ignored: 0 new: 0 recovered: 0 outcome: succeeded outcome_msg: null warning: null mute_all: false muted_alert_ids: [] name: my alert next_run: '2022-12-06T01:45:23.912Z' params: aggField: sheet.version aggType: avg groupBy: top index: - test-index termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m revision: 1 rule_type_id: .index-threshold schedule: interval: 1m scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef tags: - cpu throttle: null updated_at: '2022-12-05T23:40:33.132Z' updated_by: elastic page: 1 per_page: 10 total: 1 findRulesResponse: description: A response that contains information about a security rule that has conditional actions. summary: Security rule value: data: - actions: - alerts_filter: query: filters: - $state: store: appState meta: alias: null disabled: false field: client.geo.region_iso_code index: c4bdca79-e69e-4d80-82a1-e5192c621bea key: client.geo.region_iso_code negate: false params: query: CA-QC type: phrase query: match_phrase: client.geo.region_iso_code: CA-QC kql: '' timeframe: days: - 7 hours: end: '17:00' start: '08:00' timezone: UTC connector_type_id: .index frequency: notify_when: onActiveAlert summary: true throttle: null group: default id: 49eae970-f401-11ed-9f8e-399c75a2deeb params: documents: - alert_id: '[object Object]': null context_message: '[object Object]': null rule_id: '[object Object]': null rule_name: '[object Object]': null uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 api_key_created_by_user: false api_key_owner: elastic consumer: siem created_at: '2023-05-16T15:50:28.358Z' created_by: elastic enabled: true execution_status: last_duration: 166 last_execution_date: '2023-05-16T20:26:49.590Z' status: ok id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb last_run: alerts_count: active: 0 ignored: 0 new: 0 recovered: 0 outcome: succeeded outcome_msg: - Rule execution completed successfully outcome_order: 0 warning: null mute_all: false muted_alert_ids: [] name: security_rule next_run: '2023-05-16T20:27:49.507Z' notify_when: null params: author: [] description: A security threshold rule. exceptionsList: [] falsePositives: [] filters: [] from: now-3660s immutable: false index: - kibana_sample_data_logs language: kuery license: '' maxSignals: 100 meta: from: 1h kibana_siem_app_url: https://localhost:5601/app/security outputIndex: '' query: '*' references: [] riskScore: 21 riskScoreMapping: [] ruleId: an_internal_rule_id severity: low severityMapping: [] threat: [] threshold: cardinality: [] field: - bytes value: 1 to: now type: threshold version: 1 revision: 1 rule_type_id: siem.thresholdRule running: false schedule: interval: 1m scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb tags: [] throttle: null updated_at: '2023-05-16T20:25:42.559Z' updated_by: elastic page: 1 per_page: 10 total: 1 schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string artifacts: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string required: - id type: array investigation_guide: additionalProperties: false type: object properties: blob: description: User-created content that describes alert causes and remdiation. type: string required: - blob consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. summary: Get information about rules tags: - alerting /api/apm/agent_keys: post: description: | Create a new agent key for APM. The user creating an APM agent API key must have at least the `manage_own_api_key` cluster privilege and the APM application-level privileges that it wishes to grant. After it is created, you can copy the API key (Base64 encoded) and use it to to authorize requests from APM agents to the APM Server. operationId: createAgentKey parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: createAgentKeyRequest1: $ref: '#/components/examples/APM_UI_agent_keys_object_post_request1' schema: $ref: '#/components/schemas/APM_UI_agent_keys_object' required: true responses: '200': content: application/json: examples: createAgentKeyResponse1: $ref: '#/components/examples/APM_UI_agent_keys_object_post_200_response1' schema: $ref: '#/components/schemas/APM_UI_agent_keys_response' description: Agent key created successfully '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response summary: Create an APM agent key tags: - APM agent keys /api/apm/fleet/apm_server_schema: post: operationId: saveApmServerSchema parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: schema: type: object properties: schema: additionalProperties: true description: Schema object example: foo: bar type: object required: true responses: '200': content: application/json: schema: additionalProperties: false type: object description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Save APM server schema tags: - APM server schema /api/apm/services/{serviceName}/annotation: post: description: Create a new annotation for a specific service. operationId: createAnnotation parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - description: The name of the service in: path name: serviceName required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/APM_UI_create_annotation_object' required: true responses: '200': content: application/json: examples: createAnnotationResponse1: $ref: '#/components/examples/APM_UI_annotation_object_post_200_response1' schema: $ref: '#/components/schemas/APM_UI_create_annotation_response' description: Annotation created successfully '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Create a service annotation tags: - APM annotations x-codeSamples: - lang: Curl source: | curl -X POST \ http://localhost:5601/api/apm/services/opbeans-java/annotation \ -H 'Content-Type: application/json' \ -H 'kbn-xsrf: true' \ -H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \ -d '{ "@timestamp": "2020-05-08T10:31:30.452Z", "service": { "version": "1.2" }, "message": "Deployment 1.2" }' /api/apm/services/{serviceName}/annotation/search: get: description: Search for annotations related to a specific service. operationId: getAnnotation parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: The name of the service in: path name: serviceName required: true schema: type: string - description: The environment to filter annotations by in: query name: environment required: false schema: type: string - description: The start date for the search in: query name: start required: false schema: type: string - description: The end date for the search in: query name: end required: false schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_annotation_search_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response summary: Search for annotations tags: - APM annotations /api/apm/settings/agent-configuration: delete: operationId: deleteAgentConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: deleteAgentConfigurationRequest1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_delete_request1' schema: $ref: '#/components/schemas/APM_UI_service_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Delete agent configuration tags: - APM agent configuration get: operationId: getAgentConfigurations parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' responses: '200': content: application/json: examples: getAgentConfigurationsResponseExample1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_get_200_response1' schema: $ref: '#/components/schemas/APM_UI_agent_configurations_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get a list of agent configurations tags: - APM agent configuration put: operationId: createUpdateAgentConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - description: If the config exists ?overwrite=true is required in: query name: overwrite schema: type: boolean requestBody: content: application/json: examples: createUpdateAgentConfigurationRequestExample1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_put_request1' schema: $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' required: true responses: '200': content: application/json: schema: additionalProperties: false type: object description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Create or update agent configuration tags: - APM agent configuration /api/apm/settings/agent-configuration/agent_name: get: description: Retrieve `agentName` for a service. operationId: getAgentNameForService parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: The name of the service example: node in: query name: serviceName required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_service_agent_name_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get agent name for service tags: - APM agent configuration /api/apm/settings/agent-configuration/environments: get: operationId: getEnvironmentsForService parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: The name of the service in: query name: serviceName schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_service_environments_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get environments for service tags: - APM agent configuration /api/apm/settings/agent-configuration/search: post: description: | This endpoint enables you to search for a single agent configuration and update the 'applied_by_agent' field. operationId: searchSingleConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: examples: searchSingleConfigurationRequest1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_request1' schema: $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' required: true responses: '200': content: application/json: examples: searchSingleConfigurationResponse1: $ref: '#/components/examples/APM_UI_agent_configuration_intake_object_search_200_response1' schema: $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Lookup single agent configuration tags: - APM agent configuration /api/apm/settings/agent-configuration/view: get: operationId: getSingleAgentConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: Service name example: node in: query name: name schema: type: string - description: Service environment example: prod in: query name: environment schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get single agent configuration tags: - APM agent configuration /api/apm/sourcemaps: get: description: | Get an array of Fleet artifacts, including source map uploads. You must have `read` or `all` Kibana privileges for the APM and User Experience feature. operationId: getSourceMaps parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: Page number in: query name: page schema: type: number - description: Number of records per page in: query name: perPage schema: type: number responses: '200': content: application/json: examples: getSourceMapsResponse1: $ref: '#/components/examples/APM_UI_source_maps_get_200_response1' schema: $ref: '#/components/schemas/APM_UI_source_maps_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response '501': content: application/json: schema: $ref: '#/components/schemas/APM_UI_501_response' description: Not Implemented response summary: Get source maps tags: - APM sourcemaps x-codeSamples: - lang: Curl source: | curl -X GET "http://localhost:5601/api/apm/sourcemaps" \ -H 'Content-Type: application/json' \ -H 'kbn-xsrf: true' \ -H 'Authorization: ApiKey ${YOUR_API_KEY}' post: description: | Upload a source map for a specific service and version. You must have `all` Kibana privileges for the APM and User Experience feature. The maximum payload size is `1mb`. If you attempt to upload a source map that exceeds the maximum payload size, you will get a 413 error. Before uploading source maps that exceed this default, change the maximum payload size allowed by Kibana with the `server.maxPayload` variable. operationId: uploadSourceMap parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: multipart/form-data: schema: $ref: '#/components/schemas/APM_UI_upload_source_map_object' required: true responses: '200': content: application/json: examples: uploadSourceMapResponse1: $ref: '#/components/examples/APM_UI_source_maps_upload_200_response1' schema: $ref: '#/components/schemas/APM_UI_upload_source_maps_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response '501': content: application/json: schema: $ref: '#/components/schemas/APM_UI_501_response' description: Not Implemented response summary: Upload a source map tags: - APM sourcemaps x-codeSamples: - lang: Curl source: | curl -X POST "http://localhost:5601/api/apm/sourcemaps" \ -H 'Content-Type: multipart/form-data' \ -H 'kbn-xsrf: true' \ -H 'Authorization: ApiKey ${YOUR_API_KEY}' \ -F 'service_name="foo"' \ -F 'service_version="1.0.0"' \ -F 'bundle_filepath="/test/e2e/general-usecase/bundle.js"' \ -F 'sourcemap="{\"version\":3,\"file\":\"static/js/main.chunk.js\",\"sources\":[\"fleet-source-map-client/src/index.css\",\"fleet-source-map-client/src/App.js\",\"webpack:///./src/index.css?bb0a\",\"fleet-source-map-client/src/index.js\",\"fleet-source-map-client/src/reportWebVitals.js\"],\"sourcesContent\":[\"content\"],\"mappings\":\"mapping\",\"sourceRoot\":\"\"}"' /api/apm/sourcemaps/{id}: delete: description: | Delete a previously uploaded source map. You must have `all` Kibana privileges for the APM and User Experience feature. operationId: deleteSourceMap parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - description: Source map identifier in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response '501': content: application/json: schema: $ref: '#/components/schemas/APM_UI_501_response' description: Not Implemented response summary: Delete source map tags: - APM sourcemaps x-codeSamples: - lang: Curl source: | curl -X DELETE "http://localhost:5601/api/apm/sourcemaps/apm:foo-1.0.0-644fd5a9" \ -H 'Content-Type: application/json' \ -H 'kbn-xsrf: true' \ -H 'Authorization: ApiKey ${YOUR_API_KEY}' /api/asset_criticality: delete: description: Delete the asset criticality record for a specific entity. operationId: DeleteAssetCriticalityRecord parameters: - description: The ID value of the asset. example: my_host in: query name: id_value required: true schema: type: string - description: The field representing the ID. example: host.name in: query name: id_field required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - description: If 'wait_for' the request will wait for the index refresh. in: query name: refresh required: false schema: enum: - wait_for type: string responses: '200': content: application/json: schema: type: object properties: deleted: description: True if the record was deleted or false if the record did not exist. type: boolean record: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' description: The deleted record if it existed. required: - deleted description: Successful response '400': description: Invalid request summary: Delete an asset criticality record tags: - Security Entity Analytics API get: description: Get the asset criticality record for a specific entity. operationId: GetAssetCriticalityRecord parameters: - description: The ID value of the asset. example: my_host in: query name: id_value required: true schema: type: string - description: The field representing the ID. example: host.name in: query name: id_field required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' description: Successful response '400': description: Invalid request '404': description: Criticality record not found summary: Get an asset criticality record tags: - Security Entity Analytics API post: description: | Create or update an asset criticality record for a specific entity. If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. operationId: CreateAssetCriticalityRecord requestBody: content: application/json: schema: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' - type: object properties: refresh: description: If 'wait_for' the request will wait for the index refresh. enum: - wait_for type: string example: criticality_level: high_impact id_field: host.name id_value: my_host required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' description: Successful response '400': description: Invalid request summary: Upsert an asset criticality record tags: - Security Entity Analytics API /api/asset_criticality/bulk: post: description: | Bulk upsert up to 1000 asset criticality records. If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. operationId: BulkUpsertAssetCriticalityRecords requestBody: content: application/json: schema: example: records: - criticality_level: low_impact id_field: host.name id_value: host-1 - criticality_level: medium_impact id_field: host.name id_value: host-2 type: object properties: records: items: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - type: object properties: criticality_level: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload' required: - criticality_level maxItems: 1000 minItems: 1 type: array required: - records responses: '200': content: application/json: schema: example: errors: - index: 0 message: Invalid ID field stats: failed: 1 successful: 1 total: 2 type: object properties: errors: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' type: array stats: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' required: - errors - stats description: Bulk upload successful '413': description: File too large summary: Bulk upsert asset criticality records tags: - Security Entity Analytics API /api/asset_criticality/list: get: description: List asset criticality records, paging, sorting and filtering as needed. operationId: FindAssetCriticalityRecords parameters: - description: The field to sort by. in: query name: sort_field required: false schema: enum: - id_value - id_field - criticality_level - \@timestamp type: string - description: The order to sort by. in: query name: sort_direction required: false schema: enum: - asc - desc type: string - description: The page number to return. in: query name: page required: false schema: minimum: 1 type: integer - description: The number of records to return per page. in: query name: per_page required: false schema: maximum: 1000 minimum: 1 type: integer - description: The kuery to filter by. in: query name: kuery required: false schema: type: string responses: '200': content: application/json: schema: example: page: 1 per_page: 10 records: - '@timestamp': '2024-08-02T14:40:35.705Z' asset: criticality: medium_impact criticality_level: medium_impact host: asset: criticality: medium_impact name: my_other_host id_field: host.name id_value: my_other_host - '@timestamp': '2024-08-02T11:15:34.290Z' asset: criticality: high_impact criticality_level: high_impact host: asset: criticality: high_impact name: my_host id_field: host.name id_value: my_host total: 2 type: object properties: page: minimum: 1 type: integer per_page: maximum: 1000 minimum: 1 type: integer records: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' type: array total: minimum: 0 type: integer required: - records - page - per_page - total description: Successfully retrieved asset criticality records summary: List asset criticality records tags: - Security Entity Analytics API /api/cases: delete: description: | You must have `read` or `all` privileges and the `delete` sub-feature privilege for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. operationId: deleteCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_ids' responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Delete cases tags: - cases patch: description: | You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. operationId: updateCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: examples: updateCaseRequest: $ref: '#/components/examples/Cases_update_case_request' schema: $ref: '#/components/schemas/Cases_update_case_request' responses: '200': content: application/json: examples: updateCaseResponse: $ref: '#/components/examples/Cases_update_case_response' schema: items: $ref: '#/components/schemas/Cases_case_response_properties' type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Update cases tags: - cases post: description: | You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. operationId: createCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: examples: createCaseRequest: $ref: '#/components/examples/Cases_create_case_request' schema: $ref: '#/components/schemas/Cases_create_case_request' required: true responses: '200': content: application/json: examples: createCaseResponse: $ref: '#/components/examples/Cases_create_case_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Create a case tags: - cases /api/cases/_find: get: description: | You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: findCasesDefaultSpace parameters: - $ref: '#/components/parameters/Cases_assignees_filter' - $ref: '#/components/parameters/Cases_category' - $ref: '#/components/parameters/Cases_defaultSearchOperator' - $ref: '#/components/parameters/Cases_from' - $ref: '#/components/parameters/Cases_owner_filter' - $ref: '#/components/parameters/Cases_page_index' - $ref: '#/components/parameters/Cases_page_size' - $ref: '#/components/parameters/Cases_reporters' - $ref: '#/components/parameters/Cases_search' - $ref: '#/components/parameters/Cases_searchFields' - $ref: '#/components/parameters/Cases_severity' - $ref: '#/components/parameters/Cases_sortField' - $ref: '#/components/parameters/Cases_sort_order' - $ref: '#/components/parameters/Cases_status' - $ref: '#/components/parameters/Cases_tags' - $ref: '#/components/parameters/Cases_to' responses: '200': content: application/json: examples: findCaseResponse: $ref: '#/components/examples/Cases_find_case_response' schema: type: object properties: cases: items: $ref: '#/components/schemas/Cases_case_response_properties' maxItems: 10000 type: array count_closed_cases: type: integer count_in_progress_cases: type: integer count_open_cases: type: integer page: type: integer per_page: type: integer total: type: integer description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Search cases tags: - cases /api/cases/{caseId}: get: description: | You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. operationId: getCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' responses: '200': content: application/json: examples: getDefaultCaseResponse: $ref: '#/components/examples/Cases_get_case_response' getDefaultObservabilityCaseReponse: $ref: '#/components/examples/Cases_get_case_observability_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case information tags: - cases /api/cases/{caseId}/alerts: get: description: | You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: getCaseAlertsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' responses: '200': content: application/json: examples: getCaseAlertsResponse: $ref: '#/components/examples/Cases_get_case_alerts_response' schema: items: $ref: '#/components/schemas/Cases_alert_response_properties' type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get all alerts for a case tags: - cases x-state: Technical preview /api/cases/{caseId}/comments: delete: description: | Deletes all comments and alerts from a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. operationId: deleteCaseCommentsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Delete all case comments and alerts tags: - cases patch: description: | You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment. operationId: updateCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' requestBody: content: application/json: examples: updateCaseCommentRequest: $ref: '#/components/examples/Cases_update_comment_request' schema: $ref: '#/components/schemas/Cases_update_case_comment_request' required: true responses: '200': content: application/json: examples: updateCaseCommentResponse: $ref: '#/components/examples/Cases_update_comment_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Update a case comment or alert tags: - cases post: description: | You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts. operationId: addCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' requestBody: content: application/json: examples: createCaseCommentRequest: $ref: '#/components/examples/Cases_add_comment_request' schema: $ref: '#/components/schemas/Cases_add_case_comment_request' required: true responses: '200': content: application/json: examples: createCaseCommentResponse: $ref: '#/components/examples/Cases_add_comment_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Add a case comment or alert tags: - cases /api/cases/{caseId}/comments/_find: get: description: | Retrieves a paginated list of comments for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. operationId: findCaseCommentsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_page_index' - $ref: '#/components/parameters/Cases_page_size' - $ref: '#/components/parameters/Cases_sort_order' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Find case comments and alerts tags: - cases /api/cases/{caseId}/comments/{commentId}: delete: description: | You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. operationId: deleteCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_comment_id' responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Delete a case comment or alert tags: - cases get: description: | You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. operationId: getCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_comment_id' responses: '200': content: application/json: examples: getCaseCommentResponse: $ref: '#/components/examples/Cases_get_comment_response' schema: oneOf: - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - $ref: '#/components/schemas/Cases_user_comment_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get a case comment or alert tags: - cases /api/cases/{caseId}/connector/{connectorId}/_push: post: description: | You must have `all` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. You must also have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're pushing. operationId: pushCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_connector_id' - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: schema: nullable: true type: object responses: '200': content: application/json: examples: pushCaseResponse: $ref: '#/components/examples/Cases_push_case_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Push a case to an external service tags: - cases /api/cases/{caseId}/files: post: description: | Attach a file to a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include: - The `Content-Type: multipart/form-data` HTTP header. - The location of the file that is being uploaded. operationId: addCaseFileDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' requestBody: content: multipart/form-data: schema: $ref: '#/components/schemas/Cases_add_case_file_request' required: true responses: '200': content: application/json: examples: addCaseFileResponse: $ref: '#/components/examples/Cases_add_comment_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Attach a file to a case tags: - cases /api/cases/{caseId}/user_actions/_find: get: description: | Retrives a paginated list of user activity for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. operationId: findCaseActivityDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_page_index' - $ref: '#/components/parameters/Cases_page_size' - $ref: '#/components/parameters/Cases_sort_order' - $ref: '#/components/parameters/Cases_user_action_types' responses: '200': content: application/json: examples: findCaseActivityResponse: $ref: '#/components/examples/Cases_find_case_activity_response' schema: type: object properties: page: type: integer perPage: type: integer total: type: integer userActions: items: $ref: '#/components/schemas/Cases_user_actions_find_response_properties' maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Find case activity tags: - cases /api/cases/alerts/{alertId}: get: description: | You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: getCasesByAlertDefaultSpace parameters: - $ref: '#/components/parameters/Cases_alert_id' - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: schema: example: - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 title: security_case items: type: object properties: id: description: The case identifier. type: string title: description: The case title. type: string maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get cases for an alert tags: - cases x-state: Technical preview /api/cases/configure: get: description: | Get setting details such as the closure type, custom fields, templatse, and the default connector for cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the cases were created. operationId: getCaseConfigurationDefaultSpace parameters: - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: examples: getConfigurationResponse: $ref: '#/components/examples/Cases_get_case_configuration_response' schema: items: type: object properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' created_at: example: '2022-06-01T17:07:17.767Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username customFields: description: Custom fields configuration details. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean type: array error: example: null nullable: true type: string id: example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 type: string mappings: items: type: object properties: action_type: example: overwrite type: string source: example: title type: string target: example: summary type: string type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' updated_at: example: '2022-06-01T19:58:48.169Z' format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzIwNzMsMV0= type: string type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case settings tags: - cases post: description: | Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where you are creating cases. operationId: setCaseConfigurationDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: examples: setCaseConfigRequest: $ref: '#/components/examples/Cases_set_case_configuration_request' schema: $ref: '#/components/schemas/Cases_set_case_configuration_request' responses: '200': content: application/json: examples: setCaseConfigResponse: $ref: '#/components/examples/Cases_set_case_configuration_response' schema: type: object properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' created_at: example: '2022-06-01T17:07:17.767Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username customFields: description: Custom fields configuration details. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean type: array error: example: null nullable: true type: string id: example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 type: string mappings: items: type: object properties: action_type: example: overwrite type: string source: example: title type: string target: example: summary type: string type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' updated_at: example: '2022-06-01T19:58:48.169Z' format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzIwNzMsMV0= type: string description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Add case settings tags: - cases /api/cases/configure/{configurationId}: patch: description: | Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the case was created. operationId: updateCaseConfigurationDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_configuration_id' requestBody: content: application/json: examples: updateCaseConfigurationRequest: $ref: '#/components/examples/Cases_update_case_configuration_request' schema: $ref: '#/components/schemas/Cases_update_case_configuration_request' responses: '200': content: application/json: examples: updateCaseConfigurationResponse: $ref: '#/components/examples/Cases_update_case_configuration_response' schema: type: object properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' created_at: example: '2022-06-01T17:07:17.767Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username customFields: description: Custom fields configuration details. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean type: array error: example: null nullable: true type: string id: example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 type: string mappings: items: type: object properties: action_type: example: overwrite type: string source: example: title type: string target: example: summary type: string type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' updated_at: example: '2022-06-01T19:58:48.169Z' format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzIwNzMsMV0= type: string description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Update case settings tags: - cases /api/cases/configure/connectors/_find: get: description: | Get information about connectors that are supported for use in cases. You must have `read` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. operationId: findCaseConnectorsDefaultSpace responses: '200': content: application/json: examples: findConnectorResponse: $ref: '#/components/examples/Cases_find_connector_response' schema: items: type: object properties: actionTypeId: $ref: '#/components/schemas/Cases_connector_types' config: additionalProperties: true type: object properties: apiUrl: type: string projectKey: type: string id: type: string isDeprecated: type: boolean isMissingSecrets: type: boolean isPreconfigured: type: boolean name: type: string referencedByCount: type: integer maxItems: 1000 type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case connectors tags: - cases /api/cases/reporters: get: description: | Returns information about the users who opened cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged. operationId: getCaseReportersDefaultSpace parameters: - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: examples: getReportersResponse: $ref: '#/components/examples/Cases_get_reporters_response' schema: items: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case creators tags: - cases /api/cases/tags: get: description: | Aggregates and returns a list of case tags. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: getCaseTagsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: examples: getTagsResponse: $ref: '#/components/examples/Cases_get_tags_response' schema: items: type: string maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case tags tags: - cases /api/data_views: get: operationId: getAllDataViewsDefault responses: '200': content: application/json: examples: getAllDataViewsResponse: $ref: '#/components/examples/Data_views_get_data_views_response' schema: type: object properties: data_view: items: type: object properties: id: type: string name: type: string namespaces: items: type: string type: array title: type: string typeMeta: type: object type: array description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Get all data views tags: - data views /api/data_views/data_view: post: operationId: createDataViewDefaultw parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: createDataViewRequest: $ref: '#/components/examples/Data_views_create_data_view_request' schema: $ref: '#/components/schemas/Data_views_create_data_view_request_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Create a data view tags: - data views /api/data_views/data_view/{viewId}: delete: description: | WARNING: When you delete a data view, it cannot be recovered. operationId: deleteDataViewDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' responses: '204': description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Delete a data view tags: - data views get: operationId: getDataViewDefault parameters: - $ref: '#/components/parameters/Data_views_view_id' responses: '200': content: application/json: examples: getDataViewResponse: $ref: '#/components/examples/Data_views_get_data_view_response' schema: $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Get a data view tags: - data views post: operationId: updateDataViewDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: updateDataViewRequest: $ref: '#/components/examples/Data_views_update_data_view_request' schema: $ref: '#/components/schemas/Data_views_update_data_view_request_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Update a data view tags: - data views /api/data_views/data_view/{viewId}/fields: post: description: | Update fields presentation metadata such as count, customLabel, customDescription, and format. operationId: updateFieldsMetadataDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: updateFieldsMetadataRequest: $ref: '#/components/examples/Data_views_update_field_metadata_request' schema: type: object properties: fields: description: The field object. type: object required: - fields required: true responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Update data view fields metadata tags: - data views /api/data_views/data_view/{viewId}/runtime_field: post: operationId: createRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: createRuntimeFieldRequest: $ref: '#/components/examples/Data_views_create_runtime_field_request' schema: type: object properties: name: description: | The name for a runtime field. type: string runtimeField: description: | The runtime field definition object. type: object required: - name - runtimeField required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. summary: Create a runtime field tags: - data views put: operationId: createUpdateRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - description: | The ID of the data view fields you want to update. in: path name: viewId required: true schema: type: string requestBody: content: application/json: examples: updateRuntimeFieldRequest: $ref: '#/components/examples/Data_views_create_runtime_field_request' schema: type: object properties: name: description: | The name for a runtime field. type: string runtimeField: description: | The runtime field definition object. type: object required: - name - runtimeField required: true responses: '200': content: application/json: schema: type: object properties: data_view: type: object fields: items: type: object type: array description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Create or update a runtime field tags: - data views /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: delete: operationId: deleteRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_field_name' - $ref: '#/components/parameters/Data_views_view_id' responses: '200': description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Delete a runtime field from a data view tags: - data views get: operationId: getRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_field_name' - $ref: '#/components/parameters/Data_views_view_id' responses: '200': content: application/json: examples: getRuntimeFieldResponse: $ref: '#/components/examples/Data_views_get_runtime_field_response' schema: type: object properties: data_view: type: object fields: items: type: object type: array description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Get a runtime field tags: - data views post: operationId: updateRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_field_name' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: updateRuntimeFieldRequest: $ref: '#/components/examples/Data_views_update_runtime_field_request' schema: type: object properties: runtimeField: description: | The runtime field definition object. You can update following fields: - `type` - `script` type: object required: - runtimeField required: true responses: '200': description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Update a runtime field tags: - data views /api/data_views/default: get: operationId: getDefaultDataViewDefault responses: '200': content: application/json: examples: getDefaultDataViewResponse: $ref: '#/components/examples/Data_views_get_default_data_view_response' schema: type: object properties: data_view_id: type: string description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Get the default data view tags: - data views post: operationId: setDefaultDatailViewDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: setDefaultDataViewRequest: $ref: '#/components/examples/Data_views_set_default_data_view_request' schema: type: object properties: data_view_id: description: | The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. nullable: true type: string force: default: false description: Update an existing default data view identifier. type: boolean required: - data_view_id required: true responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Set the default data view tags: - data views /api/data_views/swap_references: post: description: | Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended. operationId: swapDataViewsDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: swapDataViewRequest: $ref: '#/components/examples/Data_views_swap_data_view_request' schema: $ref: '#/components/schemas/Data_views_swap_data_view_request_object' required: true responses: '200': content: application/json: schema: type: object properties: deleteStatus: type: object properties: deletePerformed: type: boolean remainingRefs: type: integer result: items: type: object properties: id: description: A saved object identifier. type: string type: description: The saved object type. type: string type: array description: Indicates a successful call. summary: Swap saved object references tags: - data views /api/data_views/swap_references/_preview: post: description: | Preview the impact of swapping saved object references from one data view identifier to another. operationId: previewSwapDataViewsDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: previewSwapDataViewRequest: $ref: '#/components/examples/Data_views_preview_swap_data_view_request' schema: $ref: '#/components/schemas/Data_views_swap_data_view_request_object' required: true responses: '200': content: application/json: schema: type: object properties: result: items: type: object properties: id: description: A saved object identifier. type: string type: description: The saved object type. type: string type: array description: Indicates a successful call. summary: Preview a saved object reference swap tags: - data views /api/detection_engine/index: delete: operationId: DeleteAlertsIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: schema: type: string description: Index does not exist response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Delete an alerts index tags: - Security Detections API get: operationId: ReadAlertsIndex responses: '200': content: application/json: examples: success: value: index_mapping_outdated: false name: .alerts-security.alerts-default schema: type: object properties: index_mapping_outdated: nullable: true type: boolean name: type: string required: - name - index_mapping_outdated description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Reads the alert index name if it exists tags: - Security Detections API post: operationId: CreateAlertsIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Create an alerts index tags: - Security Detections API /api/detection_engine/privileges: get: description: | Retrieves whether or not the user is authenticated, and the user's Kibana space and index privileges, which determine if the user can create an index for the Elastic Security alerts generated by detection engine rules. operationId: ReadPrivileges responses: '200': content: application/json: examples: success: value: application: {} cluster: all: true manage: true manage_api_key: true manage_index_templates: true manage_ml: true manage_own_api_key: true manage_pipeline: true manage_security: true manage_transform: true monitor: true monitor_ml: true monitor_transform: true has_all_requested: true has_encryption_key: true index: .alerts-security.alerts-default: all: true create: true create_doc: true create_index: true delete: true delete_index: true index: true maintenance: true manage: true monitor: true read: true view_index_metadata: true write: true is_authenticated: true username: elastic schema: type: object properties: has_encryption_key: type: boolean is_authenticated: type: boolean required: - is_authenticated - has_encryption_key description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Returns user privileges for the Kibana space tags: - Security Detections API /api/detection_engine/rules: delete: description: | Delete a detection rule using the `rule_id` or `id` field. The URL query must include one of the following: * `id` - `DELETE /api/detection_engine/rules?id=` * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=` The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. operationId: DeleteRule parameters: - description: The rule's `id` value. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - description: The rule's `rule_id` value. in: query name: rule_id required: false schema: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Delete a detection rule tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl \ --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" get: description: | Retrieve a detection rule using the `rule_id` or `id` field. The URL query must include one of the following: * `id` - `GET /api/detection_engine/rules?id=` * `rule_id` - `GET /api/detection_engine/rules?rule_id=` The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. operationId: ReadRule parameters: - description: The rule's `id` value. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - description: The rule's `rule_id` value. in: query name: rule_id required: false schema: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' responses: '200': content: application/json: examples: example1: summary: Example response for a retrieved rule value: created_at: '2020-02-03T11:19:04.259Z' created_by: elastic description: Process started by MS Office program in user folder enabled: false execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: [] filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-4200s id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 immutable: false interval: 1h language: kuery max_signals: 100 name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: process.name type: keyword - ecs: true name: process.parent.name type: keyword risk_score: 21 rule_id: process_started_by_ms_office_user_folder setup: '' severity: low tags: - child process - ms office threat: - framework: MITRE ATT&CK tactic: id: TA0001 name: Initial Access reference: https://attack.mitre.org/tactics/TA0001 technique: - id: T1193 name: Spearphishing Attachment reference: https://attack.mitre.org/techniques/T1193 to: now-300s type: query updated_at: '2020-02-03T11:19:04.462Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: | Indicates a successful call. > info > These fields are under development and their usage or schema may change: execution_summary. summary: Retrieve a detection rule tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl \ --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \ --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" patch: description: | Update specific fields of an existing detection rule using the `rule_id` or `id` field. The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. operationId: PatchRule requestBody: content: application/json: examples: example1: summary: Patch query rule value: id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 name: New name example2: summary: Patch EQL rule value: rule_id: process_started_by_ms_office_program_possible_payload threat: - framework: MITRE ATT&CK tactic: id: TA0001 name: Initial Access reference: https://attack.mitre.org/tactics/TA0001 technique: - id: T1193 name: Spearphishing Attachment reference: https://attack.mitre.org/techniques/T1193 example3: summary: Patch threshold rule value: id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' threshold: cardinality: [] field: [] value: 600 example4: summary: Patch new terms rule value: history_window_start: now-3d id: 569aac91-40dc-4807-a8ae-a2c8698089c4 new_terms_fields: - Endpoint.policy.applied.artifacts.global.identifiers.name example5: summary: Patch esql rule value: id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd query: | FROM logs-abc* | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) | KEEP event_rate example6: summary: Patch indicator match rule value: id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' example7: summary: Patch machine learning rule value: anomaly_threshold: 50 id: 60b13926-289b-41b1-a537-197ef1fa5059 machine_learning_job_id: - auth_high_count_logon_events schema: $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' description: | > info > You cannot modify the `id` or `rule_id` values. required: true responses: '200': content: application/json: examples: example1: summary: Example response for an updated rule value: actions: [] created_at: '2020-04-07T14:51:09.755Z' created_by: elastic description: Updated description for the rule. enabled: false false_positives: [] filters: - query: null from: now-70m id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 immutable: false interval: 1h language: kuery max_signals: 100 name: Updated Rule Name query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 required_fields: - name: process.parent.name risk_score: 50 rule_id: process_started_by_ms_office_program setup: '' severity: low tags: - child process - ms office threat: [] to: now type: query updated_at: '2020-04-07T14:51:09.970Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Patch a detection rule tags: - Security Detections API post: description: | Create a new detection rule. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. You can create the following types of rules: * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value. For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. > info > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: ```json ... "job_id": "linux_anomalous_network_activity_ecs", "job_type": "anomaly_detector", "job_version": "7.7.0", "groups": [ "auditbeat", "process", "siem" ], ... ``` Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html). Each action type requires a connector. Connectors store the information required to send notifications via external systems. The following connector types are supported for rule notifications: * Slack * Email * PagerDuty * Webhook * Microsoft Teams * IBM Resilient * Jira * ServiceNow ITSM > info > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/guide/en/kibana/current/saved-objects-api-find.html) with `"type": "action"` in the request payload. For detailed information on Kibana actions and alerting, and additional API calls, see: * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) * [Alerting and Actions framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html) * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) operationId: CreateRule requestBody: content: application/json: examples: example1: description: Query rule that searches for processes started by MS Office summary: Query rule value: description: Process started by MS Office program - possible payload enabled: false filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-70m interval: 1h language: kuery name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE related_integrations: - package: o365 version: ^2.3.2 required_fields: - name: process.parent.name type: keyword risk_score: 50 rule_id: process_started_by_ms_office_program severity: low tags: - child process - ms office type: query example2: description: Threshold rule that detects multiple failed login attempts to a Windows host from the same external source IP address summary: Threshold rule value: description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. enabled: true exceptions_list: - id: int-ips namespace_type: single type: detection from: now-180s index: - winlogbeat-* interval: 2m name: Windows server prml-19 query: host.name:prml-19 and event.category:authentication and event.outcome:failure required_fields: - name: source.ip type: ip risk_score: 30 rule_id: liv-win-ser-logins severity: low severity_mapping: - field: source.geo.city_name operator: equals severity: low value: Manchester - field: source.geo.city_name operator: equals severity: medium value: London - field: source.geo.city_name operator: equals severity: high value: Birmingham - field: source.geo.city_name operator: equals severity: critical value: Wallingford tags: - Brute force threshold: field: source.ip value: 20 type: threshold example3: description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. summary: Machine learning rule value: actions: - action_type_id: .slack group: default id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 params: message: 'Urgent: {{context.rule.description}}' anomaly_threshold: 70 description: Generates alerts when the job discovers anomalies over 70 enabled: true from: now-6m interval: 5m machine_learning_job_id: linux_anomalous_network_activity_ecs name: Anomalous Linux network activity note: Shut down the internet. risk_score: 70 rule_id: ml_linux_network_high_threshold setup: This rule requires data coming in from Elastic Defend. severity: high tags: - machine learning - Linux type: machine_learning example4: description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections summary: EQL rule value: description: Unusual rundll32.exe network connection language: eql name: rundll32.exe network connection query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] required_fields: - name: event.type type: keyword - name: process.args type: keyword - name: process.args_count type: long - name: process.entity_id type: keyword - name: process.name type: keyword - name: process.pe.original_file_name type: keyword risk_score: 21 rule_id: eql-outbound-rundll32-connections severity: low tags: - EQL - Windows - rundll32.exe type: eql example5: description: | Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. summary: Indicator match rule value: actions: [] description: Checks for bad IP addresses listed in the ip-threat-list index index: - packetbeat-* name: Bad IP threat match query: destination.ip:* or host.ip:* required_fields: - name: destination.ip type: ip - name: destination.port type: long - name: host.ip type: ip risk_score: 50 severity: medium threat_index: - ip-threat-list threat_mapping: - entries: - field: destination.ip type: mapping value: destination.ip - field: destination.port type: mapping value: destination.port - entries: - field: source.ip type: mapping value: host.ip threat_query: '*:*' type: threat_match example6: description: New terms rule that creates alerts a new IP address is detected for a user summary: New terms rule value: description: Detects a user associated with a new IP address history_window_start: now-30d index: - auditbeat* language: kuery name: New User IP Detected new_terms_fields: - user.id - source.ip query: '*' required_fields: - name: user.id type: keyword - name: source.ip type: ip risk_score: 21 severity: medium type: new_terms example7: description: esql rule that creates alerts from events that match an Excel parent process summary: Esql rule value: description: Find Excel events enabled: false from: now-360s interval: 5m language: esql name: Find Excel events query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" required_fields: - name: process.parent.name type: keyword risk_score: 21 severity: low tags: [] to: now type: esql example8: description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period summary: Query rule 2 value: alert_suppression: duration: unit: h value: 5 group_by: - process.parent.name missing_fields_strategy: suppress description: Process started by MS Office program - possible payload enabled: false filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-70m interval: 1h language: kuery name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE risk_score: 50 rule_id: process_started_by_ms_office_program severity: low tags: - child process - ms office type: query schema: $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' required: true responses: '200': content: application/json: examples: example1: description: Example response for a query rule summary: Query rule response value: actions: [] created_at: '2020-04-07T14:51:09.755Z' created_by: elastic description: Process started by MS Office program - possible payload enabled: false false_positives: [] filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-70m id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 immutable: false interval: 1h language: kuery max_signals: 100 name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 version: ^2.3.2 - integration: graphactivitylogs package: azure version: ^1.11.4 required_fields: - ecs: true name: process.parent.name type: keyword risk_score: 50 rule_id: process_started_by_ms_office_program setup: '' severity: low tags: - child process - ms office threat: [] to: now type: query updated_at: '2020-04-07T14:51:09.970Z' updated_by: elastic version: 1 example2: description: Example response for a machine learning job rule summary: Machine learning response value: actions: - action_type_id: .slack frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 params: message: 'Urgent: {{context.rule.description}}' anomaly_threshold: 70 created_at: '2020-04-07T14:45:15.679Z' created_by: elastic description: Generates alerts when the job discovers anomalies over 70 enabled: true false_positives: [] from: now-6m id: 83876f66-3a57-4a99-bf37-416494c80f3b immutable: false interval: 5m machine_learning_job_id: linux_anomalous_network_activity_ecs max_signals: 100 name: Anomalous Linux network activity note: Shut down the internet. references: [] related_integrations: [] required_fields: [] risk_score: 70 rule_id: ml_linux_network_high_threshold setup: '' severity: high status: going to run status_date: '2020-04-07T14:45:21.685Z' tags: - machine learning - Linux threat: [] to: now type: machine_learning updated_at: '2020-04-07T14:45:15.892Z' updated_by: elastic version: 1 example3: description: Example response for a threshold rule summary: Threshold rule response value: actions: [] author: [] created_at: '2020-07-22T10:27:23.486Z' created_by: elastic description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. enabled: true exceptions_list: - id: int-ips namespace_type: single type: detection false_positives: [] from: now-180s id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 immutable: false index: - winlogbeat-* interval: 2m language: kuery max_signals: 100 name: Windows server prml-19 query: host.name:prml-19 and event.category:authentication and event.outcome:failure references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: source.ip type: ip risk_score: 30 risk_score_mapping: [] rule_id: liv-win-ser-logins setup: '' severity: low severity_mapping: - field: source.geo.city_name operator: equals severity: low value: Manchester - field: source.geo.city_name operator: equals severity: medium value: London - field: source.geo.city_name operator: equals severity: high value: Birmingham - field: source.geo.city_name operator: equals severity: critical value: Wallingford tags: - Brute force threat: [] threshold: field: source.ip value: 20 to: now type: threshold updated_at: '2020-07-22T10:27:23.673Z' updated_by: elastic version: 1 example4: description: Example response for an EQL rule summary: EQL rule response value: author: [] created_at: '2020-10-05T09:06:16.392Z' created_by: elastic description: Unusual rundll32.exe network connection enabled: true exceptions_list: [] false_positives: [] from: now-6m id: 93808cae-b05b-4dc9-8479-73574b50f8b1 immutable: false interval: 5m language: eql max_signals: 100 name: rundll32.exe network connection query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: event.type type: keyword - ecs: true name: process.args type: keyword - ecs: true name: process.args_count type: long - ecs: true name: process.entity_id type: keyword - ecs: true name: process.name type: keyword - ecs: true name: process.pe.original_file_name type: keyword risk_score: 21 risk_score_mapping: [] rule_id: eql-outbound-rundll32-connections setup: '' severity: low severity_mapping: [] tags: - EQL - Windows - rundll32.exe threat: [] throttle: no_actions to: now type: eql updated_at: '2020-10-05T09:06:16.403Z' updated_by: elastic version: 1 example5: description: Example response for an indicator match rule summary: Indicator match rule response value: author: [] created_at: '2020-10-06T07:07:58.227Z' created_by: elastic description: Checks for bad IP addresses listed in the ip-threat-list index enabled: true exceptions_list: [] false_positives: [] from: now-6m id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 immutable: false index: - packetbeat-* interval: 5m language: kuery max_signals: 100 name: Bad IP threat match query: destination.ip:* or host.ip:* references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: destination.ip type: ip - ecs: true name: destination.port type: long - ecs: true name: host.ip type: ip risk_score: 50 risk_score_mapping: [] rule_id: 608501e4-c768-4f64-9326-cec55b5d439b setup: '' severity: medium severity_mapping: [] tags: [] threat: [] threat_index: - ip-threat-list threat_mapping: - entries: - field: destination.ip type: mapping value: destination.ip - field: destination.port type: mapping value: destination.port - entries: - field: source.ip type: mapping value: host.ip threat_query: '*:*' to: now type: threat_match updated_at: '2020-10-06T07:07:58.237Z' updated_by: elastic version: 1 example6: description: Example response for a new terms rule summary: New terms rule response value: author: [] created_at: '2020-10-06T07:07:58.227Z' created_by: elastic description: Detects a user associated with a new IP address enabled: true exceptions_list: [] false_positives: [] from: now-6m history_window_start: now-30d id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 immutable: false index: - auditbeat* interval: 5m language: kuery max_signals: 100 name: New User IP Detected new_terms_fields: - user.id - source.ip query: '*' references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: user.id type: keyword - ecs: true name: source.ip type: ip risk_score: 21 risk_score_mapping: [] rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 setup: '' severity: medium severity_mapping: [] tags: [] threat: [] to: now type: new_terms updated_at: '2020-10-06T07:07:58.237Z' updated_by: elastic version: 1 example7: description: Example response for an Esql rule summary: Esql rule response value: actions: [] author: [] created_at: '2023-10-18T10:55:14.269Z' created_by: elastic description: Find Excel events enabled: false exceptions_list: [] false_positives: [] from: now-360s id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 immutable: false interval: 5m language: esql max_signals: 100 name: Find Excel events output_index: '' query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: process.parent.name type: keyword revision: 0 risk_score: 21 risk_score_mapping: [] rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 setup: '' severity: low severity_mapping: [] tags: [] threat: [] to: now type: esql updated_at: '2023-10-18T10:55:14.269Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Create a detection rule tags: - Security Detections API put: description: | Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted. The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. operationId: UpdateRule requestBody: content: application/json: examples: example1: summary: Update query rule value: description: A new description id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 name: A new name for the rule risk_score: 22 severity: medium type: query example2: summary: Update EQL rule value: description: eql rule test id: 9b684efb-acf9-4323-9bff-8335b3867d14 index: - apm-*-transaction* language: eql name: New name for EQL rule query: process where process.name == "regsvr32.exe" risk_score: 21 severity: low type: eql example3: summary: Update threshold rule value: description: Description of threat rule test id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 language: kuery name: New name for threat rule query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' risk_score: 21 severity: low tags: - new_tag threshold: cardinality: [] field: [] value: 400 type: threshold example4: summary: Update new terms rule value: description: New description history_window_start: now-7d id: 569aac91-40dc-4807-a8ae-a2c8698089c4 interval: 5m name: New terms rule name new_terms_fields: - Endpoint.policy.applied.artifacts.global.identifiers.name query: 'agent.version : "9.1.0"' risk_score: 21 severity: low type: new_terms example5: summary: Update esql rule value: description: New description for esql rule id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd language: esql name: New name for esql rule query: | FROM logs* | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ | KEEP event_rate risk_score: 21 severity: low type: esql example6: summary: Update indicator match rule value: description: New description id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd name: New name for Indicator Match rule query: source.ip:* or destination.ip:*\n risk_score: 99 severity: critical threat_index: - filebeat-* - logs-ti_* threat_mapping: - entries: - field: source.ip type: mapping value: threat.indicator.ip - entries: - field: destination.ip type: mapping value: threat.indicator.ip threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' type: threat_match example7: summary: Update machine learning rule value: anomaly_threshold: 50 description: New description of ml rule id: 60b13926-289b-41b1-a537-197ef1fa5059 machine_learning_job_id: - auth_high_count_logon_events name: New name of ml rule risk_score: 21 severity: low type: machine_learning schema: $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' description: | > info > All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. required: true responses: '200': content: application/json: examples: example1: summary: Example response for an updated rule value: actions: [] created_at: '2020-04-07T14:51:09.755Z' created_by: elastic description: Updated description for the rule. enabled: false false_positives: [] filters: - query: null from: now-70m id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 immutable: false interval: 1h language: kuery max_signals: 100 name: Updated Rule Name query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 required_fields: - name: process.parent.name risk_score: 50 rule_id: process_started_by_ms_office_program setup: '' severity: low tags: - child process - ms office threat: [] to: now type: query updated_at: '2020-04-07T14:51:09.970Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Update a detection rule tags: - Security Detections API /api/detection_engine/rules/_bulk_action: post: description: | Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions, for example removing an index pattern that is not specified in a rule will not result in any changes. The only exception is the `add_rule_actions` and `set_rule_actions` action, which is non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. operationId: PerformRulesBulkAction parameters: - description: | Enables dry run mode for the request call. Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. These updates won’t be written to Elasticsearch. > info > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. in: query name: dry_run required: false schema: type: boolean requestBody: content: application/json: examples: example01: description: The following request activates all rules with the test tag. summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' example02: description: The following request enables the rule with the specified ID. summary: Enable - Enable a specific rule by ID. value: action: enable ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example03: description: The following request disables the rule with the specified ID. summary: Disable - Disable a specific rule by ID value: action: disable ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example04: description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. summary: Duplicate - Duplicate rules with specific IDs value: action: duplicate duplicate: include_exceptions: true include_expired_exceptions: false ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - 461a4c22-416e-4009-a9a7-cf79656454bf example05: description: The following request deletes the rule with the specified ID. summary: Delete - Delete a specific rule by ID value: action: delete ids: - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 example06: description: The following request runs the rule with the specified ID within the given date range. summary: Run - Run a specific rule by ID value: action: run ids: - 748694f0-6977-4ea5-8384-cd2e39730779 run: end_date: '2025-03-10T23:59:59.999Z' start_date: '2025-03-01T00:00:00.000Z' example07: description: The following request exports the rules with the specified IDs. summary: Export - Export specific rules by ID value: action: export ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example08: description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true summary: Edit - dry run - Validate add_index_patterns bulk action value: action: edit edit: - type: add_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a - de8f5af0-0831-11ed-ac8b-05a222bd8d4a example09: description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. summary: Edit - Add a tag to rules (idempotent) value: action: edit edit: - type: add_tags value: - tag-1 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example10: description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. If the tags already exist for a rule, no changes are made. summary: Edit - Add two tags to rules (idempotent) value: action: edit edit: - type: add_tags value: - tag-1 - tag-2 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example11: description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. summary: Edit - Delete a tag from rules (idempotent) value: action: edit edit: - type: delete_tags value: - tag-1 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example12: description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: - type: set_tags value: - tag-1 - tag-2 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example13: description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: - type: add_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a example14: description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. summary: Edit - Remove index patterns from rules (idempotent) value: action: edit edit: - type: delete_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a example15: description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. summary: Edit - Set (overwrite existing) index patterns for rules patterns (idempotent) value: action: edit edit: - type: set_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a example16: description: The following request adds investigation field to the rules with the specified IDs. summary: Edit - Add investigation field to rules value: action: edit edit: - type: add_investigation_fields value: field_names: - alert.status ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example17: description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. summary: Edit - Delete investigation fields from rules (idempotent) value: action: edit edit: - type: delete_investigation_fields ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba value: - field1 - field2 example18: description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit edit: - type: set_investigation_fields value: - field1 - field2 ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example19: description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) value: action: edit edit: - type: set_timeline value: timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline ids: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b example20: description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. summary: Edit - Set (overwrite existing) schedule for rules (idempotent) value: action: edit edit: - type: set_schedule value: interval: 1h lookback: 30m ids: - 99887766-5544-3322-1100-aabbccddeeff example21: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules (non-idempotent) value: action: edit edit: - type: add_rule_actions value: actions: - group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: The message body ids: - 9e946bfc-3118-4c77-bb25-67d781191928 example22: description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit edit: - type: set_rule_actions value: actions: - group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: The message body ids: - 9e946bfc-3118-4c77-bb25-67d781191928 example23: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for a webhook connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: The message body ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example24: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for an email connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: message: The message body subject: Subject to: address@domain.com ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example25: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for a slack connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: message: The content of the message ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example26: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for a PagerDuty connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: eventAction: trigger severity: critical summary: The message body timestamp: '2023-10-31T00:00:00.000Z' ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example27: description: The following request set alert suppression to the rules with the specified IDs. summary: Edit - Set alert suppression to rules (idempotent) value: action: edit edit: - type: set_alert_suppression value: duration: unit: h value: 1 group_by: - source.ip missing_fields_strategy: suppress ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example28: description: The following request set alert suppression to threshold rules with the specified IDs. summary: Edit - Set alert suppression to threshold rules (idempotent) value: action: edit edit: - type: set_alert_suppression_for_threshold value: duration: unit: h value: 1 ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example29: description: The following request removes alert suppression from the rules with the specified IDs. If the rules do not have alert suppression, no changes are made. summary: Edit - Removes alert suppression from rules (idempotent) value: action: edit edit: - type: delete_alert_suppression ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example30: description: The following request triggers the filling of gaps for the specified rule ids and time range summary: Fill Gaps - Manually trigger the filling of gaps for specified rules value: action: fill_gaps ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - 164d0918-f720-4c9f-9f5c-c5122587cf19 run: end_date: '2025-03-10T23:59:59.999Z' start_date: '2025-03-01T00:00:00.000Z' schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleFillGaps' - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' responses: '200': content: application/json: examples: example01: description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. summary: Successful response value: attributes: results: created: [] deleted: [] skipped: - id: 51658332-a15e-4c9e-912a-67214e2e2359 name: Skipped rule skip_reason: RULE_NOT_MODIFIED updated: - anomaly_threshold: 50 author: - Elastic created_at: '2022-02-21T14:14:13.801Z' created_by: elastic description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. enabled: true exceptions_list: [] execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. from: now-45m id: 8bc7dad0-9320-11ec-9265-8b772383a08d immutable: false interval: 15m license: Elastic License v2 machine_learning_job_id: - packetbeat_dns_tunneling max_signals: 100 name: DNS Tunneling [Duplicate] references: - https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html related_integrations: [] required_fields: [] risk_score: 21 risk_score_mapping: [] rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 setup: '' severity: low severity_mapping: [] tags: - Elastic - Network - Threat Detection - ML threat: [] to: now type: machine_learning updated_at: '2022-02-21T17:05:50.883Z' updated_by: elastic version: 6 summary: failed: 0 skipped: 1 succeeded: 1 total: 2 rules_count: 1 success: true example02: description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). summary: Partial failure value: value: attributes: errors: - message: Index patterns can't be added. Machine learning rule doesn't have index patterns property rules: - id: 8bc7dad0-9320-11ec-9265-8b772383a08d name: DNS Tunneling [Duplicate] status_code: 500 results: created: [] deleted: [] skipped: [] updated: - actions: [] author: - Elastic created_at: '2022-02-21T14:14:17.883Z' created_by: elastic description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. enabled: true exceptions_list: [] execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: [] from: now-6m id: 8e5c1a40-9320-11ec-9265-8b772383a08d immutable: false index: - apm-*-transaction* - traces-apm* - auditbeat-* - filebeat-* - logs-* - packetbeat-* - winlogbeat-* - added-by-id-* interval: 5m language: kuery license: Elastic License v2 max_signals: 10000 name: External Alerts [Duplicate] query: | event.kind:alert and not event.module:(endgame or endpoint) references: [] related_integrations: [] required_fields: [] risk_score: 47 risk_score_mapping: - field: event.risk_score operator: equals value: '' rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 rule_name_override: message setup: '' severity: medium severity_mapping: - field: event.severity operator: equals severity: low value: '21' - field: event.severity operator: equals severity: medium value: '47' - field: event.severity operator: equals severity: high value: '73' - field: event.severity operator: equals severity: critical value: '99' tags: - Elastic - Network - Windows - APM - macOS - Linux threat: [] timestamp_override: event.ingested to: now type: query updated_at: '2022-02-21T16:56:22.818Z' updated_by: elastic version: 5 summary: failed: 1 skipped: 0 succeeded: 1 total: 2 message: Bulk edit partially failed rules_count: 2 status_code: 500 success: false example03: description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. summary: Dry run value: attributes: errors: - err_code: IMMUTABLE message: Elastic rule can't be edited rules: - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 name: Unusual AWS Command for a User status_code: 500 - err_code: MACHINE_LEARNING_INDEX_PATTERN message: Machine learning rule doesn't have index patterns rules: - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a name: Suspicious Powershell Script [Duplicate] status_code: 500 results: created: [] deleted: [] skipped: [] updated: [] summary: failed: 2 skipped: 0 succeeded: 1 total: 3 message: Bulk edit partially failed status_code: 500 example04: description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. summary: Set tags successsully for 2 rules value: attributes: results: created: [] deleted: [] skipped: [] updated: - actions: [] author: [] created_at: '2025-03-25T11:46:41.899Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-6m id: 738112cd-6cfa-414a-8457-2a658845d6ba immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 5m language: kuery license: '' max_signals: 100 meta: kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Rule 1 output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 1 risk_score: 21 risk_score_mapping: [] rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 threat: [] to: now type: query updated_at: '2025-03-25T11:47:11.350Z' updated_by: elastic version: 2 - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: Hello uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 author: [] created_at: '2025-03-25T09:49:08.343Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-360s id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 3m investigation_fields: field_names: - alert.status - Endpoint.policy.applied.artifacts.global.channel language: kuery license: '' max_signals: 100 meta: from: 3m kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Rule 2 output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 33 risk_score: 21 risk_score_mapping: [] rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 threat: [] timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline to: now type: query updated_at: '2025-03-25T11:47:11.357Z' updated_by: elastic version: 24 summary: failed: 0 skipped: 0 succeeded: 2 total: 2 rules_count: 2 success: true example05: description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. summary: Idempotent behavior of set_tags value: attributes: results: created: [] deleted: [] skipped: - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b name: Rule 1 skip_reason: RULE_NOT_MODIFIED - id: 738112cd-6cfa-414a-8457-2a658845d6ba name: Rule 2 skip_reason: RULE_NOT_MODIFIED updated: [] summary: failed: 0 skipped: 2 succeeded: 0 total: 2 rules_count: 2 success: true example06: description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. summary: Idempotent behavior of add_tags value: attributes: results: created: [] deleted: [] skipped: - id: 738112cd-6cfa-414a-8457-2a658845d6ba name: Test Rule 2 skip_reason: RULE_NOT_MODIFIED updated: - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: Hello uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 author: [] created_at: '2025-03-25T09:49:08.343Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-360s id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 3m investigation_fields: field_names: - alert.status - Endpoint.policy.applied.artifacts.global.channel language: kuery license: '' max_signals: 100 meta: from: 3m kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Test rule output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 34 risk_score: 21 risk_score_mapping: [] rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 - tag-4 threat: [] timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline to: now type: query updated_at: '2025-03-25T11:55:12.752Z' updated_by: elastic version: 25 summary: failed: 0 skipped: 1 succeeded: 1 total: 2 rules_count: 2 success: true example07: description: This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. summary: Non-idempotent behavior for set_rule_actions value: attributes: results: created: [] deleted: [] skipped: [] updated: - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: Hello uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 author: [] created_at: '2025-03-25T09:49:08.343Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-360s id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 3m investigation_fields: field_names: - alert.status - Endpoint.policy.applied.artifacts.global.channel language: kuery license: '' max_signals: 100 meta: from: 3m kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Test rule output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 39 risk_score: 21 risk_score_mapping: [] rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 - tag-4 threat: [] timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline to: now type: query updated_at: '2025-03-25T12:17:40.528Z' updated_by: elastic version: 30 summary: failed: 0 skipped: 0 succeeded: 1 total: 1 rules_count: 1 success: true example08: description: This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. summary: Non-idempotent behavior for add_rule_actions value: attributes: results: created: [] deleted: [] skipped: [] updated: - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 params: body: Message body uuid: 0309347e-3954-429c-9168-5da2663389af - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 params: body: Message body uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd author: [] created_at: '2025-04-02T12:42:03.400Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-6m id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 5m language: kuery license: '' max_signals: 100 meta: kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Jacek test rule output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 2 risk_score: 21 risk_score_mapping: [] rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: [] threat: [] to: now type: query updated_at: '2025-04-02T12:51:40.215Z' updated_by: elastic version: 2 summary: failed: 0 skipped: 0 succeeded: 1 total: 1 rules_count: 1 success: true schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' - $ref: '#/components/schemas/Security_Detections_API_BulkExportActionResponse' description: OK summary: Apply a bulk action to detection rules tags: - Security Detections API /api/detection_engine/rules/_export: post: description: | Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: - Actions - Exception lists > info > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. > You can use Kibana’s [Saved Objects](https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/guide/en/security/current/value-lists-exceptions.html#manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. operationId: ExportRules parameters: - description: Determines whether a summary of the exported rules is returned. in: query name: exclude_export_details required: false schema: default: false type: boolean - description: | File name for saving the exported rules. > info > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. in: query name: file_name required: false schema: default: export.ndjson type: string requestBody: content: application/json: schema: nullable: true type: object properties: objects: description: Array of `rule_id` fields. Exports all rules when unspecified. items: type: object properties: rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' required: - rule_id type: array required: - objects required: false responses: '200': content: application/ndjson: schema: description: | An `.ndjson` file containing the returned rules. Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. format: binary type: string description: Indicates a successful call. summary: Export detection rules tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d' { "objects": [ { "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900" }, { "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d" } ] } /api/detection_engine/rules/_find: get: description: Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page. operationId: FindRules parameters: - in: query name: fields required: false schema: items: type: string type: array - description: | Search query Filters the returned results according to the value of the specified field, using the alert.attributes.: syntax, where can be: - name - enabled - tags - createdBy - interval - updatedBy > info > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter. in: query name: filter required: false schema: type: string - description: Field to sort by in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - description: Sort order in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_Detections_API_SortOrder' - description: Page number in: query name: page required: false schema: default: 1 minimum: 1 type: integer - description: Rules per page in: query name: per_page required: false schema: default: 20 minimum: 0 type: integer - description: Gaps range start in: query name: gaps_range_start required: false schema: type: string - description: Gaps range end in: query name: gaps_range_end required: false schema: type: string responses: '200': content: application/json: examples: example1: value: data: - created_at: '2020-02-02T10:05:19.613Z' created_by: elastic description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. enabled: false execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: [] from: now-6m id: 89761517-fdb0-4223-b67b-7621acc48f9e immutable: true index: - winlogbeat-* interval: 5m language: kuery max_signals: 33 name: Windows Script Executing PowerShell query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: event.action type: keyword - ecs: true name: process.name type: keyword - ecs: true name: process.parent.name type: keyword risk_score: 21 rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc setup: '' severity: low tags: - Elastic - Windows threat: - framework: MITRE ATT&CK tactic: id: TA0002 name: Execution reference: https://attack.mitre.org/tactics/TA0002/ technique: - id: T1193 name: Spearphishing Attachment reference: https://attack.mitre.org/techniques/T1193/ to: now type: query updated_at: '2020-02-02T10:05:19.830Z' updated_by: elastic page: 1 perPage: 5 total: 4 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' type: array page: type: integer perPage: type: integer total: type: integer required: - page - perPage - total - data description: | Successful response > info > These fields are under development and their usage or schema may change: execution_summary. summary: List all detection rules tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' /api/detection_engine/rules/_import: post: description: | Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include: - The `Content-Type: multipart/form-data` HTTP header. - A link to the `.ndjson` file containing the rules. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. > info > To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for more information. > info > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. > You can use Kibana’s [Saved Objects](https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/guide/en/security/current/value-lists-exceptions.html#manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. operationId: ImportRules parameters: - description: Determines whether existing rules with the same `rule_id` are overwritten. in: query name: overwrite required: false schema: default: false type: boolean - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. in: query name: overwrite_exceptions required: false schema: default: false type: boolean - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. in: query name: overwrite_action_connectors required: false schema: default: false type: boolean - description: Generates a new list ID for each imported exception list. in: query name: as_new_list required: false schema: default: false type: boolean requestBody: content: multipart/form-data: schema: type: object properties: file: description: The `.ndjson` file containing the rules. format: binary type: string required: true responses: '200': content: application/json: examples: example1: summary: Import rules with success value: errors: [] exceptions_errors: [] exceptions_success: true exceptions_success_count: 0 rules_count: 1 success: true success_count: 1 schema: additionalProperties: false type: object properties: action_connectors_errors: items: $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' type: array action_connectors_success: type: boolean action_connectors_success_count: minimum: 0 type: integer action_connectors_warnings: items: $ref: '#/components/schemas/Security_Detections_API_WarningSchema' type: array errors: items: $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' type: array exceptions_errors: items: $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' type: array exceptions_success: type: boolean exceptions_success_count: minimum: 0 type: integer rules_count: minimum: 0 type: integer success: type: boolean success_count: minimum: 0 type: integer required: - exceptions_success - exceptions_success_count - exceptions_errors - rules_count - success - success_count - errors - action_connectors_errors - action_connectors_warnings - action_connectors_success - action_connectors_success_count description: Indicates a successful call. summary: Import detection rules tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl -X POST "/api/detection_engine/rules/_import" -u : -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@" /api/detection_engine/rules/{id}/exceptions: post: description: Create exception items that apply to a single detection rule. operationId: CreateRuleExceptionListItems parameters: - description: Detection rule's identifier examples: id: value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 in: path name: id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_RuleId' requestBody: content: application/json: schema: example: items: - description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware type: simple type: object properties: items: items: $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' type: array required: - items description: Rule exception items. required: true responses: '200': content: application/json: examples: ruleExceptionItems: value: - _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic schema: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' type: array description: Successful response '400': content: application/json: examples: badPayload: value: error: Bad Request message: Invalid request payload JSON format statusCode: 400 badRequest: value: error: Bad Request message: '[request params]: id: Invalid uuid' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: message: Unable to create exception-list status_code: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create rule exception items tags: - Security Exceptions API /api/detection_engine/rules/prepackaged: put: description: | Install and update all Elastic prebuilt detection rules and Timelines. This endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic. When you call this endpoint, it will: - Install any new prebuilt detection rules that are not currently installed in your system. - Update any existing prebuilt detection rules that have been modified or improved by Elastic. - Install any new prebuilt Timelines that are not currently installed in your system. - Update any existing prebuilt Timelines that have been modified or improved by Elastic. This ensures that your detection engine is always up-to-date with the latest rules and Timelines, providing you with the most current and effective threat detection capabilities. operationId: InstallPrebuiltRulesAndTimelines responses: '200': content: application/json: examples: example1: value: rules_installed: 112 rules_updated: 0 timelines_installed: 5 timelines_updated: 2 schema: additionalProperties: false type: object properties: rules_installed: description: The number of rules installed minimum: 0 type: integer rules_updated: description: The number of rules updated minimum: 0 type: integer timelines_installed: description: The number of timelines installed minimum: 0 type: integer timelines_updated: description: The number of timelines updated minimum: 0 type: integer required: - rules_installed - rules_updated - timelines_installed - timelines_updated description: Indicates a successful call summary: Install prebuilt detection rules and Timelines tags: - Security Detections API /api/detection_engine/rules/prepackaged/_status: get: description: | Retrieve the status of all Elastic prebuilt detection rules and Timelines. This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines. operationId: ReadPrebuiltRulesAndTimelinesStatus responses: '200': content: application/json: examples: example1: value: rules_custom_installed: 0 rules_installed: 0 rules_not_installed: 112 rules_not_updated: 0 timelines_installed: 0 timelines_not_installed: 0 timelines_not_updated: 0 schema: additionalProperties: false type: object properties: rules_custom_installed: description: The total number of custom rules minimum: 0 type: integer rules_installed: description: The total number of installed prebuilt rules minimum: 0 type: integer rules_not_installed: description: The total number of available prebuilt rules that are not installed minimum: 0 type: integer rules_not_updated: description: The total number of outdated prebuilt rules minimum: 0 type: integer timelines_installed: description: The total number of installed prebuilt timelines minimum: 0 type: integer timelines_not_installed: description: The total number of available prebuilt timelines that are not installed minimum: 0 type: integer timelines_not_updated: description: The total number of outdated prebuilt timelines minimum: 0 type: integer required: - rules_custom_installed - rules_installed - rules_not_installed - rules_not_updated - timelines_installed - timelines_not_installed - timelines_not_updated description: Indicates a successful call summary: Retrieve the status of prebuilt detection rules and Timelines tags: - Security Detections API /api/detection_engine/rules/preview: post: operationId: RulePreview parameters: - description: Enables logging and returning in response ES queries, performed during rule execution in: query name: enable_logged_requests required: false schema: type: boolean requestBody: content: application/json: schema: anyOf: - allOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' - allOf: - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams' discriminator: propertyName: type description: An object containing tags to add or remove and alert ids the changes will be applied required: true responses: '200': content: application/json: schema: type: object properties: isAborted: type: boolean logs: items: $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs' type: array previewId: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' required: - logs description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Preview rule alerts generated on specified time range tags: - Security Detections API /api/detection_engine/signals/assignees: post: description: | Assign users to detection alerts, and unassign them from alerts. > info > You cannot add and remove the same assignee in the same request. operationId: SetAlertAssignees requestBody: content: application/json: examples: add: value: assignees: add: - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 remove: [] ids: - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 remove: value: assignees: add: [] remove: - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0 ids: - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6 schema: type: object properties: assignees: $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' description: Details about the assignees to assign and unassign. ids: $ref: '#/components/schemas/Security_Detections_API_AlertIds' required: - assignees - ids required: true responses: '200': content: application/ndjson: examples: add: value: batches: 1, deleted: 0, failures: [] noops: 0, requests_per_second: '-1,' retries: - bulk: 0, - search: 0 throttled_millis: 0, throttled_until_millis: 0, timed_out: false, took: 76, total: 1, updated: 1, version_conflicts: 0, description: Indicates a successful call. '400': description: Invalid request. summary: Assign and unassign users from detection alerts tags: - Security Detections API /api/detection_engine/signals/finalize_migration: post: deprecated: true description: | Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, finalize it. operationId: FinalizeAlertsMigration requestBody: content: application/json: schema: example: migration_ids: - 924f7c50-505f-11eb-ae0a-3fa2e626a51d type: object properties: migration_ids: description: Array of `migration_id`s to finalize. items: type: string minItems: 1 type: array required: - migration_ids description: Array of `migration_id`s to finalize required: true responses: '200': content: application/json: examples: success: value: migrations: - completed: true destinationIndex: .siem-signals-default-000002-r000016 id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d sourceIndex: .siem-signals-default-000002 status: success updated: '2021-01-06T22:05:56.859Z' version: 16 schema: items: $ref: '#/components/schemas/Security_Detections_API_MigrationFinalizationResult' type: array description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Finalize detection alert migrations tags: - Security Detections API /api/detection_engine/signals/migration: delete: deprecated: true description: | Migrations favor data integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted. While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation. operationId: AlertsMigrationCleanup requestBody: content: application/json: schema: example: migration_ids: - 924f7c50-505f-11eb-ae0a-3fa2e626a51d type: object properties: migration_ids: description: Array of `migration_id`s to cleanup. items: type: string minItems: 1 type: array required: - migration_ids description: Array of `migration_id`s to cleanup required: true responses: '200': content: application/json: examples: success: value: migrations: - destinationIndex: .siem-signals-default-000002-r000016 id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d sourceIndex: .siem-signals-default-000002 status: success updated: '2021-01-06T22:05:56.859Z' version: 16 schema: items: $ref: '#/components/schemas/Security_Detections_API_MigrationCleanupResult' type: array description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Clean up detection alert migrations tags: - Security Detections API post: deprecated: true description: | Initiate a migration of detection alerts. Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly. operationId: CreateAlertsMigration requestBody: content: application/json: examples: singleIndex: value: index: - .siem-signals-default-000001 schema: allOf: - type: object properties: index: description: Array of index names to migrate. items: format: nonempty minLength: 1 type: string minItems: 1 type: array required: - index - $ref: '#/components/schemas/Security_Detections_API_AlertsReindexOptions' description: Alerts migration parameters required: true responses: '200': content: application/json: examples: success: value: indices: - index: .siem-signals-default-000001, migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d migration_index: .siem-signals-default-000001-r000016 schema: type: object properties: indices: items: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess' - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationError' - $ref: '#/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration' type: array required: - indices description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Initiate a detection alert migration tags: - Security Detections API /api/detection_engine/signals/migration_status: get: deprecated: true description: Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. operationId: ReadAlertsMigrationStatus parameters: - description: Maximum age of qualifying detection alerts in: query name: from required: true schema: description: | Time from which data is analyzed. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). example: now-30d format: date-math type: string responses: '200': content: application/json: examples: success: value: indices: - index: .siem-signals-default-000002 is_outdated: true migrations: - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d status: pending updated: '2021-01-06T20:41:37.173Z' version: 16 signal_versions: - count: 100 version: 15 - count: 87 version: 16 version: 15 - index: .siem-signals-default-000003 is_outdated: false migrations: [] signal_versions: - count: 54 version: 16 version: 16 schema: type: object properties: indices: items: $ref: '#/components/schemas/Security_Detections_API_IndexMigrationStatus' type: array required: - indices description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Retrieve the status of detection alert migrations tags: - Security Detections API /api/detection_engine/signals/search: post: description: Find and/or aggregate detection alerts that match the given query. operationId: SearchAlerts requestBody: content: application/json: examples: query: value: aggs: alertsByGrouping: terms: field: host.name size: 10 missingFields: missing: field: host.name query: bool: filter: - bool: filter: - match_phrase: kibana.alert.workflow_status: open must: [] must_not: - exists: field: kibana.alert.building_block_type should: [] - range: '@timestamp': gte: '2025-01-17T08:00:00.000Z' lte: '2025-01-18T07:59:59.999Z' runtime_mappings: {} size: 0 schema: description: Elasticsearch query and aggregation request type: object properties: _source: oneOf: - type: boolean - type: string - items: type: string type: array aggs: additionalProperties: true type: object fields: items: type: string type: array query: additionalProperties: true type: object runtime_mappings: additionalProperties: true type: object size: minimum: 0 type: integer sort: $ref: '#/components/schemas/Security_Detections_API_AlertsSort' track_total_hits: type: boolean description: Search and/or aggregation query required: true responses: '200': content: application/json: examples: success: value: _shards: failed: 0 skipped: 0 successful: 1 total: 1 aggregations: alertsByGrouping: buckets: - doc_count: 5 key: Host-f43kkddfyc doc_count_error_upper_bound: 0 sum_other_doc_count: 0 missingFields: doc_count: 0 hits: hits: [] max_score: null total: relation: eq value: 5 timed_out: false took: 0 schema: additionalProperties: true description: Elasticsearch search response type: object description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Find and/or aggregate detection alerts tags: - Security Detections API /api/detection_engine/signals/status: post: description: Set the status of one or more detection alerts. operationId: SetAlertsStatus requestBody: content: application/json: examples: byId: value: signal_ids: - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 status: closed byQuery: value: conflicts: proceed query: bool: filter: - '@timestamp': format: strict_date_optional_time gte: '2024-10-23T07:00:00.000Z' lte: '2025-01-21T20:12:11.704Z' range: null - bool: filter: bool: filter: - match_phrase: kibana.alert.workflow_status: open - '@timestamp': format: strict_date_optional_time gte: '2024-10-23T07:00:00.000Z' lte: '2025-01-21T20:12:11.704Z' range: null must: [] must_not: - exists: field: kibana.alert.building_block_type should: [] must: [] must_not: [] should: [] status: closed schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' description: An object containing desired status and explicit alert ids or a query to select alerts required: true responses: '200': content: application/json: examples: byId: value: batches: 1 deleted: 0 failures: [] noops: 0 requests_per_second: -1 retries: bulk: 0 search: 0 throttled_millis: 0 throttled_until_millis: 0 timed_out: false took: 81 total: 1 updated: 1 version_conflicts: 0 byQuery: value: batches: 1 deleted: 0 failures: [] noops: 0 requests_per_second: -1 retries: bulk: 0 search: 0 throttled_millis: 0 throttled_until_millis: 0 timed_out: false took: 100 total: 17 updated: 17 version_conflicts: 0 schema: additionalProperties: true description: Elasticsearch update by query response type: object description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Set a detection alert status tags: - Security Detections API /api/detection_engine/signals/tags: post: description: | And tags to detection alerts, and remove them from alerts. > info > You cannot add and remove the same alert tag in the same request. operationId: SetAlertTags requestBody: content: application/json: examples: add: value: ids: - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e tags: tags_to_add: - Duplicate tags_to_remove: [] remove: value: ids: - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e tags: tags_to_add: [] tags_to_remove: - Duplicate schema: type: object properties: ids: $ref: '#/components/schemas/Security_Detections_API_AlertIds' tags: $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' required: - ids - tags description: An object containing tags to add or remove and alert ids the changes will be applied required: true responses: '200': content: application/json: examples: success: value: batches: 1, deleted: 0, failures: [] noops: 0, requests_per_second: '-1,' retries: bulk: 0, search: 0 throttled_millis: 0, throttled_until_millis: 0, timed_out: false, took: 68, total: 1, updated: 1, version_conflicts: 0, schema: additionalProperties: true description: Elasticsearch update by query response type: object description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Add and remove detection alert tags tags: - Security Detections API /api/detection_engine/tags: get: description: List all unique tags from all detection rules. operationId: ReadTags responses: '200': content: application/json: examples: example1: value: - zeek - suricata - windows - linux - network - initial access - remote access - phishing schema: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' description: Indicates a successful call summary: List all detection rule tags tags: - Security Detections API /api/encrypted_saved_objects/_rotate_key: post: description: | Superuser role required. If a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most of the cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. operationId: rotateEncryptionKey parameters: - description: | Specifies a maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consequent batches. By default, the batch size is 10000, which is also a maximum allowed value. in: query name: batch_size required: false schema: default: 10000 type: number - description: | Limits encryption key rotation only to the saved objects with the specified type. By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes. in: query name: type required: false schema: type: string responses: '200': content: application/json: examples: rotateEncryptionKeyResponse: $ref: '#/components/examples/Saved_objects_key_rotation_response' schema: type: object properties: failed: description: | Indicates the number of the saved objects that were still encrypted with one of the old encryption keys that Kibana failed to re-encrypt with the primary key. type: number successful: description: | Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. NOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that Kibana may not need or may not be able to rotate encryption keys for all encrypted saved objects. type: number total: description: | Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. type: number description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request '429': content: application/json: schema: type: object description: Already in progress. summary: Rotate a key for encrypted saved objects tags: - saved objects /api/endpoint_list: post: description: Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned. operationId: CreateEndpointList responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Create an endpoint exception list tags: - Security Endpoint Exceptions API /api/endpoint_list/items: delete: description: Delete an endpoint exception list item using the `id` or `item_id` field. operationId: DeleteEndpointListItem parameters: - description: Either `id` or `item_id` must be specified in: query name: id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Delete an endpoint exception list item tags: - Security Endpoint Exceptions API get: description: Get the details of an endpoint exception list item using the `id` or `item_id` field. operationId: ReadEndpointListItem parameters: - description: Either `id` or `item_id` must be specified in: query name: id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' responses: '200': content: application/json: schema: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem' type: array description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Get an endpoint exception list item tags: - Security Endpoint Exceptions API post: description: Create an endpoint exception list item, and associate it with the endpoint exception list. operationId: CreateEndpointListItem requestBody: content: application/json: schema: type: object properties: comments: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' item_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' os_types: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' default: [] type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' required: - type - name - description - entries description: Exception list item's properties required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '409': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item already exists '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Create an endpoint exception list item tags: - Security Endpoint Exceptions API put: description: Update an endpoint exception list item using the `id` or `item_id` field. operationId: UpdateEndpointListItem requestBody: content: application/json: schema: type: object properties: _version: type: string comments: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' description: Either `id` or `item_id` must be specified item_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' description: Either `id` or `item_id` must be specified meta: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' os_types: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' required: - type - name - description - entries description: Exception list item's properties required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Update an endpoint exception list item tags: - Security Endpoint Exceptions API /api/endpoint_list/items/_find: get: description: Get a list of all endpoint exception list items. operationId: FindEndpointListItems parameters: - description: | Filters the returned results according to the value of the specified field, using the `:` syntax. in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter' - description: The page number to return in: query name: page required: false schema: minimum: 0 type: integer - description: The number of exception list items to return per page in: query name: per_page required: false schema: minimum: 0 type: integer - description: Determines which field is used to sort the results in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - description: Determines the sort order, which can be `desc` or `asc` in: query name: sort_order required: false schema: enum: - desc - asc type: string responses: '200': content: application/json: schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem' type: array page: minimum: 0 type: integer per_page: minimum: 0 type: integer pit: type: string total: minimum: 0 type: integer required: - data - page - per_page - total description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Get endpoint exception list items tags: - Security Endpoint Exceptions API /api/endpoint/action: get: description: Get a list of all response actions. operationId: EndpointGetActionsList parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - in: query name: commands required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - in: query name: agentIds required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - in: query name: userIds required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - in: query name: startDate required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - in: query name: endDate required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - in: query name: agentTypes required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - in: query name: withOutputs required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - in: query name: types required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' description: OK summary: Get response actions tags: - Security Endpoint Management API /api/endpoint/action_status: get: description: Get the status of response actions for the specified agent IDs. operationId: EndpointGetActionsStatus parameters: - in: query name: query required: true schema: type: object properties: agent_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' description: OK summary: Get response actions status tags: - Security Endpoint Management API /api/endpoint/action/{action_id}: get: description: Get the details of a response action using the action ID. operationId: EndpointGetActionsDetails parameters: - in: path name: action_id required: true schema: description: The ID of the action to retrieve. example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse' description: OK summary: Get action details tags: - Security Endpoint Management API /api/endpoint/action/{action_id}/file/{file_id}: get: description: Get information for the specified file using the file ID. operationId: EndpointFileInfo parameters: - in: path name: action_id required: true schema: type: string - in: path name: file_id required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Get file information tags: - Security Endpoint Management API /api/endpoint/action/{action_id}/file/{file_id}/download: get: description: Download a file from an endpoint. operationId: EndpointFileDownload parameters: - in: path name: action_id required: true schema: type: string - in: path name: file_id required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Download a file tags: - Security Endpoint Management API /api/endpoint/action/execute: post: description: Run a shell command on an endpoint. operationId: EndpointExecuteAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse' description: OK summary: Run a command tags: - Security Endpoint Management API /api/endpoint/action/get_file: post: description: Get a file from an endpoint. operationId: EndpointGetFileAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse' description: OK summary: Get a file tags: - Security Endpoint Management API /api/endpoint/action/isolate: post: description: Isolate an endpoint from the network. The endpoint remains isolated until it's released. operationId: EndpointIsolateAction requestBody: content: application/json: examples: multiple_endpoints: summary: Isolates several hosts; includes a comment value: comment: Locked down, pending further investigation endpoint_ids: - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - fa89271b-b9d4-43f2-a684-307cffddeb5a single_endpoint: summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 value: endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 with_case_id: summary: Isolates a single host with a case_id value of 1234 value: case_ids: - 4976be38-c134-4554-bd5e-0fd89ce63667 comment: Isolating as initial response endpoint_ids: - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - b30a11bf-1395-4707-b508-fbb45ef9793e schema: type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: - Security Endpoint Management API /api/endpoint/action/kill_process: post: description: Terminate a running process on an endpoint. operationId: EndpointKillProcessAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse' description: OK summary: Terminate a process tags: - Security Endpoint Management API /api/endpoint/action/running_procs: post: description: Get a list of all processes running on an endpoint. operationId: EndpointGetProcessesAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse' description: OK summary: Get running processes tags: - Security Endpoint Management API /api/endpoint/action/runscript: post: description: Run a shell command on an endpoint. operationId: RunScriptAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Run a script tags: - Security Endpoint Management API /api/endpoint/action/scan: post: description: Scan a specific file or directory on an endpoint for malware. operationId: EndpointScanAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse' description: OK summary: Scan a file or directory tags: - Security Endpoint Management API /api/endpoint/action/state: get: description: Get a response actions state, which reports whether encryption is enabled. operationId: EndpointGetActionsState responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' description: OK summary: Get actions state tags: - Security Endpoint Management API /api/endpoint/action/suspend_process: post: description: Suspend a running process on an endpoint. operationId: EndpointSuspendProcessAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: - Security Endpoint Management API /api/endpoint/action/unisolate: post: description: Release an isolated endpoint, allowing it to rejoin a network. operationId: EndpointUnisolateAction requestBody: content: application/json: examples: multipleHosts: summary: 'Releases several hosts; includes a comment:' value: comment: Benign process identified, releasing group endpoint_ids: - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - fa89271b-b9d4-43f2-a684-307cffddeb5a singleHost: summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 value: endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 withCaseId: summary: Releases hosts with an associated case; includes a comment. value: case_ids: - 4976be38-c134-4554-bd5e-0fd89ce63667 comment: Remediation complete, restoring network endpoint_ids: - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - b30a11bf-1395-4707-b508-fbb45ef9793e schema: type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: - Security Endpoint Management API /api/endpoint/action/upload: post: description: Upload a file to an endpoint. operationId: EndpointUploadAction requestBody: content: multipart/form-data: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse' description: OK summary: Upload a file tags: - Security Endpoint Management API /api/endpoint/metadata: get: operationId: GetEndpointMetadataList parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - in: query name: kuery required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - in: query name: hostStatuses required: true schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - in: query name: sortField required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - in: query name: sortDirection required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' description: OK summary: Get a metadata list tags: - Security Endpoint Management API /api/endpoint/metadata/{id}: get: operationId: GetEndpointMetadata parameters: - in: path name: id required: true schema: example: ed518850-681a-4d60-bb98-e22640cae2a8 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' description: OK summary: Get metadata tags: - Security Endpoint Management API /api/endpoint/policy_response: get: operationId: GetPolicyResponse parameters: - in: query name: query required: true schema: type: object properties: agentId: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Get a policy response tags: - Security Endpoint Management API /api/endpoint/protection_updates_note/{package_policy_id}: get: operationId: GetProtectionUpdatesNote parameters: - in: path name: package_policy_id required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' description: OK summary: Get a protection updates note tags: - Security Endpoint Management API post: operationId: CreateUpdateProtectionUpdatesNote parameters: - in: path name: package_policy_id required: true schema: type: string requestBody: content: application/json: schema: type: object properties: note: type: string required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' description: OK summary: Create or update a protection updates note tags: - Security Endpoint Management API /api/entity_analytics/monitoring/engine/init: post: operationId: InitMonitoringEngine responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringEngineDescriptor' description: Successful response summary: Initialize the Privilege Monitoring Engine tags: - Security Entity Analytics API /api/entity_analytics/monitoring/privileges/health: get: operationId: PrivMonHealth responses: '200': content: application/json: schema: type: object properties: error: type: object properties: message: type: string required: - status status: oneOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' - enum: - not_found type: string required: - status description: Successful response summary: Health check on Privilege Monitoring tags: - Security Entity Analytics API /api/entity_analytics/monitoring/users: post: operationId: CreatePrivMonUser requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_UserName' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' description: User created successfully summary: Create a new monitored user tags: - Security Entity Analytics API /api/entity_analytics/monitoring/users/_csv: post: operationId: PrivmonBulkUploadUsersCSV requestBody: content: multipart/form-data: schema: type: object properties: file: description: The CSV file to upload. format: binary type: string required: - file responses: '200': content: application/json: schema: example: errors: - index: 1 message: Invalid monitored field username: john.doe stats: failed: 1 successful: 1 total: 2 type: object properties: errors: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem' type: array stats: $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivmonUserCsvUploadStats' required: - errors - stats description: Bulk upload successful '413': description: File too large summary: Upsert multiple monitored users via CSV upload tags: - Security Entity Analytics API /api/entity_analytics/monitoring/users/{id}: delete: operationId: DeletePrivMonUser parameters: - in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: type: object properties: aknowledged: description: Indicates if the deletion was successful type: boolean message: description: A message providing additional information about the deletion status type: string required: - success description: User deleted successfully summary: Delete a monitored user tags: - Security Entity Analytics API put: operationId: UpdatePrivMonUser parameters: - in: path name: id required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' description: User updated successfully summary: Update a monitored user tags: - Security Entity Analytics API /api/entity_analytics/monitoring/users/list: get: operationId: ListPrivMonUsers parameters: - description: KQL query to filter the list of monitored users in: query name: kql required: false schema: type: string responses: '200': content: application/json: schema: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserDoc' type: array description: List of monitored users summary: List all monitored users tags: - Security Entity Analytics API /api/entity_analytics/privileged_user_monitoring/pad/install: post: operationId: InstallPrivilegedAccessDetectionPackage responses: '200': content: application/json: schema: type: object properties: message: type: string required: - message description: Successful response summary: Installs the privileged access detection package for the Entity Analytics privileged user monitoring experience tags: - Security Entity Analytics API /api/entity_analytics/privileged_user_monitoring/pad/status: get: operationId: GetPrivilegedAccessDetectionPackageStatus responses: '200': content: application/json: schema: type: object properties: jobs: items: type: object properties: description: type: string job_id: type: string state: enum: - closing - closed - opened - failed - opening type: string required: - job_id - state type: array ml_module_setup_status: enum: - complete - incomplete type: string package_installation_status: enum: - complete - incomplete type: string required: - package_installation_status - ml_module_setup_status - jobs description: Privileged access detection status retrieved summary: Gets the status of the privileged access detection package for the Entity Analytics privileged user monitoring experience tags: - Security Entity Analytics API /api/entity_store/enable: post: operationId: InitEntityStore requestBody: content: application/json: schema: type: object properties: delay: default: 1m description: The delay before the transform will run. pattern: '[smdh]$' type: string docsPerSecond: description: The number of documents per second to process. type: integer enrichPolicyExecutionInterval: $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' entityTypes: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' type: array fieldHistoryLength: default: 10 description: The number of historical values to keep for each field. type: integer filter: type: string frequency: default: 1m description: The frequency at which the transform will run. pattern: '[smdh]$' type: string indexPattern: $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' lookbackPeriod: default: 24h description: The amount of time the transform looks back to calculate the aggregations. pattern: '[smdh]$' type: string timeout: default: 180s description: The timeout for initializing the aggregating transform. pattern: '[smdh]$' type: string timestampField: default: '@timestamp' description: The field to use as the timestamp. type: string description: Schema for the entity store initialization required: true responses: '200': content: application/json: schema: type: object properties: engines: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' type: array succeeded: type: boolean description: Successful response '400': description: Invalid request summary: Initialize the Entity Store tags: - Security Entity Analytics API /api/entity_store/engines: get: operationId: ListEntityEngines responses: '200': content: application/json: schema: type: object properties: count: type: integer engines: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' type: array description: Successful response summary: List the Entity Engines tags: - Security Entity Analytics API /api/entity_store/engines/{entityType}: delete: operationId: DeleteEntityEngine parameters: - description: The entity type of the engine (either 'user' or 'host'). in: path name: entityType required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - description: Control flag to also delete the entity data. in: query name: data required: false schema: type: boolean responses: '200': content: application/json: schema: type: object properties: deleted: type: boolean description: Successful response summary: Delete the Entity Engine tags: - Security Entity Analytics API get: operationId: GetEntityEngine parameters: - description: The entity type of the engine (either 'user' or 'host'). in: path name: entityType required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' description: Successful response summary: Get an Entity Engine tags: - Security Entity Analytics API /api/entity_store/engines/{entityType}/init: post: operationId: InitEntityEngine parameters: - description: The entity type of the engine (either 'user' or 'host'). in: path name: entityType required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' requestBody: content: application/json: schema: type: object properties: delay: default: 1m description: The delay before the transform will run. pattern: '[smdh]$' type: string docsPerSecond: description: The number of documents per second to process. type: integer enrichPolicyExecutionInterval: $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' fieldHistoryLength: default: 10 description: The number of historical values to keep for each field. type: integer filter: type: string frequency: default: 1m description: The frequency at which the transform will run. pattern: '[smdh]$' type: string indexPattern: $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' lookbackPeriod: default: 24h description: The amount of time the transform looks back to calculate the aggregations. pattern: '[smdh]$' type: string timeout: default: 180s description: The timeout for initializing the aggregating transform. pattern: '[smdh]$' type: string timestampField: default: '@timestamp' description: The field to use as the timestamp for the entity type. type: string description: Schema for the engine initialization required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' description: Successful response '400': description: Invalid request summary: Initialize an Entity Engine tags: - Security Entity Analytics API /api/entity_store/engines/{entityType}/start: post: operationId: StartEntityEngine parameters: - description: The entity type of the engine in: path name: entityType required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: application/json: schema: type: object properties: started: type: boolean description: Successful response summary: Start an Entity Engine tags: - Security Entity Analytics API /api/entity_store/engines/{entityType}/stop: post: operationId: StopEntityEngine parameters: - description: The entity type of the engine (either 'user' or 'host'). in: path name: entityType required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: application/json: schema: type: object properties: stopped: type: boolean description: Successful response summary: Stop an Entity Engine tags: - Security Entity Analytics API /api/entity_store/engines/apply_dataview_indices: post: operationId: ApplyEntityEngineDataviewIndices responses: '200': content: application/json: schema: type: object properties: result: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' type: array success: type: boolean description: Successful response '207': content: application/json: schema: type: object properties: errors: items: type: string type: array result: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' type: array success: type: boolean description: Partial successful response '500': content: application/json: schema: type: object properties: body: type: string statusCode: type: number description: Error response summary: Apply DataView indices to all installed engines tags: - Security Entity Analytics API /api/entity_store/entities/list: get: description: List entities records, paging, sorting and filtering as needed. operationId: ListEntities parameters: - in: query name: sort_field required: false schema: type: string - in: query name: sort_order required: false schema: enum: - asc - desc type: string - in: query name: page required: false schema: minimum: 1 type: integer - in: query name: per_page required: false schema: maximum: 10000 minimum: 1 type: integer - description: An ES query to filter by. in: query name: filterQuery required: false schema: type: string - in: query name: entity_types required: true schema: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' type: array responses: '200': content: application/json: schema: type: object properties: inspect: $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery' page: minimum: 1 type: integer per_page: maximum: 1000 minimum: 1 type: integer records: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' type: array total: minimum: 0 type: integer required: - records - page - per_page - total description: Entities returned successfully summary: List Entity Store Entities tags: - Security Entity Analytics API /api/entity_store/status: get: operationId: GetEntityStoreStatus parameters: - description: If true returns a detailed status of the engine including all it's components in: query name: include_components schema: type: boolean responses: '200': content: application/json: schema: type: object properties: engines: items: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - type: object properties: components: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus' type: array type: array status: $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus' required: - status - engines description: Successful response summary: Get the status of the Entity Store tags: - Security Entity Analytics API /api/exception_lists: delete: description: Delete an exception list using the `id` or `list_id` field. operationId: DeleteExceptionList parameters: - description: Exception list's identifier. Either `id` or `list_id` must be specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. examples: autogeneratedId: value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 list_id: value: simple_list in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: detectionExceptionList: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list list_id: "foo" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Delete an exception list tags: - Security Exceptions API get: description: Get the details of an exception list using the `id` or `list_id` field. operationId: ReadExceptionList parameters: - description: Exception list's identifier. Either `id` or `list_id` must be specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: detectionType: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get exception list details tags: - Security Exceptions API post: description: | An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. > info > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. operationId: CreateExceptionList requestBody: content: application/json: schema: example: description: This is a sample detection type exception list. list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware type: detection type: object properties: description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' default: [] type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' version: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' default: 1 required: - name - description - type description: Exception list's properties required: true responses: '200': content: application/json: examples: autogeneratedListId: value: _version: WzMsMV0= created_at: '2025-01-09T01:05:23.019Z' created_by: elastic description: This is a sample detection type exception with an autogenerated list_id. id: 28243c2f-624a-4443-823d-c0b894880931 immutable: false list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 name: Sample Detection Exception List namespace_type: single os_types: [] tags: - malware tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 type: detection updated_at: '2025-01-09T01:05:23.020Z' updated_by: elastic version: 1 namespaceAgnostic: value: _version: WzUsMV0= created_at: '2025-01-09T01:10:36.369Z' created_by: elastic description: This is a sample agnostic endpoint type exception. id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 immutable: false list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 name: Sample Agnostic Endpoint Exception List namespace_type: agnostic os_types: - linux tags: - malware tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 type: endpoint updated_at: '2025-01-09T01:10:36.369Z' updated_by: elastic version: 1 typeDetection: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 typeEndpoint: value: _version: WzQsMV0= created_at: '2025-01-09T01:07:49.658Z' created_by: elastic description: This is a sample endpoint type exception list. id: a79f4730-6e32-4278-abfc-349c0add7d54 immutable: false list_id: endpoint_list name: Sample Endpoint Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee type: endpoint updated_at: '2025-01-09T01:07:49.658Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'exception list id: "simple_list" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create an exception list tags: - Security Exceptions API put: description: Update an exception list using the `id` or `list_id` field. operationId: UpdateExceptionList requestBody: content: application/json: schema: example: description: Different description list_id: simple_list name: Updated exception list name os_types: - linux tags: - draft malware type: detection type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' version: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' required: - name - description - type description: Exception list's properties required: true responses: '200': content: application/json: examples: simpleList: value: _version: WzExLDFd created_at: '2025-01-07T20:43:55.264Z' created_by: elastic description: Different description id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 immutable: false list_id: simple_list name: Updated exception list name namespace_type: single os_types: [] tags: - draft malware tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f type: detection updated_at: '2025-01-07T21:32:03.726Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Update an exception list tags: - Security Exceptions API /api/exception_lists/_duplicate: post: description: Duplicate an existing exception list. operationId: DuplicateExceptionList parameters: - in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. in: query name: include_expired_exceptions required: true schema: default: 'true' enum: - 'true' - 'false' example: true type: string responses: '200': content: application/json: examples: detectionExceptionList: value: _version: WzExNDY1LDFd created_at: '2025-01-09T16:19:50.280Z' created_by: elastic description: This is a sample detection type exception id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 immutable: false list_id: d6390d60-bce3-4a48-9002-52db600f329c name: Sample Detection Exception List [Duplicate] namespace_type: single os_types: [] tags: - malware tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 type: detection updated_at: '2025-01-09T16:19:50.280Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type: Invalid enum value. Expected ''agnostic'' | ''single'', received ''foo''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Exception list not found '405': content: application/json: schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list to duplicate not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Duplicate an exception list tags: - Security Exceptions API /api/exception_lists/_export: post: description: Export an exception list and its associated items to an NDJSON file. operationId: ExportExceptionList parameters: - in: query name: id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. example: true in: query name: include_expired_exceptions required: true schema: default: 'true' enum: - 'true' - 'false' type: string responses: '200': content: application/ndjson: examples: exportSavedObjectsResponse: value: | {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} schema: description: A `.ndjson` file containing specified exception list and its items format: binary type: string description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: list_id: Required, namespace_type: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Export an exception list tags: - Security Exceptions API /api/exception_lists/_find: get: description: Get a list of all exception list containers. operationId: FindExceptionLists parameters: - description: | Filters the returned results according to the value of the specified field. Uses the `so type.field name:field` value syntax, where `so type` can be: - `exception-list`: Specify a space-aware exception list. - `exception-list-agnostic`: Specify an exception list that is shared across spaces. in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' - description: | Determines whether the returned containers are Kibana associated with a Kibana space or available in all spaces (`agnostic` or `single`) examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: default: - single items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' type: array - description: The page number to return in: query name: page required: false schema: example: 1 minimum: 1 type: integer - description: The number of exception lists to return per page in: query name: per_page required: false schema: example: 20 minimum: 1 type: integer - description: Determines which field is used to sort the results. in: query name: sort_field required: false schema: example: name type: string - description: Determines the sort order, which can be `desc` or `asc`. in: query name: sort_order required: false schema: enum: - desc - asc example: desc type: string responses: '200': content: application/json: examples: simpleLists: value: data: - _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Detection Exception List namespace_type: single os_types: [] tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 page: 1 per_page: 20 total: 1 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' type: array page: minimum: 1 type: integer per_page: minimum: 1 type: integer total: minimum: 0 type: integer required: - data - page - per_page - total description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get exception lists tags: - Security Exceptions API /api/exception_lists/_import: post: description: Import an exception list and its associated items from an NDJSON file. operationId: ImportExceptionList parameters: - description: | Determines whether existing exception lists with the same `list_id` are overwritten. If any exception items have the same `item_id`, those are also overwritten. in: query name: overwrite required: false schema: default: false example: false type: boolean - description: | Determines whether the list being imported will have a new `list_id` generated. Additional `item_id`'s are generated for each exception item. Both the exception list and its items are overwritten. in: query name: as_new_list required: false schema: default: false example: false type: boolean requestBody: content: multipart/form-data: schema: type: object properties: file: description: A `.ndjson` file containing the exception list example: | {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} format: binary type: string required: true responses: '200': content: application/json: examples: withErrors: value: errors: - error: message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"' status_code: 400 list_id: (unknown list_id) - error: message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' status_code: 409 item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee success: false, success_count: 0, success_count_exception_list_items: 0 success_count_exception_lists: 0, success_exception_list_items: false, success_exception_lists: false, withoutErrors: value: errors: [] success: true success_count: 2 success_count_exception_list_items: 1 success_count_exception_lists: 1 success_exception_list_items: true success_exception_lists: true, schema: type: object properties: errors: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' success: type: boolean success_count: minimum: 0 type: integer success_count_exception_list_items: minimum: 0 type: integer success_count_exception_lists: minimum: 0 type: integer success_exception_list_items: type: boolean success_exception_lists: type: boolean required: - errors - success - success_count - success_exception_lists - success_count_exception_lists - success_exception_list_items - success_count_exception_list_items description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/_import] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Import an exception list tags: - Security Exceptions API /api/exception_lists/items: delete: description: Delete an exception list item using the `id` or `item_id` field. operationId: DeleteExceptionListItem parameters: - description: Exception item's identifier. Either `id` or `item_id` must be specified in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: simpleExceptionItem: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: schema: example: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list item item_id: \"foo\" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Delete an exception list item tags: - Security Exceptions API get: description: Get the details of an exception list item using the `id` or `item_id` field. operationId: ReadExceptionListItem parameters: - description: Exception list item's identifier. Either `id` or `item_id` must be specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: simpleListItem: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list item item_id: \"foo\" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get an exception list item tags: - Security Exceptions API post: description: | Create an exception item and associate it with the specified exception list. > info > Before creating exception items, you must create an exception list. operationId: CreateExceptionListItem requestBody: content: application/json: schema: example: description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware type: simple type: object properties: comments: $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' item_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' default: [] type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - list_id - type - name - description - entries description: Exception list item's properties required: true responses: '200': content: application/json: examples: autogeneratedItemId: value: _version: WzYsMV0= comments: [] created_at: '2025-01-09T01:16:23.322Z' created_by: elastic description: This is a sample exception that has no item_id so it is autogenerated. entries: - field: actingProcess.file.signer operator: excluded type: exists id: 323faa75-c657-4fa0-9084-8827612c207b item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 name: Sample Autogenerated Exception List Item ID namespace_type: single os_types: [] tags: - malware tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 type: simple updated_at: '2025-01-09T01:16:23.322Z' updated_by: elastic detectionExceptionListItem: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withExistEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withMatchAnyEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withMatchEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: included type: match value: Elastic N.V. id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withNestedEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - entries: - field: signer operator: included type: match value: Evil - field: trusted operator: included type: match value: true field: file.signature type: nested id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withValueListEntry: value: _version: WzcsMV0= comments: [] created_at: '2025-01-09T01:31:12.614Z' created_by: elastic description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list entries: - field: source.ip list: id: goodguys.txt type: ip operator: excluded type: list id: deb26876-297d-4677-8a1f-35467d2f1c4f item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 name: Filter out good guys ip and agent.name rock01 namespace_type: single os_types: [] tags: - malware tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 type: simple updated_at: '2025-01-09T01:31:12.614Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request, message: '[request body]: list_id: Expected string, received number' statusCode: 400, schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'exception list item id: \"simple_list_item\" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create an exception list item tags: - Security Exceptions API put: description: Update an exception list item using the `id` or `item_id` field. operationId: UpdateExceptionListItem requestBody: content: application/json: example: comments: [] description: Updated description entries: - field: host.name operator: included type: match value: rock01 item_id: simple_list_item name: Updated name namespace_type: single tags: [] type: simple schema: type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' description: Either `id` or `item_id` must be specified item_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' description: Either `id` or `item_id` must be specified list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - type - name - description - entries description: Exception list item's properties required: true responses: '200': content: application/json: examples: simpleListItem: value: _version: WzEyLDFd comments: [] created_at: '2025-01-07T21:12:25.512Z' created_by: elastic description: Updated description entries: - field: host.name operator: included type: match value: rock01 id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da item_id: simple_list_item list_id: simple_list name: Updated name namespace_type: single os_types: [] tags: [] tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 type: simple updated_at: '2025-01-07T21:34:50.233Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: item_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list item item_id: \"foo\" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Update an exception list item tags: - Security Exceptions API /api/exception_lists/items/_find: get: description: Get a list of all exception list items in the specified list. operationId: FindExceptionListItems parameters: - description: The `list_id`s of the items to fetch. in: query name: list_id required: true schema: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' type: array - description: | Filters the returned results according to the value of the specified field, using the `:` syntax. examples: singleFilter: value: - exception-list.attributes.name:%My%20item in: query name: filter required: false schema: default: [] items: $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter' type: array - description: | Determines whether the returned containers are Kibana associated with a Kibana space or available in all spaces (`agnostic` or `single`) examples: single: value: - single in: query name: namespace_type required: false schema: default: - single items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' type: array - in: query name: search required: false schema: example: host.name type: string - description: The page number to return in: query name: page required: false schema: example: 1 minimum: 0 type: integer - description: The number of exception list items to return per page in: query name: per_page required: false schema: example: 20 minimum: 0 type: integer - description: Determines which field is used to sort the results. example: name in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - description: Determines the sort order, which can be `desc` or `asc`. in: query name: sort_order required: false schema: enum: - desc - asc example: desc type: string responses: '200': content: application/json: examples: simpleListItems: value: data: - _version: WzgsMV0= comments: [] created_at: '2025-01-07T21:12:25.512Z' created_by: elastic description: This is a sample exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - jupiter - saturn id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 type: simple updated_at: '2025-01-07T21:12:25.512Z' updated_by: elastic page: 1 per_page: 20 total: 1 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' type: array page: minimum: 1 type: integer per_page: minimum: 1 type: integer pit: type: string total: minimum: 0 type: integer required: - data - page - per_page - total description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list list_id: "foo" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get exception list items tags: - Security Exceptions API /api/exception_lists/summary: get: description: Get a summary of the specified exception list. operationId: ReadExceptionListSummary parameters: - description: Exception list's identifier generated upon creation. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - description: Exception list's human readable identifier. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single - description: Search filter clause in: query name: filter required: false schema: example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" type: string responses: '200': content: application/json: examples: summary: value: linux: 0 macos: 0 total: 0 windows: 0 schema: type: object properties: linux: minimum: 0 type: integer macos: minimum: 0 type: integer total: minimum: 0 type: integer windows: minimum: 0 type: integer description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get an exception list summary tags: - Security Exceptions API /api/exceptions/shared: post: description: | An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. > info > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. operationId: CreateSharedExceptionList requestBody: content: application/json: schema: example: description: This is a sample detection type exception list. list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware type: object properties: description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' required: - name - description required: true responses: '200': content: application/json: examples: sharedList: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: message: Unable to create exception-list status_code: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'exception list id: "simple_list" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create a shared exception list tags: - Security Exceptions API /api/features: get: description: | Get information about all Kibana features. Features are used by spaces and security to refine and secure access to Kibana. operationId: get-features responses: '200': content: application/json: examples: getFeaturesExample: value: | { "features": [ { "name": "tasks", "description": "Manages task results" }, { "name": "security", "description": "Manages configuration for Security features, such as users and roles" }, { "name": "searchable_snapshots", "description": "Manages caches and configuration for searchable snapshots" }, { "name": "logstash_management", "description": "Enables Logstash Central Management pipeline storage" }, { "name": "transform", "description": "Manages configuration and state for transforms" }, { "name": "kibana", "description": "Manages Kibana configuration and reports" }, { "name": "synonyms", "description": "Manages synonyms" }, { "name": "async_search", "description": "Manages results of async searches" }, { "name": "ent_search", "description": "Manages configuration for Enterprise Search features" }, { "name": "machine_learning", "description": "Provides anomaly detection and forecasting functionality" }, { "name": "geoip", "description": "Manages data related to GeoIP database downloader" }, { "name": "watcher", "description": "Manages Watch definitions and state" }, { "name": "fleet", "description": "Manages configuration for Fleet" }, { "name": "enrich", "description": "Manages data related to Enrich policies" }, { "name": "inference_plugin", "description": "Inference plugin for managing inference services and inference" } ] } schema: type: object description: Indicates a successful call summary: Get features tags: - system x-state: Technical Preview /api/fleet/agent_download_sources: get: description: '[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.' operationId: get-fleet-agent-download-sources parameters: [] responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string required: - id - name - host type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get agent binary download sources tags: - Elastic Agent binary download sources post: description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-agent-download-sources parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string required: - name - host responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string required: - id - name - host required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Create an agent binary download source tags: - Elastic Agent binary download sources /api/fleet/agent_download_sources/{sourceId}: delete: description: 'Delete an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: sourceId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: id: type: string required: - id '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete an agent binary download source tags: - Elastic Agent binary download sources get: description: 'Get an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.' operationId: get-fleet-agent-download-sources-sourceid parameters: - in: path name: sourceId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string required: - id - name - host required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get an agent binary download source tags: - Elastic Agent binary download sources put: description: 'Update an agent binary download source by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-agent-download-sources-sourceid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: sourceId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string required: - name - host responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: host: format: uri type: string id: type: string is_default: default: false type: boolean name: type: string proxy_id: description: The ID of the proxy to use for this download source. See the proxies API for more information. nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string required: - id - name - host required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Update an agent binary download source tags: - Elastic Agent binary download sources /api/fleet/agent_policies: get: description: '[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.' operationId: get-fleet-agent-policies parameters: - in: query name: page required: false schema: type: number - in: query name: perPage required: false schema: type: number - in: query name: sortField required: false schema: type: string - in: query name: sortOrder required: false schema: enum: - desc - asc type: string - in: query name: showUpgradeable required: false schema: type: boolean - in: query name: kuery required: false schema: type: string - description: use withAgentCount instead in: query name: noAgentCount required: false schema: deprecated: true type: boolean - description: get policies with agent count in: query name: withAgentCount required: false schema: type: boolean - description: get full policies with package policies populated in: query name: full required: false schema: type: boolean - in: query name: format required: false schema: enum: - simplified - legacy type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value type: array has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_policies: anyOf: - items: type: string type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_managed - is_protected - status - updated_at - updated_by - revision type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get agent policies tags: - Elastic Agent policies post: description: '[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: post-fleet-agent-policies parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: query name: sys_monitoring required: false schema: type: boolean requestBody: content: application/json: schema: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fleet_server_host_id: nullable: true type: string force: type: boolean global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value type: array has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_protected: type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage nullable: true type: array space_ids: items: type: string type: array supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number required: - name - namespace responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value type: array has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_policies: anyOf: - items: type: string type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_managed - is_protected - status - updated_at - updated_by - revision required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Create an agent policy tags: - Elastic Agent policies /api/fleet/agent_policies/_bulk_get: post: description: '[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.' operationId: post-fleet-agent-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: full: description: get full policies with package policies populated type: boolean ids: description: list of package policy ids items: type: string type: array ignoreMissing: type: boolean required: - ids responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value type: array has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_policies: anyOf: - items: type: string type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_managed - is_protected - status - updated_at - updated_by - revision type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk get agent policies tags: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}: get: description: 'Get an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.' operationId: get-fleet-agent-policies-agentpolicyid parameters: - in: path name: agentPolicyId required: true schema: type: string - in: query name: format required: false schema: enum: - simplified - legacy type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value type: array has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_policies: anyOf: - items: type: string type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_managed - is_protected - status - updated_at - updated_by - revision required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get an agent policy tags: - Elastic Agent policies put: description: 'Update an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: put-fleet-agent-policies-agentpolicyid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: agentPolicyId required: true schema: type: string - in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string bumpRevision: type: boolean data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fleet_server_host_id: nullable: true type: string force: type: boolean global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value type: array has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_protected: type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage nullable: true type: array space_ids: items: type: string type: array supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number required: - name - namespace responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value type: array has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_policies: anyOf: - items: type: string type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_managed - is_protected - status - updated_at - updated_by - revision required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Update an agent policy tags: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status: get: description: 'Get auto upgrade agent status

[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status parameters: - in: path name: agentPolicyId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: currentVersions: items: additionalProperties: false type: object properties: agents: type: number failedUpgradeAgents: type: number version: type: string required: - version - agents - failedUpgradeAgents type: array totalAgents: type: number required: - currentVersions - totalAgents '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get auto upgrade agent status tags: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/copy: post: description: 'Copy an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: post-fleet-agent-policies-agentpolicyid-copy parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: agentPolicyId required: true schema: type: string - in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: description: type: string name: minLength: 1 type: string required: - name responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: advanced_settings: additionalProperties: false type: object properties: agent_download_target_directory: nullable: true agent_download_timeout: nullable: true agent_limits_go_max_procs: nullable: true agent_logging_files_interval: nullable: true agent_logging_files_keepfiles: nullable: true agent_logging_files_rotateeverybytes: nullable: true agent_logging_level: nullable: true agent_logging_metrics_period: nullable: true agent_logging_to_files: nullable: true agent_features: items: additionalProperties: false type: object properties: enabled: type: boolean name: type: string required: - name - enabled type: array agentless: additionalProperties: false type: object properties: cloud_connectors: additionalProperties: false type: object properties: enabled: type: boolean target_csp: type: string required: - enabled resources: additionalProperties: false type: object properties: requests: additionalProperties: false type: object properties: cpu: type: string memory: type: string agents: type: number data_output_id: nullable: true type: string description: type: string download_source_id: nullable: true type: string fleet_server_host_id: nullable: true type: string global_data_tags: description: User defined data tags that are added to all of the inputs. The values can be strings or numbers. items: additionalProperties: false type: object properties: name: type: string value: anyOf: - type: string - type: number required: - name - value type: array has_fleet_server: type: boolean id: type: string inactivity_timeout: default: 1209600 minimum: 0 type: number is_default: type: boolean is_default_fleet_server: type: boolean is_managed: type: boolean is_preconfigured: type: boolean is_protected: description: Indicates whether the agent policy has tamper protection enabled. Default false. type: boolean keep_monitoring_alive: default: false description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled nullable: true type: boolean monitoring_diagnostics: additionalProperties: false type: object properties: limit: additionalProperties: false type: object properties: burst: type: number interval: type: string uploader: additionalProperties: false type: object properties: init_dur: type: string max_dur: type: string max_retries: type: number monitoring_enabled: items: enum: - logs - metrics - traces type: string type: array monitoring_http: additionalProperties: false type: object properties: buffer: additionalProperties: false type: object properties: enabled: default: false type: boolean enabled: type: boolean host: type: string port: maximum: 65353 minimum: 0 type: number monitoring_output_id: nullable: true type: string monitoring_pprof_enabled: type: boolean name: minLength: 1 type: string namespace: minLength: 1 type: string overrides: additionalProperties: {} description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object package_policies: anyOf: - items: type: string type: array - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by type: array required_versions: items: additionalProperties: false type: object properties: percentage: description: Target percentage of agents to auto upgrade maximum: 100 minimum: 0 type: number version: description: Target version for automatic agent upgrade type: string required: - version - percentage nullable: true type: array revision: type: number schema_version: type: string space_ids: items: type: string type: array status: enum: - active - inactive type: string supports_agentless: default: false description: Indicates whether the agent policy supports agentless integrations. nullable: true type: boolean unenroll_timeout: minimum: 0 type: number unprivileged_agents: type: number updated_at: type: string updated_by: type: string version: type: string required: - id - name - namespace - is_managed - is_protected - status - updated_at - updated_by - revision required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Copy an agent policy tags: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/download: get: description: 'Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.' operationId: get-fleet-agent-policies-agentpolicyid-download parameters: - in: path name: agentPolicyId required: true schema: type: string - in: query name: download required: false schema: type: boolean - in: query name: standalone required: false schema: type: boolean - in: query name: kubernetes required: false schema: type: boolean responses: '200': content: application/json: schema: type: string '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '404': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Download an agent policy tags: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/full: get: description: 'Get a full agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read.' operationId: get-fleet-agent-policies-agentpolicyid-full parameters: - in: path name: agentPolicyId required: true schema: type: string - in: query name: download required: false schema: type: boolean - in: query name: standalone required: false schema: type: boolean - in: query name: kubernetes required: false schema: type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: anyOf: - type: string - additionalProperties: false type: object properties: agent: additionalProperties: false type: object properties: download: additionalProperties: false type: object properties: secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: additionalProperties: true type: object properties: id: type: string required: - key sourceURI: type: string ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string renegotiation: type: string verification_mode: type: string required: - sourceURI features: additionalProperties: additionalProperties: false type: object properties: enabled: type: boolean required: - enabled type: object limits: additionalProperties: false type: object properties: go_max_procs: type: number logging: additionalProperties: false type: object properties: files: additionalProperties: false type: object properties: interval: type: string keepfiles: type: number rotateeverybytes: type: number level: type: string to_files: type: boolean monitoring: additionalProperties: false type: object properties: apm: {} enabled: type: boolean logs: type: boolean metrics: type: boolean namespace: type: string traces: type: boolean use_output: type: string required: - enabled - metrics - logs - traces - apm protection: additionalProperties: false type: object properties: enabled: type: boolean signing_key: type: string uninstall_token_hash: type: string required: - enabled - uninstall_token_hash - signing_key required: - monitoring - download - features fleet: anyOf: - additionalProperties: false type: object properties: hosts: items: type: string type: array proxy_headers: {} proxy_url: type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: additionalProperties: true type: object properties: id: type: string required: - key ssl: additionalProperties: false type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string renegotiation: type: string verification_mode: type: string required: - hosts - proxy_headers - additionalProperties: false type: object properties: kibana: additionalProperties: false type: object properties: hosts: items: type: string type: array path: type: string protocol: type: string required: - hosts - protocol required: - kibana id: type: string inputs: items: additionalProperties: true type: object properties: data_stream: additionalProperties: true type: object properties: namespace: type: string required: - namespace id: type: string meta: additionalProperties: true type: object properties: package: additionalProperties: true type: object properties: name: type: string version: type: string required: - name - version name: type: string package_policy_id: type: string processors: items: additionalProperties: true type: object properties: add_fields: additionalProperties: true type: object properties: fields: additionalProperties: anyOf: - type: string - type: number type: object target: type: string required: - target - fields required: - add_fields type: array revision: type: number streams: items: additionalProperties: true type: object properties: data_stream: additionalProperties: true type: object properties: dataset: type: string type: type: string required: - dataset id: type: string required: - id - data_stream type: array type: type: string use_output: type: string required: - id - name - revision - type - data_stream - use_output - package_policy_id type: array namespaces: items: type: string type: array output_permissions: additionalProperties: additionalProperties: {} type: object type: object outputs: additionalProperties: additionalProperties: true type: object properties: ca_sha256: nullable: true type: string hosts: items: type: string type: array proxy_headers: {} proxy_url: type: string type: type: string required: - type - proxy_headers type: object revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array signed: additionalProperties: false type: object properties: data: type: string signature: type: string required: - data - signature required: - id - outputs - inputs required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get a full agent policy tags: - Elastic Agent policies /api/fleet/agent_policies/{agentPolicyId}/outputs: get: description: 'Get a list of outputs associated with agent policy by policy id.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.' operationId: get-fleet-agent-policies-agentpolicyid-outputs parameters: - in: path name: agentPolicyId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: agentPolicyId: type: string data: additionalProperties: false type: object properties: integrations: items: additionalProperties: false type: object properties: id: type: string integrationPolicyName: type: string name: type: string pkgName: type: string type: array output: additionalProperties: false type: object properties: id: type: string name: type: string required: - id - name required: - output monitoring: additionalProperties: false type: object properties: output: additionalProperties: false type: object properties: id: type: string name: type: string required: - id - name required: - output required: - monitoring - data required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get outputs for an agent policy tags: - Elastic Agent policies /api/fleet/agent_policies/delete: post: description: 'Delete an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all.' operationId: post-fleet-agent-policies-delete parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: agentPolicyId: type: string force: description: bypass validation checks that can prevent agent policy deletion type: boolean required: - agentPolicyId responses: '200': content: application/json: schema: additionalProperties: false type: object properties: id: type: string name: type: string required: - id - name '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete an agent policy tags: - Elastic Agent policies /api/fleet/agent_policies/outputs: post: description: 'Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.' operationId: post-fleet-agent-policies-outputs parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: ids: description: list of package policy ids items: type: string type: array required: - ids responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: agentPolicyId: type: string data: additionalProperties: false type: object properties: integrations: items: additionalProperties: false type: object properties: id: type: string integrationPolicyName: type: string name: type: string pkgName: type: string type: array output: additionalProperties: false type: object properties: id: type: string name: type: string required: - id - name required: - output monitoring: additionalProperties: false type: object properties: output: additionalProperties: false type: object properties: id: type: string name: type: string required: - id - name required: - output required: - monitoring - data type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get outputs for agent policies tags: - Elastic Agent policies /api/fleet/agent_status: get: operationId: get-fleet-agent-status parameters: - in: query name: policyId required: false schema: type: string - in: query name: policyIds required: false schema: anyOf: - items: type: string type: array - type: string - in: query name: kuery required: false schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: results: additionalProperties: false type: object properties: active: type: number all: type: number error: type: number events: type: number inactive: type: number offline: type: number online: type: number orphaned: type: number other: type: number unenrolled: type: number uninstalled: type: number updating: type: number required: - events - online - error - offline - other - updating - inactive - unenrolled - all - active required: - results '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get an agent status summary tags: - Elastic Agent status /api/fleet/agent_status/data: get: description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agent-status-data parameters: - in: query name: agentsIds required: true schema: anyOf: - items: type: string type: array - type: string - in: query name: pkgName required: false schema: type: string - in: query name: pkgVersion required: false schema: type: string - in: query name: previewData required: false schema: default: false type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: dataPreview: items: {} type: array items: items: additionalProperties: additionalProperties: false type: object properties: data: type: boolean required: - data type: object type: array required: - items - dataPreview '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get incoming agent data tags: - Elastic Agents /api/fleet/agents: get: description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents parameters: - in: query name: page required: false schema: type: number - in: query name: perPage required: false schema: default: 20 type: number - in: query name: kuery required: false schema: type: string - in: query name: showAgentless required: false schema: default: true type: boolean - in: query name: showInactive required: false schema: default: false type: boolean - in: query name: withMetrics required: false schema: default: false type: boolean - in: query name: showUpgradeable required: false schema: default: false type: boolean - in: query name: getStatusSummary required: false schema: default: false type: boolean - in: query name: sortField required: false schema: type: string - in: query name: sortOrder required: false schema: enum: - asc - desc type: string - in: query name: searchAfter required: false schema: type: string - in: query name: openPit required: false schema: type: boolean - in: query name: pitId required: false schema: type: string - in: query name: pitKeepAlive required: false schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: access_api_key: type: string access_api_key_id: type: string active: type: boolean agent: additionalProperties: true type: object properties: id: type: string version: type: string required: - id - version audit_unenrolled_reason: type: string components: items: additionalProperties: false type: object properties: id: type: string message: type: string status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: type: string units: items: additionalProperties: false type: object properties: id: type: string message: type: string payload: additionalProperties: {} type: object status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: enum: - input - output type: string required: - id - type - status - message type: array required: - id - type - status - message type: array default_api_key: type: string default_api_key_history: items: additionalProperties: false deprecated: true type: object properties: id: type: string retired_at: type: string required: - id - retired_at type: array default_api_key_id: type: string enrolled_at: type: string id: type: string last_checkin: type: string last_checkin_message: type: string last_checkin_status: enum: - error - online - degraded - updating - starting type: string local_metadata: additionalProperties: {} type: object metrics: additionalProperties: false type: object properties: cpu_avg: type: number memory_size_byte_avg: type: number namespaces: items: type: string type: array outputs: additionalProperties: additionalProperties: false type: object properties: api_key_id: type: string to_retire_api_key_ids: items: additionalProperties: false type: object properties: id: type: string retired_at: type: string required: - id - retired_at type: array type: type: string type: object packages: items: type: string type: array policy_id: type: string policy_revision: nullable: true type: number sort: items: {} type: array status: enum: - offline - error - online - inactive - enrolling - unenrolling - unenrolled - updating - degraded - uninstalled - orphaned type: string tags: items: type: string type: array type: enum: - PERMANENT - EPHEMERAL - TEMPORARY type: string unenrolled_at: type: string unenrollment_started_at: type: string unhealthy_reason: items: enum: - input - output - other type: string nullable: true type: array upgrade_attempts: items: type: string nullable: true type: array upgrade_details: additionalProperties: false nullable: true type: object properties: action_id: type: string metadata: additionalProperties: false type: object properties: download_percent: type: number download_rate: type: number error_msg: type: string failed_state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string retry_error_msg: type: string retry_until: type: string scheduled_at: type: string state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string target_version: type: string required: - target_version - action_id - state upgrade_started_at: nullable: true type: string upgraded_at: nullable: true type: string user_provided_metadata: additionalProperties: {} type: object required: - id - packages - type - active - enrolled_at - local_metadata type: array nextSearchAfter: type: string page: type: number perPage: type: number pit: type: string statusSummary: additionalProperties: type: number type: object total: type: number required: - items - total - page - perPage '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get agents tags: - Elastic Agents post: description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: post-fleet-agents parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: actionIds: items: type: string type: array required: - actionIds responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: type: string type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get agents by action ids tags: - Elastic Agents /api/fleet/agents/{agentId}: delete: description: 'Delete an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: delete-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: agentId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: action: enum: - deleted type: string required: - action '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete an agent tags: - Elastic Agents get: description: 'Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-agentid parameters: - in: path name: agentId required: true schema: type: string - in: query name: withMetrics required: false schema: default: false type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: access_api_key: type: string access_api_key_id: type: string active: type: boolean agent: additionalProperties: true type: object properties: id: type: string version: type: string required: - id - version audit_unenrolled_reason: type: string components: items: additionalProperties: false type: object properties: id: type: string message: type: string status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: type: string units: items: additionalProperties: false type: object properties: id: type: string message: type: string payload: additionalProperties: {} type: object status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: enum: - input - output type: string required: - id - type - status - message type: array required: - id - type - status - message type: array default_api_key: type: string default_api_key_history: items: additionalProperties: false deprecated: true type: object properties: id: type: string retired_at: type: string required: - id - retired_at type: array default_api_key_id: type: string enrolled_at: type: string id: type: string last_checkin: type: string last_checkin_message: type: string last_checkin_status: enum: - error - online - degraded - updating - starting type: string local_metadata: additionalProperties: {} type: object metrics: additionalProperties: false type: object properties: cpu_avg: type: number memory_size_byte_avg: type: number namespaces: items: type: string type: array outputs: additionalProperties: additionalProperties: false type: object properties: api_key_id: type: string to_retire_api_key_ids: items: additionalProperties: false type: object properties: id: type: string retired_at: type: string required: - id - retired_at type: array type: type: string type: object packages: items: type: string type: array policy_id: type: string policy_revision: nullable: true type: number sort: items: {} type: array status: enum: - offline - error - online - inactive - enrolling - unenrolling - unenrolled - updating - degraded - uninstalled - orphaned type: string tags: items: type: string type: array type: enum: - PERMANENT - EPHEMERAL - TEMPORARY type: string unenrolled_at: type: string unenrollment_started_at: type: string unhealthy_reason: items: enum: - input - output - other type: string nullable: true type: array upgrade_attempts: items: type: string nullable: true type: array upgrade_details: additionalProperties: false nullable: true type: object properties: action_id: type: string metadata: additionalProperties: false type: object properties: download_percent: type: number download_rate: type: number error_msg: type: string failed_state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string retry_error_msg: type: string retry_until: type: string scheduled_at: type: string state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string target_version: type: string required: - target_version - action_id - state upgrade_started_at: nullable: true type: string upgraded_at: nullable: true type: string user_provided_metadata: additionalProperties: {} type: object required: - id - packages - type - active - enrolled_at - local_metadata required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get an agent tags: - Elastic Agents put: description: 'Update an agent by ID.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: put-fleet-agents-agentid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: agentId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: tags: items: type: string type: array user_provided_metadata: additionalProperties: {} type: object responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: access_api_key: type: string access_api_key_id: type: string active: type: boolean agent: additionalProperties: true type: object properties: id: type: string version: type: string required: - id - version audit_unenrolled_reason: type: string components: items: additionalProperties: false type: object properties: id: type: string message: type: string status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: type: string units: items: additionalProperties: false type: object properties: id: type: string message: type: string payload: additionalProperties: {} type: object status: enum: - STARTING - CONFIGURING - HEALTHY - DEGRADED - FAILED - STOPPING - STOPPED type: string type: enum: - input - output type: string required: - id - type - status - message type: array required: - id - type - status - message type: array default_api_key: type: string default_api_key_history: items: additionalProperties: false deprecated: true type: object properties: id: type: string retired_at: type: string required: - id - retired_at type: array default_api_key_id: type: string enrolled_at: type: string id: type: string last_checkin: type: string last_checkin_message: type: string last_checkin_status: enum: - error - online - degraded - updating - starting type: string local_metadata: additionalProperties: {} type: object metrics: additionalProperties: false type: object properties: cpu_avg: type: number memory_size_byte_avg: type: number namespaces: items: type: string type: array outputs: additionalProperties: additionalProperties: false type: object properties: api_key_id: type: string to_retire_api_key_ids: items: additionalProperties: false type: object properties: id: type: string retired_at: type: string required: - id - retired_at type: array type: type: string type: object packages: items: type: string type: array policy_id: type: string policy_revision: nullable: true type: number sort: items: {} type: array status: enum: - offline - error - online - inactive - enrolling - unenrolling - unenrolled - updating - degraded - uninstalled - orphaned type: string tags: items: type: string type: array type: enum: - PERMANENT - EPHEMERAL - TEMPORARY type: string unenrolled_at: type: string unenrollment_started_at: type: string unhealthy_reason: items: enum: - input - output - other type: string nullable: true type: array upgrade_attempts: items: type: string nullable: true type: array upgrade_details: additionalProperties: false nullable: true type: object properties: action_id: type: string metadata: additionalProperties: false type: object properties: download_percent: type: number download_rate: type: number error_msg: type: string failed_state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string retry_error_msg: type: string retry_until: type: string scheduled_at: type: string state: enum: - UPG_REQUESTED - UPG_SCHEDULED - UPG_DOWNLOADING - UPG_EXTRACTING - UPG_REPLACING - UPG_RESTARTING - UPG_FAILED - UPG_WATCHING - UPG_ROLLBACK type: string target_version: type: string required: - target_version - action_id - state upgrade_started_at: nullable: true type: string upgraded_at: nullable: true type: string user_provided_metadata: additionalProperties: {} type: object required: - id - packages - type - active - enrolled_at - local_metadata required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Update an agent by ID tags: - Elastic Agents /api/fleet/agents/{agentId}/actions: post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-actions parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: agentId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: action: anyOf: - additionalProperties: false type: object properties: ack_data: {} data: {} type: enum: - UNENROLL - UPGRADE - POLICY_REASSIGN type: string required: - type - data - ack_data - additionalProperties: false type: object properties: data: additionalProperties: false type: object properties: log_level: enum: - debug - info - warning - error nullable: true type: string required: - log_level type: enum: - SETTINGS type: string required: - type - data required: - action responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: ack_data: {} agents: items: type: string type: array created_at: type: string data: {} expiration: type: string id: type: string minimum_execution_duration: type: number namespaces: items: type: string type: array rollout_duration_seconds: type: number sent_at: type: string source_uri: type: string start_time: type: string total: type: number type: type: string required: - id - type - data - created_at - ack_data required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Create an agent action tags: - Elastic Agent actions /api/fleet/agents/{agentId}/reassign: post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-reassign parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: agentId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: policy_id: type: string required: - policy_id responses: '200': content: application/json: schema: additionalProperties: false type: object properties: {} '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Reassign an agent tags: - Elastic Agent actions /api/fleet/agents/{agentId}/request_diagnostics: post: description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: post-fleet-agents-agentid-request-diagnostics parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: agentId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false nullable: true type: object properties: additional_metrics: items: enum: - CPU type: string type: array responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Request agent diagnostics tags: - Elastic Agent actions /api/fleet/agents/{agentId}/unenroll: post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-unenroll parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: agentId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false nullable: true type: object properties: force: type: boolean revoke: type: boolean responses: {} summary: Unenroll an agent tags: - Elastic Agent actions /api/fleet/agents/{agentId}/upgrade: post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-agentid-upgrade parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: agentId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: force: type: boolean skipRateLimitCheck: type: boolean source_uri: type: string version: type: string required: - version responses: '200': content: application/json: schema: additionalProperties: false type: object properties: {} '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Upgrade an agent tags: - Elastic Agent actions /api/fleet/agents/{agentId}/uploads: get: description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-agentid-uploads parameters: - in: path name: agentId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: actionId: type: string createTime: type: string error: type: string filePath: type: string id: type: string name: type: string status: enum: - READY - AWAITING_UPLOAD - DELETED - EXPIRED - IN_PROGRESS - FAILED type: string required: - id - name - filePath - createTime - status - actionId type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get agent uploads tags: - Elastic Agents /api/fleet/agents/action_status: get: description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-action-status parameters: - in: query name: page required: false schema: default: 0 type: number - in: query name: perPage required: false schema: default: 20 type: number - in: query name: date required: false schema: type: string - in: query name: latest required: false schema: type: number - in: query name: errorSize required: false schema: default: 5 type: number responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: actionId: type: string cancellationTime: type: string completionTime: type: string creationTime: description: creation time of action type: string expiration: type: string hasRolloutPeriod: type: boolean is_automatic: type: boolean latestErrors: items: additionalProperties: false description: latest errors that happened when the agents executed the action type: object properties: agentId: type: string error: type: string hostname: type: string timestamp: type: string required: - agentId - error - timestamp type: array nbAgentsAck: description: number of agents that acknowledged the action type: number nbAgentsActionCreated: description: number of agents included in action from kibana type: number nbAgentsActioned: description: number of agents actioned type: number nbAgentsFailed: description: number of agents that failed to execute the action type: number newPolicyId: description: new policy id (POLICY_REASSIGN action) type: string policyId: description: policy id (POLICY_CHANGE action) type: string revision: description: new policy revision (POLICY_CHANGE action) type: number startTime: description: start time of action (scheduled actions) type: string status: enum: - COMPLETE - EXPIRED - CANCELLED - FAILED - IN_PROGRESS - ROLLOUT_PASSED type: string type: enum: - UPGRADE - UNENROLL - SETTINGS - POLICY_REASSIGN - CANCEL - FORCE_UNENROLL - REQUEST_DIAGNOSTICS - UPDATE_TAGS - POLICY_CHANGE - INPUT_ACTION - MIGRATE type: string version: description: agent version number (UPGRADE action) type: string required: - actionId - nbAgentsActionCreated - nbAgentsAck - nbAgentsFailed - type - nbAgentsActioned - status - creationTime type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get an agent action status tags: - Elastic Agent actions /api/fleet/agents/actions/{actionId}/cancel: post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-actions-actionid-cancel parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: actionId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: ack_data: {} agents: items: type: string type: array created_at: type: string data: {} expiration: type: string id: type: string minimum_execution_duration: type: number namespaces: items: type: string type: array rollout_duration_seconds: type: number sent_at: type: string source_uri: type: string start_time: type: string total: type: number type: type: string required: - id - type - data - created_at - ack_data required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Cancel an agent action tags: - Elastic Agent actions /api/fleet/agents/available_versions: get: description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-available-versions parameters: [] responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: type: string type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get available agent versions tags: - Elastic Agents /api/fleet/agents/bulk_reassign: post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-reassign parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: agents: anyOf: - items: type: string type: array - type: string batchSize: type: number includeInactive: default: false type: boolean policy_id: type: string required: - policy_id - agents responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk reassign agents tags: - Elastic Agent actions /api/fleet/agents/bulk_request_diagnostics: post: description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: post-fleet-agents-bulk-request-diagnostics parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: additional_metrics: items: enum: - CPU type: string type: array agents: anyOf: - items: type: string type: array - type: string batchSize: type: number required: - agents responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk request diagnostics from agents tags: - Elastic Agent actions /api/fleet/agents/bulk_unenroll: post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-unenroll parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: agents: anyOf: - items: description: KQL query string, leave empty to action all agents type: string type: array - description: list of agent IDs type: string batchSize: type: number force: description: Unenrolls hosted agents too type: boolean includeInactive: description: When passing agents by KQL query, unenrolls inactive agents too type: boolean revoke: description: Revokes API keys of agents type: boolean required: - agents responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk unenroll agents tags: - Elastic Agent actions /api/fleet/agents/bulk_update_agent_tags: post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-update-agent-tags parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: agents: anyOf: - items: type: string type: array - type: string batchSize: type: number includeInactive: default: false type: boolean tagsToAdd: items: type: string type: array tagsToRemove: items: type: string type: array required: - agents responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk update agent tags tags: - Elastic Agent actions /api/fleet/agents/bulk_upgrade: post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-agents-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: agents: anyOf: - items: type: string type: array - type: string batchSize: type: number force: type: boolean includeInactive: default: false type: boolean rollout_duration_seconds: minimum: 600 type: number skipRateLimitCheck: type: boolean source_uri: type: string start_time: type: string version: type: string required: - agents - version responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actionId: type: string required: - actionId '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk upgrade agents tags: - Elastic Agent actions /api/fleet/agents/files/{fileId}: delete: description: 'Delete a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: delete-fleet-agents-files-fileid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: fileId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: deleted: type: boolean id: type: string required: - id - deleted '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete an uploaded file tags: - Elastic Agents /api/fleet/agents/files/{fileId}/{fileName}: get: description: 'Get a file uploaded by an agent.

[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-files-fileid-filename parameters: - in: path name: fileId required: true schema: type: string - in: path name: fileName required: true schema: type: string responses: '200': content: application/json: schema: type: object '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get an uploaded file tags: - Elastic Agents /api/fleet/agents/setup: get: description: '[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.' operationId: get-fleet-agents-setup parameters: [] responses: '200': content: application/json: schema: additionalProperties: false description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing. type: object properties: is_secrets_storage_enabled: type: boolean is_space_awareness_enabled: type: boolean isReady: type: boolean missing_optional_features: items: enum: - encrypted_saved_object_encryption_key_required type: string type: array missing_requirements: items: enum: - security_required - tls_required - api_keys - fleet_admin_user - fleet_server type: string type: array package_verification_key_id: type: string required: - isReady - missing_requirements - missing_optional_features '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get agent setup info tags: - Elastic Agents post: description: '[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.' operationId: post-fleet-agents-setup parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string responses: '200': content: application/json: schema: additionalProperties: false description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. type: object properties: isInitialized: type: boolean nonFatalErrors: items: additionalProperties: false type: object properties: message: type: string name: type: string required: - name - message type: array required: - isInitialized - nonFatalErrors '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Initiate agent setup tags: - Elastic Agents /api/fleet/agents/tags: get: description: '[Required authorization] Route required privileges: fleet-agents-read.' operationId: get-fleet-agents-tags parameters: - in: query name: kuery required: false schema: type: string - in: query name: showInactive required: false schema: default: false type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: type: string type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get agent tags tags: - Elastic Agents /api/fleet/check-permissions: get: operationId: get-fleet-check-permissions parameters: - in: query name: fleetServerSetup required: false schema: type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: error: enum: - MISSING_SECURITY - MISSING_PRIVILEGES - MISSING_FLEET_SERVER_SETUP_PRIVILEGES type: string success: type: boolean required: - success '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Check permissions tags: - Fleet internals /api/fleet/data_streams: get: description: '[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.' operationId: get-fleet-data-streams parameters: [] responses: '200': content: application/json: schema: additionalProperties: false type: object properties: data_streams: items: additionalProperties: false type: object properties: dashboards: items: additionalProperties: false type: object properties: id: type: string title: type: string required: - id - title type: array dataset: type: string index: type: string last_activity_ms: type: number namespace: type: string package: type: string package_version: type: string serviceDetails: additionalProperties: false nullable: true type: object properties: environment: type: string serviceName: type: string required: - environment - serviceName size_in_bytes: type: number size_in_bytes_formatted: anyOf: - type: number - type: string type: type: string required: - index - dataset - namespace - type - package - package_version - last_activity_ms - size_in_bytes - size_in_bytes_formatted - dashboards - serviceDetails type: array required: - data_streams '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get data streams tags: - Data streams /api/fleet/enrollment_api_keys: get: description: '[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.' operationId: get-fleet-enrollment-api-keys parameters: - in: query name: page required: false schema: default: 1 type: number - in: query name: perPage required: false schema: default: 20 type: number - in: query name: kuery required: false schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: active: description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. type: boolean api_key: description: The enrollment API key (token) used for enrolling Elastic Agents. type: string api_key_id: description: The ID of the API key in the Security API. type: string created_at: type: string hidden: type: boolean id: type: string name: description: The name of the enrollment API key. type: string policy_id: description: The ID of the agent policy the Elastic Agent will be enrolled in. type: string required: - id - api_key_id - api_key - active - created_at type: array list: deprecated: true items: additionalProperties: false type: object properties: active: description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. type: boolean api_key: description: The enrollment API key (token) used for enrolling Elastic Agents. type: string api_key_id: description: The ID of the API key in the Security API. type: string created_at: type: string hidden: type: boolean id: type: string name: description: The name of the enrollment API key. type: string policy_id: description: The ID of the agent policy the Elastic Agent will be enrolled in. type: string required: - id - api_key_id - api_key - active - created_at type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage - list '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get enrollment API keys tags: - Fleet enrollment API keys post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-enrollment-api-keys parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: expiration: type: string name: type: string policy_id: type: string required: - policy_id responses: '200': content: application/json: schema: additionalProperties: false type: object properties: action: enum: - created type: string item: additionalProperties: false type: object properties: active: description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. type: boolean api_key: description: The enrollment API key (token) used for enrolling Elastic Agents. type: string api_key_id: description: The ID of the API key in the Security API. type: string created_at: type: string hidden: type: boolean id: type: string name: description: The name of the enrollment API key. type: string policy_id: description: The ID of the agent policy the Elastic Agent will be enrolled in. type: string required: - id - api_key_id - api_key - active - created_at required: - item - action '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Create an enrollment API key tags: - Fleet enrollment API keys /api/fleet/enrollment_api_keys/{keyId}: delete: description: 'Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: delete-fleet-enrollment-api-keys-keyid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: keyId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: action: enum: - deleted type: string required: - action '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Revoke an enrollment API key tags: - Fleet enrollment API keys get: description: 'Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.' operationId: get-fleet-enrollment-api-keys-keyid parameters: - in: path name: keyId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: active: description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents. type: boolean api_key: description: The enrollment API key (token) used for enrolling Elastic Agents. type: string api_key_id: description: The ID of the API key in the Security API. type: string created_at: type: string hidden: type: boolean id: type: string name: description: The name of the enrollment API key. type: string policy_id: description: The ID of the agent policy the Elastic Agent will be enrolled in. type: string required: - id - api_key_id - api_key - active - created_at required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get an enrollment API key tags: - Fleet enrollment API keys /api/fleet/epm/bulk_assets: post: description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: post-fleet-epm-bulk-assets parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: assetIds: items: additionalProperties: false type: object properties: id: type: string type: type: string required: - id - type type: array required: - assetIds responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: appLink: type: string attributes: additionalProperties: false type: object properties: description: type: string service: type: string title: type: string id: type: string type: type: string updatedAt: type: string required: - id - type - attributes type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk get assets tags: - Elastic Package Manager (EPM) /api/fleet/epm/categories: get: description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-categories parameters: - in: query name: prerelease required: false schema: type: boolean - in: query name: include_policy_templates required: false schema: type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: count: type: number id: type: string parent_id: type: string parent_title: type: string title: type: string required: - id - title - count type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get package categories tags: - Elastic Package Manager (EPM) /api/fleet/epm/custom_integrations: post: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-custom-integrations parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: datasets: items: additionalProperties: false type: object properties: name: type: string type: enum: - logs - metrics - traces - synthetics - profiling type: string required: - name - type type: array force: type: boolean integrationName: type: string required: - integrationName - datasets responses: '200': content: application/json: schema: additionalProperties: false type: object properties: _meta: additionalProperties: false type: object properties: install_source: type: string name: type: string required: - install_source - name items: items: anyOf: - additionalProperties: false type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model type: string version: type: string required: - id - type type: array required: - items - _meta '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Create a custom integration tags: - Elastic Package Manager (EPM) /api/fleet/epm/custom_integrations/{pkgName}: put: description: '[Required authorization] Route required privileges: fleet-settings-all AND integrations-all.' operationId: put-fleet-epm-custom-integrations-pkgname parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: pkgName required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: categories: items: type: string type: array readMeData: type: string required: - readMeData responses: '200': {} '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Update a custom integration tags: - Elastic Package Manager (EPM) /api/fleet/epm/data_streams: get: description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-data-streams parameters: - in: query name: type required: false schema: enum: - logs - metrics - traces - synthetics - profiling type: string - in: query name: datasetQuery required: false schema: type: string - in: query name: sortOrder required: false schema: default: asc enum: - asc - desc type: string - in: query name: uncategorisedOnly required: false schema: default: false type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: name: type: string required: - name type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get data streams tags: - Data streams /api/fleet/epm/packages: get: description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages parameters: - in: query name: category required: false schema: type: string - in: query name: prerelease required: false schema: type: boolean - in: query name: excludeInstallStatus required: false schema: type: boolean - in: query name: withPackagePoliciesCount required: false schema: type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: true type: object properties: categories: items: type: string type: array conditions: additionalProperties: true type: object properties: elastic: additionalProperties: true type: object properties: capabilities: items: type: string type: array subscription: type: string kibana: additionalProperties: true type: object properties: version: type: string data_streams: items: additionalProperties: {} type: object type: array description: type: string discovery: additionalProperties: true type: object properties: fields: items: additionalProperties: true type: object properties: name: type: string required: - name type: array download: type: string format_version: type: string icons: items: additionalProperties: true type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src type: array id: type: string installationInfo: additionalProperties: true type: object properties: additional_spaces_installed_kibana: additionalProperties: items: additionalProperties: true type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type type: array type: object created_at: type: string experimental_data_stream_features: items: additionalProperties: true type: object properties: data_stream: type: string features: additionalProperties: true type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array install_format_schema_version: type: string install_source: enum: - registry - upload - bundled - custom type: string install_status: enum: - installed - installing - install_failed type: string installed_es: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model type: string version: type: string required: - id - type type: array installed_kibana: items: additionalProperties: true type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type type: array installed_kibana_space_id: type: string latest_executed_state: additionalProperties: true type: object properties: error: type: string name: type: string started_at: type: string latest_install_failed_attempts: items: additionalProperties: true type: object properties: created_at: type: string error: additionalProperties: true type: object properties: message: type: string name: type: string stack: type: string required: - name - message target_version: type: string required: - created_at - target_version - error type: array name: type: string namespaces: items: type: string type: array type: type: string updated_at: type: string verification_key_id: nullable: true type: string verification_status: enum: - unverified - verified - unknown type: string version: type: string required: - type - installed_kibana - installed_es - name - version - install_status - install_source - verification_status integration: type: string internal: type: boolean latestVersion: type: string name: type: string owner: additionalProperties: true type: object properties: github: type: string type: enum: - elastic - partner - community type: string path: type: string policy_templates: items: additionalProperties: {} type: object type: array readme: type: string release: enum: - ga - beta - experimental type: string signature_path: type: string source: additionalProperties: true type: object properties: license: type: string required: - license status: type: string title: type: string type: anyOf: - enum: - integration type: string - enum: - input type: string - enum: - content type: string - type: string vars: items: additionalProperties: {} type: object type: array version: type: string required: - name - version - title - id type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get packages tags: - Elastic Package Manager (EPM) post: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: query name: ignoreMappingUpdateErrors required: false schema: default: false type: boolean - in: query name: skipDataStreamRollover required: false schema: default: false type: boolean requestBody: content: application/gzip; application/zip: schema: format: binary type: string responses: '200': content: application/gzip; application/zip: schema: additionalProperties: false type: object properties: _meta: additionalProperties: false type: object properties: install_source: type: string name: type: string required: - install_source - name items: items: anyOf: - additionalProperties: false type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model type: string version: type: string required: - id - type type: array required: - items - _meta '400': content: application/gzip; application/zip: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Install a package by upload tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/_bulk: post: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-bulk parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: query name: prerelease required: false schema: type: boolean requestBody: content: application/json: schema: additionalProperties: false type: object properties: force: default: false type: boolean packages: items: anyOf: - type: string - additionalProperties: false type: object properties: name: type: string prerelease: type: boolean version: type: string required: - name - version minItems: 1 type: array required: - packages responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: anyOf: - additionalProperties: false type: object properties: name: type: string result: additionalProperties: false type: object properties: assets: items: anyOf: - additionalProperties: false type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model type: string version: type: string required: - id - type type: array error: {} installSource: type: string installType: type: string status: enum: - installed - already_installed type: string required: - error - installType version: type: string required: - name - version - result - additionalProperties: false type: object properties: error: anyOf: - type: string - {} name: type: string statusCode: type: number required: - name - statusCode - error type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk install packages tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/_bulk_uninstall: post: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-bulk-uninstall parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: force: default: false type: boolean packages: items: additionalProperties: false type: object properties: name: type: string version: type: string required: - name - version minItems: 1 type: array required: - packages responses: '200': content: application/json: schema: additionalProperties: false type: object properties: taskId: type: string required: - taskId '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk uninstall packages tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/_bulk_uninstall/{taskId}: get: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: get-fleet-epm-packages-bulk-uninstall-taskid parameters: - in: path name: taskId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string required: - message results: items: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string required: - message name: type: string success: type: boolean required: - name - success type: array status: type: string required: - status '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get Bulk uninstall packages details tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/_bulk_upgrade: post: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-bulk-upgrade parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: force: default: false type: boolean packages: items: additionalProperties: false type: object properties: name: type: string version: type: string required: - name minItems: 1 type: array prerelease: type: boolean upgrade_package_policies: default: false type: boolean required: - packages responses: '200': content: application/json: schema: additionalProperties: false type: object properties: taskId: type: string required: - taskId '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk upgrade packages tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/_bulk_upgrade/{taskId}: get: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: get-fleet-epm-packages-bulk-upgrade-taskid parameters: - in: path name: taskId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string required: - message results: items: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: type: string required: - message name: type: string success: type: boolean required: - name - success type: array status: type: string required: - status '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get Bulk upgrade packages details tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}: delete: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: delete-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: pkgName required: true schema: type: string - in: path name: pkgVersion required: false schema: type: string - in: query name: force required: false schema: type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: anyOf: - additionalProperties: false type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model type: string version: type: string required: - id - type type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete a package tags: - Elastic Package Manager (EPM) get: operationId: get-fleet-epm-packages-pkgname-pkgversion parameters: - in: path name: pkgName required: true schema: type: string - in: path name: pkgVersion required: false schema: type: string - in: query name: ignoreUnverified required: false schema: type: boolean - in: query name: prerelease required: false schema: type: boolean - in: query name: full required: false schema: type: boolean - in: query name: withMetadata required: false schema: default: false type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: true type: object properties: agent: additionalProperties: false type: object properties: privileges: additionalProperties: false type: object properties: root: type: boolean asset_tags: items: additionalProperties: false type: object properties: asset_ids: items: type: string type: array asset_types: items: type: string type: array text: type: string required: - text type: array assets: additionalProperties: {} type: object categories: items: type: string type: array conditions: additionalProperties: true type: object properties: elastic: additionalProperties: true type: object properties: capabilities: items: type: string type: array subscription: type: string kibana: additionalProperties: true type: object properties: version: type: string data_streams: items: additionalProperties: {} type: object type: array description: type: string discovery: additionalProperties: true type: object properties: fields: items: additionalProperties: true type: object properties: name: type: string required: - name type: array download: type: string elasticsearch: additionalProperties: {} type: object format_version: type: string icons: items: additionalProperties: true type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src type: array installationInfo: additionalProperties: true type: object properties: additional_spaces_installed_kibana: additionalProperties: items: additionalProperties: true type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type type: array type: object created_at: type: string experimental_data_stream_features: items: additionalProperties: true type: object properties: data_stream: type: string features: additionalProperties: true type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array install_format_schema_version: type: string install_source: enum: - registry - upload - bundled - custom type: string install_status: enum: - installed - installing - install_failed type: string installed_es: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model type: string version: type: string required: - id - type type: array installed_kibana: items: additionalProperties: true type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type type: array installed_kibana_space_id: type: string latest_executed_state: additionalProperties: true type: object properties: error: type: string name: type: string started_at: type: string latest_install_failed_attempts: items: additionalProperties: true type: object properties: created_at: type: string error: additionalProperties: true type: object properties: message: type: string name: type: string stack: type: string required: - name - message target_version: type: string required: - created_at - target_version - error type: array name: type: string namespaces: items: type: string type: array type: type: string updated_at: type: string verification_key_id: nullable: true type: string verification_status: enum: - unverified - verified - unknown type: string version: type: string required: - type - installed_kibana - installed_es - name - version - install_status - install_source - verification_status internal: type: boolean keepPoliciesUpToDate: type: boolean latestVersion: type: string license: type: string licensePath: type: string name: type: string notice: type: string owner: additionalProperties: true type: object properties: github: type: string type: enum: - elastic - partner - community type: string path: type: string policy_templates: items: additionalProperties: {} type: object type: array readme: type: string release: enum: - ga - beta - experimental type: string screenshots: items: additionalProperties: false type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src type: array signature_path: type: string source: additionalProperties: true type: object properties: license: type: string required: - license status: type: string title: type: string type: anyOf: - enum: - integration type: string - enum: - input type: string - enum: - content type: string - type: string vars: items: additionalProperties: {} type: object type: array version: type: string required: - name - version - title - assets metadata: additionalProperties: false type: object properties: has_policies: type: boolean required: - has_policies required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get a package tags: - Elastic Package Manager (EPM) post: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: pkgName required: true schema: type: string - in: path name: pkgVersion required: false schema: type: string - in: query name: prerelease required: false schema: type: boolean - in: query name: ignoreMappingUpdateErrors required: false schema: default: false type: boolean - in: query name: skipDataStreamRollover required: false schema: default: false type: boolean requestBody: content: application/json: schema: additionalProperties: false nullable: true type: object properties: force: default: false type: boolean ignore_constraints: default: false type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: _meta: additionalProperties: false type: object properties: install_source: type: string name: type: string required: - install_source - name items: items: anyOf: - additionalProperties: false type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type - additionalProperties: false type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model type: string version: type: string required: - id - type type: array required: - items - _meta '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Install a package from the registry tags: - Elastic Package Manager (EPM) put: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: put-fleet-epm-packages-pkgname-pkgversion parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: pkgName required: true schema: type: string - in: path name: pkgVersion required: false schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: keepPoliciesUpToDate: type: boolean required: - keepPoliciesUpToDate responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: true type: object properties: agent: additionalProperties: false type: object properties: privileges: additionalProperties: false type: object properties: root: type: boolean asset_tags: items: additionalProperties: false type: object properties: asset_ids: items: type: string type: array asset_types: items: type: string type: array text: type: string required: - text type: array assets: additionalProperties: {} type: object categories: items: type: string type: array conditions: additionalProperties: true type: object properties: elastic: additionalProperties: true type: object properties: capabilities: items: type: string type: array subscription: type: string kibana: additionalProperties: true type: object properties: version: type: string data_streams: items: additionalProperties: {} type: object type: array description: type: string discovery: additionalProperties: true type: object properties: fields: items: additionalProperties: true type: object properties: name: type: string required: - name type: array download: type: string elasticsearch: additionalProperties: {} type: object format_version: type: string icons: items: additionalProperties: true type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src type: array installationInfo: additionalProperties: true type: object properties: additional_spaces_installed_kibana: additionalProperties: items: additionalProperties: true type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type type: array type: object created_at: type: string experimental_data_stream_features: items: additionalProperties: true type: object properties: data_stream: type: string features: additionalProperties: true type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array install_format_schema_version: type: string install_source: enum: - registry - upload - bundled - custom type: string install_status: enum: - installed - installing - install_failed type: string installed_es: items: additionalProperties: true type: object properties: deferred: type: boolean id: type: string type: enum: - index - index_template - component_template - ingest_pipeline - ilm_policy - data_stream_ilm_policy - transform - ml_model type: string version: type: string required: - id - type type: array installed_kibana: items: additionalProperties: true type: object properties: id: type: string originId: type: string type: anyOf: - enum: - dashboard - lens - visualization - search - index-pattern - map - ml-module - security-rule - csp-rule-template - osquery-pack-asset - osquery-saved-query - tag type: string - type: string required: - id - type type: array installed_kibana_space_id: type: string latest_executed_state: additionalProperties: true type: object properties: error: type: string name: type: string started_at: type: string latest_install_failed_attempts: items: additionalProperties: true type: object properties: created_at: type: string error: additionalProperties: true type: object properties: message: type: string name: type: string stack: type: string required: - name - message target_version: type: string required: - created_at - target_version - error type: array name: type: string namespaces: items: type: string type: array type: type: string updated_at: type: string verification_key_id: nullable: true type: string verification_status: enum: - unverified - verified - unknown type: string version: type: string required: - type - installed_kibana - installed_es - name - version - install_status - install_source - verification_status internal: type: boolean keepPoliciesUpToDate: type: boolean latestVersion: type: string license: type: string licensePath: type: string name: type: string notice: type: string owner: additionalProperties: true type: object properties: github: type: string type: enum: - elastic - partner - community type: string path: type: string policy_templates: items: additionalProperties: {} type: object type: array readme: type: string release: enum: - ga - beta - experimental type: string screenshots: items: additionalProperties: false type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src type: array signature_path: type: string source: additionalProperties: true type: object properties: license: type: string required: - license status: type: string title: type: string type: anyOf: - enum: - integration type: string - enum: - input type: string - enum: - content type: string - type: string vars: items: additionalProperties: {} type: object type: array version: type: string required: - name - version - title - assets required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Update package settings tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}: get: description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath parameters: - in: path name: pkgName required: true schema: type: string - in: path name: pkgVersion required: true schema: type: string - in: path name: filePath required: true schema: type: string responses: '200': content: application/json: schema: {} '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get a package file tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets: delete: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: pkgName required: true schema: type: string - in: path name: pkgVersion required: true schema: type: string - in: query name: packagePolicyId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: success: type: boolean required: - success '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete assets for an input package tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets: delete: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: pkgName required: true schema: type: string - in: path name: pkgVersion required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: success: type: boolean required: - success '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete Kibana assets for a package tags: - Elastic Package Manager (EPM) post: description: '[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.' operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: pkgName required: true schema: type: string - in: path name: pkgVersion required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false nullable: true type: object properties: force: type: boolean space_ids: description: When provided install assets in the specified spaces instead of the current space. items: type: string minItems: 1 type: array responses: '200': content: application/json: schema: additionalProperties: false type: object properties: success: type: boolean required: - success '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Install Kibana assets for a package tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize: post: operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: pkgName required: true schema: type: string - in: path name: pkgVersion required: true schema: type: string - in: query name: prerelease required: false schema: type: boolean requestBody: content: application/json: schema: additionalProperties: false type: object properties: transforms: items: additionalProperties: false type: object properties: transformId: type: string required: - transformId type: array required: - transforms responses: '200': content: application/json: schema: items: additionalProperties: false type: object properties: error: nullable: true success: type: boolean transformId: type: string required: - transformId - success - error type: array '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Authorize transforms tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/{pkgName}/stats: get: description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-pkgname-stats parameters: - in: path name: pkgName required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: response: additionalProperties: false type: object properties: agent_policy_count: type: number required: - agent_policy_count required: - response '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get package stats tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/installed: get: description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-installed parameters: - in: query name: dataStreamType required: false schema: enum: - logs - metrics - traces - synthetics - profiling type: string - in: query name: showOnlyActiveDataStreams required: false schema: type: boolean - in: query name: nameQuery required: false schema: type: string - in: query name: searchAfter required: false schema: items: anyOf: - type: string - type: number type: array - in: query name: perPage required: false schema: default: 15 type: number - in: query name: sortOrder required: false schema: default: asc enum: - asc - desc type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: dataStreams: items: additionalProperties: false type: object properties: name: type: string title: type: string required: - name - title type: array description: type: string icons: items: additionalProperties: false type: object properties: dark_mode: type: boolean path: type: string size: type: string src: type: string title: type: string type: type: string required: - src type: array name: type: string status: type: string title: type: string version: type: string required: - name - version - status - dataStreams type: array searchAfter: items: anyOf: - type: string - type: number - type: boolean - enum: [] nullable: true - {} type: array total: type: number required: - items - total '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get installed packages tags: - Elastic Package Manager (EPM) /api/fleet/epm/packages/limited: get: description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-packages-limited parameters: [] responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: type: string type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get a limited package list tags: - Elastic Package Manager (EPM) /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs: get: description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs parameters: - in: path name: pkgName required: true schema: type: string - in: path name: pkgVersion required: true schema: type: string - in: query name: format required: false schema: default: json enum: - json - yml - yaml type: string - in: query name: prerelease required: false schema: type: boolean - in: query name: ignoreUnverified required: false schema: type: boolean responses: '200': content: application/json: schema: anyOf: - type: string - additionalProperties: false type: object properties: inputs: items: additionalProperties: false type: object properties: id: type: string streams: items: additionalProperties: true type: object properties: data_stream: additionalProperties: true type: object properties: dataset: type: string type: type: string required: - dataset id: type: string required: - id - data_stream type: array type: type: string required: - id - type type: array required: - inputs '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get an inputs template tags: - Elastic Package Manager (EPM) /api/fleet/epm/verification_key_id: get: description: '[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.' operationId: get-fleet-epm-verification-key-id parameters: [] responses: '200': content: application/json: schema: additionalProperties: false type: object properties: id: nullable: true type: string required: - id '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get a package signature verification key ID tags: - Elastic Package Manager (EPM) /api/fleet/fleet_server_hosts: get: description: '[Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.' operationId: get-fleet-fleet-server-hosts parameters: [] responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: host_urls: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_internal: type: boolean is_preconfigured: default: false type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string type: array es_key: type: string key: type: string required: - name - host_urls - id type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get Fleet Server hosts tags: - Fleet Server hosts post: description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-fleet-server-hosts parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: host_urls: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_internal: type: boolean is_preconfigured: default: false type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string type: array es_key: type: string key: type: string required: - name - host_urls responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: host_urls: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_internal: type: boolean is_preconfigured: default: false type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string type: array es_key: type: string key: type: string required: - name - host_urls - id required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Create a Fleet Server host tags: - Fleet Server hosts /api/fleet/fleet_server_hosts/{itemId}: delete: description: 'Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: itemId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: id: type: string required: - id '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete a Fleet Server host tags: - Fleet Server hosts get: description: 'Get a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-fleet-server-hosts-itemid parameters: - in: path name: itemId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: host_urls: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_internal: type: boolean is_preconfigured: default: false type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string type: array es_key: type: string key: type: string required: - name - host_urls - id required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get a Fleet Server host tags: - Fleet Server hosts put: description: 'Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-fleet-server-hosts-itemid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: itemId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: host_urls: items: type: string minItems: 1 type: array is_default: type: boolean is_internal: type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string type: array es_key: type: string key: type: string required: - proxy_id responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: host_urls: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_internal: type: boolean is_preconfigured: default: false type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: es_key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array client_auth: enum: - optional - required - none type: string es_certificate: type: string es_certificate_authorities: items: type: string type: array es_key: type: string key: type: string required: - name - host_urls - id required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Update a Fleet Server host tags: - Fleet Server hosts /api/fleet/health_check: post: description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-health-check parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: id: type: string required: - id responses: '200': content: application/json: schema: additionalProperties: false type: object properties: host_id: type: string name: type: string status: type: string required: - status '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '404': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Check Fleet Server health tags: - Fleet internals /api/fleet/kubernetes: get: description: '[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.' operationId: get-fleet-kubernetes parameters: - in: query name: download required: false schema: type: boolean - in: query name: fleetServer required: false schema: type: string - in: query name: enrolToken required: false schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: type: string required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get a full K8s agent manifest tags: - Elastic Agent policies /api/fleet/kubernetes/download: get: description: '[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.' operationId: get-fleet-kubernetes-download parameters: - in: query name: download required: false schema: type: boolean - in: query name: fleetServer required: false schema: type: string - in: query name: enrolToken required: false schema: type: string responses: '200': content: application/json: schema: type: string '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '404': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Download an agent manifest tags: - Elastic Agent policies /api/fleet/logstash_api_keys: post: description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-logstash-api-keys parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: api_key: type: string required: - api_key '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Generate a Logstash API key tags: - Fleet outputs /api/fleet/message_signing_service/rotate_key_pair: post: description: '[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.' operationId: post-fleet-message-signing-service-rotate-key-pair parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: query name: acknowledge required: false schema: default: false type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: message: type: string required: - message '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '500': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Rotate a Fleet message signing key pair tags: - Message Signing Service /api/fleet/outputs: get: description: '[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.' operationId: get-fleet-outputs parameters: [] responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: anyOf: - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - elasticsearch type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean kibana_api_key: nullable: true type: string kibana_url: nullable: true type: string name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: service_token: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string service_token: nullable: true type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string sync_integrations: type: boolean sync_uninstalled_integrations: type: boolean type: enum: - remote_elasticsearch type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - logstash type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array auth_type: enum: - none - user_pass - ssl - kerberos type: string broker_timeout: type: number ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string client_id: type: string compression: enum: - gzip - snappy - lz4 - none type: string compression_level: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: number - not: {} config_yaml: nullable: true type: string connection_type: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - plaintext - encryption type: string - not: {} hash: additionalProperties: true type: object properties: hash: type: string random: type: boolean headers: items: additionalProperties: true type: object properties: key: type: string value: type: string required: - key - value type: array hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean key: type: string name: type: string partition: enum: - random - round_robin - hash type: string password: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - not: {} - anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} proxy_id: nullable: true type: string random: additionalProperties: true type: object properties: group_events: type: number required_acks: enum: - 1 - 0 - -1 type: integer round_robin: additionalProperties: true type: object properties: group_events: type: number sasl: additionalProperties: true nullable: true type: object properties: mechanism: enum: - PLAIN - SCRAM-SHA-256 - SCRAM-SHA-512 type: string secrets: additionalProperties: true type: object properties: password: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string required: - key shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string timeout: type: number topic: type: string type: enum: - kafka type: string username: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} version: type: string required: - name - type - hosts - compression_level - auth_type - connection_type - username - password type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get outputs tags: - Fleet outputs post: description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-outputs parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - elasticsearch type: string required: - name - type - hosts - additionalProperties: false type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean kibana_api_key: nullable: true type: string kibana_url: nullable: true type: string name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: service_token: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string service_token: nullable: true type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string sync_integrations: type: boolean sync_uninstalled_integrations: type: boolean type: enum: - remote_elasticsearch type: string required: - name - type - hosts - additionalProperties: false type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - logstash type: string required: - name - type - hosts - additionalProperties: false type: object properties: allow_edit: items: type: string type: array auth_type: enum: - none - user_pass - ssl - kerberos type: string broker_timeout: type: number ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string client_id: type: string compression: enum: - gzip - snappy - lz4 - none type: string compression_level: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: number - not: {} config_yaml: nullable: true type: string connection_type: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - plaintext - encryption type: string - not: {} hash: additionalProperties: false type: object properties: hash: type: string random: type: boolean headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value type: array hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean key: type: string name: type: string partition: enum: - random - round_robin - hash type: string password: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - not: {} - anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} proxy_id: nullable: true type: string random: additionalProperties: false type: object properties: group_events: type: number required_acks: enum: - 1 - 0 - -1 type: integer round_robin: additionalProperties: false type: object properties: group_events: type: number sasl: additionalProperties: false nullable: true type: object properties: mechanism: enum: - PLAIN - SCRAM-SHA-256 - SCRAM-SHA-512 type: string secrets: additionalProperties: false type: object properties: password: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string required: - key shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string timeout: type: number topic: type: string type: enum: - kafka type: string username: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} version: type: string required: - name - type - hosts - compression_level - auth_type - connection_type - username - password responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: anyOf: - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - elasticsearch type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean kibana_api_key: nullable: true type: string kibana_url: nullable: true type: string name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: service_token: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string service_token: nullable: true type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string sync_integrations: type: boolean sync_uninstalled_integrations: type: boolean type: enum: - remote_elasticsearch type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - logstash type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array auth_type: enum: - none - user_pass - ssl - kerberos type: string broker_timeout: type: number ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string client_id: type: string compression: enum: - gzip - snappy - lz4 - none type: string compression_level: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: number - not: {} config_yaml: nullable: true type: string connection_type: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - plaintext - encryption type: string - not: {} hash: additionalProperties: true type: object properties: hash: type: string random: type: boolean headers: items: additionalProperties: true type: object properties: key: type: string value: type: string required: - key - value type: array hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean key: type: string name: type: string partition: enum: - random - round_robin - hash type: string password: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - not: {} - anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} proxy_id: nullable: true type: string random: additionalProperties: true type: object properties: group_events: type: number required_acks: enum: - 1 - 0 - -1 type: integer round_robin: additionalProperties: true type: object properties: group_events: type: number sasl: additionalProperties: true nullable: true type: object properties: mechanism: enum: - PLAIN - SCRAM-SHA-256 - SCRAM-SHA-512 type: string secrets: additionalProperties: true type: object properties: password: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string required: - key shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string timeout: type: number topic: type: string type: enum: - kafka type: string username: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} version: type: string required: - name - type - hosts - compression_level - auth_type - connection_type - username - password required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Create output tags: - Fleet outputs /api/fleet/outputs/{outputId}: delete: description: 'Delete output by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: outputId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: id: type: string required: - id '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '404': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete output tags: - Fleet outputs get: description: 'Get output by ID.

[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.' operationId: get-fleet-outputs-outputid parameters: - in: path name: outputId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: anyOf: - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - elasticsearch type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean kibana_api_key: nullable: true type: string kibana_url: nullable: true type: string name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: service_token: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string service_token: nullable: true type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string sync_integrations: type: boolean sync_uninstalled_integrations: type: boolean type: enum: - remote_elasticsearch type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - logstash type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array auth_type: enum: - none - user_pass - ssl - kerberos type: string broker_timeout: type: number ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string client_id: type: string compression: enum: - gzip - snappy - lz4 - none type: string compression_level: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: number - not: {} config_yaml: nullable: true type: string connection_type: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - plaintext - encryption type: string - not: {} hash: additionalProperties: true type: object properties: hash: type: string random: type: boolean headers: items: additionalProperties: true type: object properties: key: type: string value: type: string required: - key - value type: array hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean key: type: string name: type: string partition: enum: - random - round_robin - hash type: string password: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - not: {} - anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} proxy_id: nullable: true type: string random: additionalProperties: true type: object properties: group_events: type: number required_acks: enum: - 1 - 0 - -1 type: integer round_robin: additionalProperties: true type: object properties: group_events: type: number sasl: additionalProperties: true nullable: true type: object properties: mechanism: enum: - PLAIN - SCRAM-SHA-256 - SCRAM-SHA-512 type: string secrets: additionalProperties: true type: object properties: password: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string required: - key shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string timeout: type: number topic: type: string type: enum: - kafka type: string username: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} version: type: string required: - name - type - hosts - compression_level - auth_type - connection_type - username - password required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get output tags: - Fleet outputs put: description: 'Update output by ID.

[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.' operationId: put-fleet-outputs-outputid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: outputId required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: type: boolean is_default_monitoring: type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - elasticsearch type: string - additionalProperties: false type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: type: boolean is_default_monitoring: type: boolean is_internal: type: boolean is_preconfigured: type: boolean kibana_api_key: nullable: true type: string kibana_url: nullable: true type: string name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: service_token: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string service_token: nullable: true type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string sync_integrations: type: boolean sync_uninstalled_integrations: type: boolean type: enum: - remote_elasticsearch type: string - additionalProperties: false type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: type: string minItems: 1 type: array id: type: string is_default: type: boolean is_default_monitoring: type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: false type: object properties: ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - logstash type: string - additionalProperties: false type: object properties: allow_edit: items: type: string type: array auth_type: enum: - none - user_pass - ssl - kerberos type: string broker_timeout: type: number ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string client_id: type: string compression: enum: - gzip - snappy - lz4 - none type: string compression_level: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: number - not: {} config_yaml: nullable: true type: string connection_type: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - plaintext - encryption type: string - not: {} hash: additionalProperties: false type: object properties: hash: type: string random: type: boolean headers: items: additionalProperties: false type: object properties: key: type: string value: type: string required: - key - value type: array hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean key: type: string name: type: string partition: enum: - random - round_robin - hash type: string password: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - not: {} - anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} proxy_id: nullable: true type: string random: additionalProperties: false type: object properties: group_events: type: number required_acks: enum: - 1 - 0 - -1 type: integer round_robin: additionalProperties: false type: object properties: group_events: type: number sasl: additionalProperties: false nullable: true type: object properties: mechanism: enum: - PLAIN - SCRAM-SHA-256 - SCRAM-SHA-512 type: string secrets: additionalProperties: false type: object properties: password: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: false type: object properties: key: anyOf: - additionalProperties: false type: object properties: id: type: string required: - id - type: string required: - key shipper: additionalProperties: false nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: false nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string timeout: type: number topic: type: string type: enum: - kafka type: string username: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} version: type: string required: - name - compression_level - connection_type - username - password responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: anyOf: - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - elasticsearch type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: format: uri type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean kibana_api_key: nullable: true type: string kibana_url: nullable: true type: string name: type: string preset: enum: - balanced - custom - throughput - scale - latency type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: service_token: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string service_token: nullable: true type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string sync_integrations: type: boolean sync_uninstalled_integrations: type: boolean type: enum: - remote_elasticsearch type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string config_yaml: nullable: true type: string hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean name: type: string proxy_id: nullable: true type: string secrets: additionalProperties: true type: object properties: ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string type: enum: - logstash type: string required: - name - type - hosts - additionalProperties: true type: object properties: allow_edit: items: type: string type: array auth_type: enum: - none - user_pass - ssl - kerberos type: string broker_timeout: type: number ca_sha256: nullable: true type: string ca_trusted_fingerprint: nullable: true type: string client_id: type: string compression: enum: - gzip - snappy - lz4 - none type: string compression_level: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: number - not: {} config_yaml: nullable: true type: string connection_type: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - plaintext - encryption type: string - not: {} hash: additionalProperties: true type: object properties: hash: type: string random: type: boolean headers: items: additionalProperties: true type: object properties: key: type: string value: type: string required: - key - value type: array hosts: items: type: string minItems: 1 type: array id: type: string is_default: default: false type: boolean is_default_monitoring: default: false type: boolean is_internal: type: boolean is_preconfigured: type: boolean key: type: string name: type: string partition: enum: - random - round_robin - hash type: string password: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - not: {} - anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} proxy_id: nullable: true type: string random: additionalProperties: true type: object properties: group_events: type: number required_acks: enum: - 1 - 0 - -1 type: integer round_robin: additionalProperties: true type: object properties: group_events: type: number sasl: additionalProperties: true nullable: true type: object properties: mechanism: enum: - PLAIN - SCRAM-SHA-256 - SCRAM-SHA-512 type: string secrets: additionalProperties: true type: object properties: password: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string ssl: additionalProperties: true type: object properties: key: anyOf: - additionalProperties: true type: object properties: id: type: string required: - id - type: string required: - key shipper: additionalProperties: true nullable: true type: object properties: compression_level: nullable: true type: number disk_queue_compression_enabled: nullable: true type: boolean disk_queue_enabled: default: false nullable: true type: boolean disk_queue_encryption_enabled: nullable: true type: boolean disk_queue_max_size: nullable: true type: number disk_queue_path: nullable: true type: string loadbalance: nullable: true type: boolean max_batch_bytes: nullable: true type: number mem_queue_events: nullable: true type: number queue_flush_timeout: nullable: true type: number required: - disk_queue_path - disk_queue_max_size - disk_queue_encryption_enabled - disk_queue_compression_enabled - compression_level - loadbalance - mem_queue_events - queue_flush_timeout - max_batch_bytes ssl: additionalProperties: true nullable: true type: object properties: certificate: type: string certificate_authorities: items: type: string type: array key: type: string verification_mode: enum: - full - none - certificate - strict type: string timeout: type: number topic: type: string type: enum: - kafka type: string username: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - type: string - not: {} version: type: string required: - name - type - hosts - compression_level - auth_type - connection_type - username - password required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Update output tags: - Fleet outputs /api/fleet/outputs/{outputId}/health: get: description: '[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-outputs-outputid-health parameters: - in: path name: outputId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: message: description: long message if unhealthy type: string state: description: state of output, HEALTHY or DEGRADED type: string timestamp: description: timestamp of reported state type: string required: - state - message - timestamp '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get the latest output health tags: - Fleet outputs /api/fleet/package_policies: get: operationId: get-fleet-package-policies parameters: - in: query name: page required: false schema: type: number - in: query name: perPage required: false schema: type: number - in: query name: sortField required: false schema: type: string - in: query name: sortOrder required: false schema: enum: - desc - asc type: string - in: query name: showUpgradeable required: false schema: type: boolean - in: query name: kuery required: false schema: type: string - in: query name: format required: false schema: enum: - simplified - legacy type: string - in: query name: withAgentCount required: false schema: type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get package policies tags: - Fleet package policies post: operationId: post-fleet-package-policies parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array description: description: Package policy description type: string enabled: type: boolean force: description: Force package policy creation even if package is not verified, or if the agent policy is managed. type: boolean id: description: Package policy unique identifier type: string inputs: items: additionalProperties: false type: object properties: config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled type: array is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - name - inputs - additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array description: type: string force: type: boolean id: type: string inputs: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object name: type: string namespace: type: string output_id: nullable: true type: string package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: nullable: true type: string policy_ids: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object required: - name - package description: You should use inputs as an object and not use the deprecated inputs array. responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '409': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Create a package policy tags: - Fleet package policies /api/fleet/package_policies/_bulk_get: post: operationId: post-fleet-package-policies-bulk-get parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: ids: description: list of package policy ids items: type: string type: array ignoreMissing: type: boolean required: - ids responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by type: array required: - items '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '404': content: application/json: schema: additionalProperties: false type: object properties: message: type: string required: - message summary: Bulk get package policies tags: - Fleet package policies /api/fleet/package_policies/{packagePolicyId}: delete: description: 'Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.' operationId: delete-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: packagePolicyId required: true schema: type: string - in: query name: force required: false schema: type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: id: type: string required: - id '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete a package policy tags: - Fleet package policies get: description: Get a package policy by ID. operationId: get-fleet-package-policies-packagepolicyid parameters: - in: path name: packagePolicyId required: true schema: type: string - in: query name: format required: false schema: enum: - simplified - legacy type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '404': content: application/json: schema: additionalProperties: false type: object properties: message: type: string required: - message summary: Get a package policy tags: - Fleet package policies put: description: Update a package policy by ID. operationId: put-fleet-package-policies-packagepolicyid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: packagePolicyId required: true schema: type: string - in: query name: format required: false schema: enum: - simplified - legacy type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array description: description: Package policy description type: string enabled: type: boolean force: type: boolean inputs: items: additionalProperties: false type: object properties: config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled type: array is_managed: type: boolean name: type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object version: type: string - additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array description: type: string force: type: boolean id: type: string inputs: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object name: type: string namespace: type: string output_id: nullable: true type: string package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: nullable: true type: string policy_ids: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object required: - name - package responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - id - revision - updated_at - updated_by - created_at - created_by required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '403': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Update a package policy tags: - Fleet package policies /api/fleet/package_policies/delete: post: description: '[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.' operationId: post-fleet-package-policies-delete parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: force: type: boolean packagePolicyIds: items: type: string type: array required: - packagePolicyIds responses: '200': content: application/json: schema: items: additionalProperties: false type: object properties: body: additionalProperties: false type: object properties: message: type: string required: - message id: type: string name: type: string output_id: nullable: true type: string package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Use `policy_ids` instead nullable: true type: string policy_ids: items: type: string type: array statusCode: type: number success: type: boolean required: - id - success - policy_ids - package type: array '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Bulk delete package policies tags: - Fleet package policies /api/fleet/package_policies/upgrade: post: description: 'Upgrade a package policy to a newer package version.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.' operationId: post-fleet-package-policies-upgrade parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: packagePolicyIds: items: type: string type: array required: - packagePolicyIds responses: '200': content: application/json: schema: items: additionalProperties: false type: object properties: body: additionalProperties: false type: object properties: message: type: string required: - message id: type: string name: type: string statusCode: type: number success: type: boolean required: - id - success type: array '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Upgrade a package policy tags: - Fleet package policies /api/fleet/package_policies/upgrade/dryrun: post: description: '[Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.' operationId: post-fleet-package-policies-upgrade-dryrun parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: packagePolicyIds: items: type: string type: array packageVersion: type: string required: - packagePolicyIds responses: '200': content: application/json: schema: items: additionalProperties: false type: object properties: agent_diff: items: items: additionalProperties: true type: object properties: data_stream: additionalProperties: true type: object properties: namespace: type: string required: - namespace id: type: string meta: additionalProperties: true type: object properties: package: additionalProperties: true type: object properties: name: type: string version: type: string required: - name - version required: - package name: type: string package_policy_id: type: string processors: items: additionalProperties: true type: object properties: add_fields: additionalProperties: true type: object properties: fields: additionalProperties: anyOf: - type: string - type: number type: object target: type: string required: - target - fields required: - add_fields type: array revision: type: number streams: items: additionalProperties: true type: object properties: data_stream: additionalProperties: true type: object properties: dataset: type: string type: type: string required: - dataset id: type: string required: - data_stream type: array type: type: string use_output: type: string required: - id - name - revision - type - data_stream - use_output - package_policy_id type: array type: array body: additionalProperties: false type: object properties: message: type: string required: - message diff: items: anyOf: - additionalProperties: false type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array agents: type: number created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean id: type: string inputs: anyOf: - items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array - additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that input, (default to true) type: boolean streams: additionalProperties: additionalProperties: false type: object properties: enabled: description: enable or disable that stream, (default to true) type: boolean vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Input streams (see integration documentation to know what streams are available) type: object vars: additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object description: Package policy inputs (see integration documentation to know what inputs are available) type: object x-oas-optional: true is_managed: type: boolean name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array spaceIds: items: type: string type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: anyOf: - additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object - additionalProperties: anyOf: - type: boolean - type: string - type: number - items: type: string type: array - items: type: number type: array - additionalProperties: false type: object properties: id: type: string isSecretRef: type: boolean required: - id - isSecretRef nullable: true description: Input/stream level variable (see integration documentation for more information) type: object x-oas-optional: true version: type: string required: - name - enabled - inputs - revision - updated_at - updated_by - created_at - created_by - additionalProperties: true type: object properties: additional_datastreams_permissions: description: Additional datastream permissions, that will be added to the agent policy. items: type: string nullable: true type: array created_at: type: string created_by: type: string description: description: Package policy description type: string elasticsearch: additionalProperties: true type: object properties: privileges: additionalProperties: true type: object properties: cluster: items: type: string type: array enabled: type: boolean errors: items: additionalProperties: false type: object properties: key: type: string message: type: string required: - message type: array force: type: boolean id: type: string inputs: items: additionalProperties: false type: object properties: compiled_input: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object enabled: type: boolean id: type: string keep_enabled: type: boolean policy_template: type: string streams: items: additionalProperties: false type: object properties: compiled_stream: {} config: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object data_stream: additionalProperties: false type: object properties: dataset: type: string elasticsearch: additionalProperties: false type: object properties: dynamic_dataset: type: boolean dynamic_namespace: type: boolean privileges: additionalProperties: false type: object properties: indices: items: type: string type: array type: type: string required: - dataset - type enabled: type: boolean id: type: string keep_enabled: type: boolean release: enum: - ga - beta - experimental type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - enabled - data_stream - compiled_stream type: array type: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object required: - type - enabled - streams - compiled_input type: array is_managed: type: boolean missingVars: items: type: string type: array name: description: Package policy name (should be unique) type: string namespace: description: The package policy namespace. Leave blank to inherit the agent policy's namespace. type: string output_id: nullable: true type: string overrides: additionalProperties: false description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure. nullable: true type: object properties: inputs: additionalProperties: {} type: object package: additionalProperties: false type: object properties: experimental_data_stream_features: items: additionalProperties: false type: object properties: data_stream: type: string features: additionalProperties: false type: object properties: doc_value_only_numeric: type: boolean doc_value_only_other: type: boolean synthetic_source: type: boolean tsdb: type: boolean required: - data_stream - features type: array name: description: Package name type: string requires_root: type: boolean title: type: string version: description: Package version type: string required: - name - version policy_id: deprecated: true description: Agent policy ID where that package policy will be added nullable: true type: string policy_ids: items: description: Agent policy IDs where that package policy will be added type: string type: array revision: type: number secret_references: items: additionalProperties: false type: object properties: id: type: string required: - id type: array supports_agentless: default: false description: Indicates whether the package policy belongs to an agentless agent policy. nullable: true type: boolean updated_at: type: string updated_by: type: string vars: additionalProperties: additionalProperties: false type: object properties: frozen: type: boolean type: type: string value: {} required: - value description: Package variable (see integration documentation for more information) type: object version: type: string required: - name - enabled - inputs type: array hasErrors: type: boolean name: type: string statusCode: type: number required: - hasErrors type: array '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Dry run a package policy upgrade tags: - Fleet package policies /api/fleet/proxies: get: description: '[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-proxies parameters: [] responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string id: type: string is_preconfigured: default: false type: boolean name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - id - url - name type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get proxies tags: - Fleet proxies post: description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: post-fleet-proxies parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string id: type: string is_preconfigured: default: false type: boolean name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - url - name responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string id: type: string is_preconfigured: default: false type: boolean name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - id - url - name required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Create a proxy tags: - Fleet proxies /api/fleet/proxies/{itemId}: delete: description: 'Delete a proxy by ID

[Required authorization] Route required privileges: fleet-settings-all.' operationId: delete-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: itemId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: id: type: string required: - id '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Delete a proxy tags: - Fleet proxies get: description: 'Get a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-proxies-itemid parameters: - in: path name: itemId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string id: type: string is_preconfigured: default: false type: boolean name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - id - url - name required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get a proxy tags: - Fleet proxies put: description: 'Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-proxies-itemid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: itemId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - proxy_headers - certificate_authorities - certificate - certificate_key responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: certificate: nullable: true type: string certificate_authorities: nullable: true type: string certificate_key: nullable: true type: string id: type: string is_preconfigured: default: false type: boolean name: type: string proxy_headers: additionalProperties: anyOf: - type: string - type: boolean - type: number nullable: true type: object url: type: string required: - id - url - name required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Update a proxy tags: - Fleet proxies /api/fleet/remote_synced_integrations/{outputId}/remote_status: get: description: '[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.' operationId: get-fleet-remote-synced-integrations-outputid-remote-status parameters: - in: path name: outputId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: custom_assets: additionalProperties: additionalProperties: false type: object properties: error: type: string is_deleted: type: boolean name: type: string package_name: type: string package_version: type: string sync_status: enum: - completed - synchronizing - failed - warning type: string type: type: string required: - type - name - package_name - package_version - sync_status type: object error: type: string integrations: items: additionalProperties: false type: object properties: error: type: string id: type: string install_status: additionalProperties: false type: object properties: main: type: string remote: type: string required: - main package_name: type: string package_version: type: string sync_status: enum: - completed - synchronizing - failed - warning type: string updated_at: type: string warning: additionalProperties: false type: object properties: message: type: string title: type: string required: - title required: - sync_status - install_status type: array warning: additionalProperties: false type: object properties: message: type: string title: type: string required: - title required: - integrations '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get CCR Remote synced integrations status by outputId tags: - CCR Remote synced integrations /api/fleet/remote_synced_integrations/status: get: description: '[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.' operationId: get-fleet-remote-synced-integrations-status parameters: [] responses: '200': content: application/json: schema: additionalProperties: false type: object properties: custom_assets: additionalProperties: additionalProperties: false type: object properties: error: type: string is_deleted: type: boolean name: type: string package_name: type: string package_version: type: string sync_status: enum: - completed - synchronizing - failed - warning type: string type: type: string required: - type - name - package_name - package_version - sync_status type: object error: type: string integrations: items: additionalProperties: false type: object properties: error: type: string id: type: string install_status: additionalProperties: false type: object properties: main: type: string remote: type: string required: - main package_name: type: string package_version: type: string sync_status: enum: - completed - synchronizing - failed - warning type: string updated_at: type: string warning: additionalProperties: false type: object properties: message: type: string title: type: string required: - title required: - sync_status - install_status type: array warning: additionalProperties: false type: object properties: message: type: string title: type: string required: - title required: - integrations '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get CCR Remote synced integrations status tags: - CCR Remote synced integrations /api/fleet/service_tokens: post: description: '[Required authorization] Route required privileges: fleet-agents-all.' operationId: post-fleet-service-tokens parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false nullable: true type: object properties: remote: default: false type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: name: type: string value: type: string required: - name - value '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Create a service token tags: - Fleet service tokens /api/fleet/settings: get: description: '[Required authorization] Route required privileges: fleet-settings-read.' operationId: get-fleet-settings parameters: [] responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: delete_unenrolled_agents: additionalProperties: false type: object properties: enabled: type: boolean is_preconfigured: type: boolean required: - enabled - is_preconfigured has_seen_add_data_notice: type: boolean id: type: string output_secret_storage_requirements_met: type: boolean preconfigured_fields: items: enum: - fleet_server_hosts type: string type: array prerelease_integrations_enabled: type: boolean secret_storage_requirements_met: type: boolean use_space_awareness_migration_started_at: nullable: true type: string use_space_awareness_migration_status: enum: - pending - success - error type: string version: type: string required: - id required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '404': content: application/json: schema: additionalProperties: false type: object properties: message: type: string required: - message summary: Get settings tags: - Fleet internals put: description: '[Required authorization] Route required privileges: fleet-settings-all.' operationId: put-fleet-settings parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: additional_yaml_config: type: string delete_unenrolled_agents: additionalProperties: false type: object properties: enabled: type: boolean is_preconfigured: type: boolean required: - enabled - is_preconfigured has_seen_add_data_notice: type: boolean kibana_ca_sha256: type: string kibana_urls: items: format: uri type: string type: array prerelease_integrations_enabled: type: boolean responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: delete_unenrolled_agents: additionalProperties: false type: object properties: enabled: type: boolean is_preconfigured: type: boolean required: - enabled - is_preconfigured has_seen_add_data_notice: type: boolean id: type: string output_secret_storage_requirements_met: type: boolean preconfigured_fields: items: enum: - fleet_server_hosts type: string type: array prerelease_integrations_enabled: type: boolean secret_storage_requirements_met: type: boolean use_space_awareness_migration_started_at: nullable: true type: string use_space_awareness_migration_status: enum: - pending - success - error type: string version: type: string required: - id required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '404': content: application/json: schema: additionalProperties: false type: object properties: message: type: string required: - message summary: Update settings tags: - Fleet internals /api/fleet/setup: post: description: '[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.' operationId: post-fleet-setup parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string responses: '200': content: application/json: schema: additionalProperties: false description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup. type: object properties: isInitialized: type: boolean nonFatalErrors: items: additionalProperties: false type: object properties: message: type: string name: type: string required: - name - message type: array required: - isInitialized - nonFatalErrors '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes '500': content: application/json: schema: additionalProperties: false description: Internal Server Error type: object properties: message: type: string required: - message summary: Initiate Fleet setup tags: - Fleet internals /api/fleet/uninstall_tokens: get: description: 'List the metadata for the latest uninstall tokens per agent policy.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: get-fleet-uninstall-tokens parameters: - description: Partial match filtering for policy IDs in: query name: policyId required: false schema: maxLength: 50 type: string - in: query name: search required: false schema: maxLength: 50 type: string - description: The number of items to return in: query name: perPage required: false schema: minimum: 5 type: number - in: query name: page required: false schema: minimum: 1 type: number responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: false type: object properties: created_at: type: string id: type: string namespaces: items: type: string type: array policy_id: type: string policy_name: nullable: true type: string required: - id - policy_id - created_at type: array page: type: number perPage: type: number total: type: number required: - items - total - page - perPage '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get metadata for latest uninstall tokens tags: - Fleet uninstall tokens /api/fleet/uninstall_tokens/{uninstallTokenId}: get: description: 'Get one decrypted uninstall token by its ID.

[Required authorization] Route required privileges: fleet-agents-all.' operationId: get-fleet-uninstall-tokens-uninstalltokenid parameters: - in: path name: uninstallTokenId required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: false type: object properties: created_at: type: string id: type: string namespaces: items: type: string type: array policy_id: type: string policy_name: nullable: true type: string token: type: string required: - id - policy_id - created_at - token required: - item '400': content: application/json: schema: additionalProperties: false description: Generic Error type: object properties: attributes: {} error: type: string errorType: type: string message: type: string statusCode: type: number required: - message - attributes summary: Get a decrypted uninstall token tags: - Fleet uninstall tokens /api/lists: delete: description: | Delete a value list using the list ID. > info > When you delete a list, all of its list items are also deleted. operationId: DeleteList parameters: - in: query name: id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: Determines whether exception items referencing this value list should be deleted. in: query name: deleteReferences required: false schema: default: false example: false type: boolean - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. in: query name: ignoreReferences required: false schema: default: false example: false type: boolean responses: '200': content: application/json: examples: ipList: value: _version: WzIsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: List of bad internet ips. id: 21b01cfb-058d-44b9-838c-282be16c91cd immutable: false name: Bad ips tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:39:39.292Z' updated_by: elastic version: 3 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: id: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"ip_list\" was not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Delete a value list tags: - Security Lists API get: description: Get the details of a value list using the list ID. operationId: ReadList parameters: - in: query name: id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: application/json: examples: ip: value: _version: WzEsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ip id: ip_list immutable: false name: My bad ips tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:21:53.843Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: id: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value list details tags: - Security Lists API patch: description: Update specific fields of an existing list using the list `id`. operationId: PatchList requestBody: content: application/json: schema: example: id: ip_list name: Bad ips list - UPDATED type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' version: $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - id description: Value list's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzEsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ips id: ip_list immutable: false name: Bad ips list - UPDATED tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:21:53.843Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: name: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Patch a value list tags: - Security Lists API post: description: Create a new value list. operationId: CreateList requestBody: content: application/json: examples: ip: value: description: This list describes bad internet ips id: ip_list name: Simple list with ips type: ip ip_range: value: description: This list has ip ranges id: ip_range_list name: Simple list with ip ranges type: ip_range keyword: value: description: This list describes bad host names id: keyword_list name: Simple list with a keyword type: keyword keyword_custom_format: value: description: This parses the first found ipv4 only deserializer: '{{value}}' id: keyword_custom_format_list name: Simple list with a keyword using a custom format serializer: (?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)) type: keyword schema: type: object properties: description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' deserializer: $ref: '#/components/schemas/Security_Lists_API_ListDeserializer' id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' serializer: $ref: '#/components/schemas/Security_Lists_API_ListSerializer' type: $ref: '#/components/schemas/Security_Lists_API_ListType' version: default: 1 minimum: 1 type: integer required: - name - description - type description: Value list's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzAsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ips id: ip_list immutable: false name: Simple list with ips tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T04:47:34.273Z' updated_by: elastic version: 1 ip_range: value: _version: WzAsMV0= '@timestamp': '2025-01-09T18:23:52.241Z' created_at: '2025-01-09T18:23:52.241Z' created_by: elastic description: This list has ip ranges id: ip_range_list immutable: false name: Simple list with ip ranges tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 type: ip_range updated_at: '2025-01-09T18:23:52.241Z' updated_by: elastic version: 1 keyword: value: _version: WzEsMV0= '@timestamp': '2025-01-09T18:24:55.786Z' created_at: '2025-01-09T18:24:55.786Z' created_by: elastic description: This list describes bad host names id: keyword_list immutable: false name: Simple list with a keyword tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 type: keyword updated_at: '2025-01-09T18:24:55.786Z' updated_by: elastic version: 1 keyword_custom_format: value: _version: WzIsMV0= '@timestamp': '2025-01-09T18:25:39.604Z' created_at: '2025-01-09T18:25:39.604Z' created_by: elastic description: This parses the first found ipv4 only deserializer: '{{value}}' id: keyword_custom_format_list immutable: false name: Simple list with a keyword using a custom format serializer: (?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)) tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 type: keyword updated_at: '2025-01-09T18:25:39.604Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: notFound: value: message: To create a list, the data stream must exist first. Data stream \".lists-default\" does not exist status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'list id: "keyword_custom_format_list" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Create a value list tags: - Security Lists API put: description: | Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. > info > You cannot modify the `id` value. operationId: UpdateList requestBody: content: application/json: schema: example: description: Latest list of bad ips id: ip_list name: Bad ips - updated type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' version: $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - id - name - description description: Value list's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzIsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: Latest list of bad ips id: ip_list immutable: false name: Bad ips - updated tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:39:39.292Z' updated_by: elastic version: 3 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Update a value list tags: - Security Lists API /api/lists/_find: get: description: Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. operationId: FindLists parameters: - description: The page number to return. in: query name: page required: false schema: example: 1 type: integer - description: The number of value lists to return per page. in: query name: per_page required: false schema: example: 20 type: integer - description: Determines which field is used to sort the results. in: query name: sort_field required: false schema: example: name format: nonempty minLength: 1 type: string - description: Determines the sort order, which can be `desc` or `asc` in: query name: sort_order required: false schema: enum: - desc - asc example: asc type: string - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. in: query name: cursor required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - description: | Filters the returned results according to the value of the specified field, using the : syntax. in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' responses: '200': content: application/json: examples: ipList: value: cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d data: - _version: WzAsMV0= '@timestamp': | 2025-01-08T04:47:34.273Z created_at: | 2025-01-08T04:47:34.273Z created_by: elastic description: This list describes bad internet ip id: ip_list immutable: false name: Simple list with an ip tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: | 2025-01-08T04:47:34.273Z updated_by: elastic version: 1 page: 1 per_page: 20 total: 1 schema: type: object properties: cursor: $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' data: items: $ref: '#/components/schemas/Security_Lists_API_List' type: array page: minimum: 0 type: integer per_page: minimum: 0 type: integer total: minimum: 0 type: integer required: - data - page - per_page - total - cursor description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: page: Expected number, received nan' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value lists tags: - Security Lists API /api/lists/index: delete: description: Delete the `.lists` and `.items` data streams. operationId: DeleteListIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Delete value list data streams tags: - Security Lists API get: description: Verify that `.lists` and `.items` data streams exist. operationId: ReadListIndex responses: '200': content: application/json: schema: type: object properties: list_index: type: boolean list_item_index: type: boolean required: - list_index - list_item_index description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream(s) not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get status of value list data streams tags: - Security Lists API post: description: Create `.lists` and `.items` data streams in the relevant space. operationId: CreateListIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: | [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'data stream: \".lists-default\" and \".items-default\" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Create list data streams tags: - Security Lists API /api/lists/items: delete: description: Delete a value list item using its `id`, or its `list_id` and `value` fields. operationId: DeleteListItem parameters: - description: Value list item's identifier. Required if `list_id` and `value` are not specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListItemId' - description: Value list's identifier. Required if `id` is not specified. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query name: value required: false schema: example: 255.255.255.255 type: string - description: Determines when changes made by the request are made visible to search. in: query name: refresh required: false schema: default: 'false' enum: - 'true' - 'false' - wait_for example: false type: string responses: '200': content: application/json: examples: ip: value: _version: WzIwLDFd '@timestamp': '2025-01-08T05:15:05.159Z' created_at: '2025-01-08T05:15:05.159Z' created_by: elastic id: pd1WRJQBs4HAK3VQeHFI list_id: ip_list tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 type: ip updated_at: '2025-01-08T05:44:14.009Z' updated_by: elastic value: 255.255.255.255 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - items: $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array description: Successful response '400': content: application/json: examples: badRequest: value: message: Either \"list_id\" or \"id\" needs to be defined in the request status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Delete a value list item tags: - Security Lists API get: description: Get the details of a value list item. operationId: ReadListItem parameters: - description: Value list item identifier. Required if `list_id` and `value` are not specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: Value list item list's `id` identfier. Required if `id` is not specified. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query name: value required: false schema: example: 127.0.0.2 type: string responses: '200': content: application/json: examples: ip: value: _version: WzExLDFd '@timestamp': '2025-01-08T05:16:25.882Z' created_at: '2025-01-08T05:16:25.882Z' created_by: elastic id: qN1XRJQBs4HAK3VQs3Gc list_id: ip_list tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 type: ip updated_at: '2025-01-08T05:16:25.882Z' updated_by: elastic value: 127.0.0.2 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - items: $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array description: Successful response '400': content: application/json: examples: badRequest: value: message: Either \"list_id\" or \"id\" needs to be defined in the request status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get a value list item tags: - Security Lists API patch: description: Update specific fields of an existing value list item using the item `id`. operationId: PatchListItem requestBody: content: application/json: schema: example: id: pd1WRJQBs4HAK3VQeHFI value: 255.255.255.255 type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' refresh: description: Determines when changes made by the request are made visible to search. enum: - 'true' - 'false' - wait_for type: string value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id description: Value list item's properties required: true responses: '200': content: application/json: examples: ipItem: value: _version: WzE5LDFd '@timestamp': '2025-01-08T05:15:05.159Z' created_at: '2025-01-08T05:15:05.159Z' created_by: elastic id: pd1WRJQBs4HAK3VQeHFI list_id: ip_list tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 type: ip updated_at: '2025-01-08T05:23:37.602Z' updated_by: elastic value: 255.255.255.255 schema: $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: badRequest: value: message: '{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Patch a value list item tags: - Security Lists API post: description: | Create a value list item and associate it with the specified value list. All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. > info > Before creating a list item, you must create a list. operationId: CreateListItem requestBody: content: application/json: examples: ip: value: list_id: ip_list value: 127.0.0.1 ip_range: value: list_id: ip_range_list value: 192.168.0.0/16 keyword: value: list_id: keyword_list value: zeek schema: type: object properties: id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' list_id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' refresh: description: Determines when changes made by the request are made visible to search. enum: - 'true' - 'false' - wait_for example: wait_for type: string value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - list_id - value description: Value list item's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzAsMV0= '@timestamp': '2025-01-08T04:59:06.154Z' created_at: '2025-01-08T04:59:06.154Z' created_by: elastic id: 21b01cfb-058d-44b9-838c-282be16c91cc list_id: ip_list tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a type: ip updated_at: '2025-01-08T04:59:06.154Z' updated_by: elastic value: 127.0.0.1 ip_range: value: _version: WzEsMV0= '@timestamp': '2025-01-09T18:33:08.202Z' created_at: '2025-01-09T18:33:08.202Z' created_by: elastic id: ip_range_item list_id: ip_range_list tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 type: ip_range updated_at: '2025-01-09T18:33:08.202Z' updated_by: elastic value: 192.168.0.0/16 keyword: value: _version: WzIsMV0= '@timestamp': '2025-01-09T18:34:29.422Z' created_at: '2025-01-09T18:34:29.422Z' created_by: elastic id: 7f24737d-1da8-4626-a568-33070591bb4e list_id: keyword_list tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 type: keyword updated_at: '2025-01-09T18:34:29.422Z' updated_by: elastic value: zeek schema: $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: listNotFound: value: message: 'list id: \"ip_list\" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'list item id: \"ip_item\" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Create a value list item tags: - Security Lists API put: description: | Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. > info > You cannot modify the `id` value. operationId: UpdateListItem requestBody: content: application/json: example: id: ip_item value: 255.255.255.255 schema: type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id - value description: Value list item's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzIwLDFd '@timestamp': '2025-01-08T05:15:05.159Z' created_at: '2025-01-08T05:15:05.159Z' created_by: elastic id: pd1WRJQBs4HAK3VQeHFI list_id: ip_list tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 type: ip updated_at: '2025-01-08T05:44:14.009Z' updated_by: elastic value: 255.255.255.255 schema: $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Update a value list item tags: - Security Lists API /api/lists/items/_export: post: description: Export list item values from the specified value list. operationId: ExportListItems parameters: - description: Value list's `id` to export. in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: application/ndjson: schema: description: A `.txt` file containing list items from the specified list example: | 127.0.0.1 127.0.0.2 127.0.0.3 127.0.0.4 127.0.0.5 127.0.0.6 127.0.0.7 127.0.0.8 127.0.0.9 format: binary type: string description: Successful response '400': content: application/json: examples: badRequest: value: error: 'Bad Request","message":"[request query]: list_id: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Export value list items tags: - Security Lists API /api/lists/items/_find: get: description: Get all value list items in the specified list. operationId: FindListItems parameters: - in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: The page number to return. in: query name: page required: false schema: example: 1 type: integer - description: The number of list items to return per page. in: query name: per_page required: false schema: example: 20 type: integer - description: Determines which field is used to sort the results. in: query name: sort_field required: false schema: example: value format: nonempty minLength: 1 type: string - description: Determines the sort order, which can be `desc` or `asc` in: query name: sort_order required: false schema: enum: - desc - asc example: asc type: string - in: query name: cursor required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - description: | Filters the returned results according to the value of the specified field, using the : syntax. in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' responses: '200': content: application/json: examples: ip: value: cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d data: - _version: WzAsMV0= '@timestamp': '2025-01-08T04:59:06.154Z' created_at: '2025-01-08T04:59:06.154Z' created_by: elastic id: 21b01cfb-058d-44b9-838c-282be16c91cc list_id: ip_list tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a type: ip updated_at: '2025-01-08T04:59:06.154Z' updated_by: elastic value: 127.0.0.1 page: 1 per_page: 20 total: 1 schema: type: object properties: cursor: $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' data: items: $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array page: minimum: 0 type: integer per_page: minimum: 0 type: integer total: minimum: 0 type: integer required: - data - page - per_page - total - cursor description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request, message: '[request query]: list_id: Required' statusCode: 400, schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value list items tags: - Security Lists API /api/lists/items/_import: post: description: | Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. You can import items to a new or existing list. operationId: ImportListItems parameters: - description: | List's id. Required when importing to an existing list. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: | Type of the importing list. Required when importing a new list whose list `id` is not specified. examples: ip: value: ip in: query name: type required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListType' - description: | Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups: - `(?.+)` - Single value item types, such as ip, long, date, keyword, and text. - `(?.+)-(?.+)|(?.+)` - Range value item types, such as `date_range`, `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`. in: query name: serializer required: false schema: example: (?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)) type: string - description: | Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions: - `{{{value}}}` - Single value item types, such as `ip`, `long`, `date`, `keyword`, and `text`. - `{{{gte}}}-{{{lte}}}` - Range value item types, such as `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`. - `{{{gte}}},{{{lte}}}` - Date range values. in: query name: deserializer required: false schema: example: '{{value}}' type: string - description: Determines when changes made by the request are made visible to search. in: query name: refresh required: false schema: enum: - 'true' - 'false' - wait_for example: true type: string requestBody: content: multipart/form-data: schema: type: object properties: file: description: A `.txt` or `.csv` file containing newline separated list items. example: | 127.0.0.1 127.0.0.2 127.0.0.3 127.0.0.4 127.0.0.5 127.0.0.6 127.0.0.7 127.0.0.8 127.0.0.9 format: binary type: string required: true responses: '200': content: application/json: examples: ip: value: _version: WzAsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ip id: ip_list immutable: false name: Simple list with an ip tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T04:47:34.273Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: message: Either type or list_id need to be defined in the query status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List with specified list_id does not exist response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Import value list items tags: - Security Lists API /api/lists/privileges: get: operationId: ReadListPrivileges responses: '200': content: application/json: examples: privileges: value: is_authenticated: true listItems: application: {} cluster: all: true manage: true manage_api_key: true manage_index_templates: true manage_ml: true manage_own_api_key: true manage_pipeline: true manage_security: true manage_transform: true monitor: true monitor_ml: true monitor_transform: true has_all_requested: true index: .items-default: all: true create: true create_doc: true create_index: true delete: true delete_index: true index: true maintenance: true manage: true monitor: true read: true view_index_metadata: true write: true username: elastic lists: application: {} cluster: all: true manage: true manage_api_key: true manage_index_templates: true manage_ml: true manage_own_api_key: true manage_pipeline: true manage_security: true manage_transform: true monitor: true monitor_ml: true monitor_transform: true has_all_requested: true index: .lists-default: all: true create: true create_doc: true create_index: true delete: true delete_index: true index: true maintenance: true manage: true monitor: true read: true view_index_metadata: true write: true username: elastic schema: type: object properties: is_authenticated: type: boolean listItems: $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' lists: $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' required: - lists - listItems - is_authenticated description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value list privileges tags: - Security Lists API /api/logstash/pipeline/{id}: delete: description: | Delete a centrally-managed Logstash pipeline. If your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. externalDocs: description: Secure your connection url: https://www.elastic.co/docs/reference/logstash/secure-connection operationId: delete-logstash-pipeline parameters: - description: An identifier for the pipeline. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call summary: Delete a Logstash pipeline tags: - logstash x-state: Technical Preview get: description: | Get information for a centrally-managed Logstash pipeline. To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. externalDocs: description: Secure your connection url: https://www.elastic.co/docs/reference/logstash/secure-connection operationId: get-logstash-pipeline parameters: - description: An identifier for the pipeline. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getLogstashPipelineResponseExample1: value: |- { "id": "hello-world", "description": "Just a simple pipeline", "username": "elastic", "pipeline": "input { stdin {} } output { stdout {} }", "settings": { "queue.type": "persistent" } } schema: type: object description: Indicates a successful call summary: Get a Logstash pipeline tags: - logstash x-state: Technical Preview put: description: | Create a centrally-managed Logstash pipeline or update a pipeline. To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. externalDocs: description: Secure your connection url: https://www.elastic.co/docs/reference/logstash/secure-connection operationId: put-logstash-pipeline parameters: - description: | An identifier for the pipeline. Only alphanumeric characters, hyphens, and underscores are supported. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putLogstashPipelineRequestExample1: value: |- { "pipeline": "input { stdin {} } output { stdout {} }", "settings": { "queue.type": "persisted" } } schema: type: object properties: description: description: A description of the pipeline. type: string pipeline: description: A definition for the pipeline. type: string settings: description: | Supported settings, represented as object keys, include the following: - `pipeline.workers` - `pipeline.batch.size` - `pipeline.batch.delay` - `pipeline.ecs_compatibility` - `pipeline.ordered` - `queue.type` - `queue.max_bytes` - `queue.checkpoint.writes` type: object required: - pipeline responses: '204': description: Indicates a successful call summary: Create or update a Logstash pipeline tags: - logstash x-state: Technical Preview /api/logstash/pipelines: get: description: | Get a list of all centrally-managed Logstash pipelines. To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. > info > Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana. The `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated. externalDocs: description: Secure your connection url: https://www.elastic.co/docs/reference/logstash/secure-connection operationId: get-logstash-pipelines responses: '200': content: application/json: examples: getLogstashPipelinesResponseExample1: value: |- { "pipelines": [ { "id": "hello-world", "description": "Just a simple pipeline", "last_modified": "2018-04-14T12:23:29.772Z", "username": "elastic" }, { "id": "sleepy-pipeline", "description": "", "last_modified": "2018-03-24T03:41:30.554Z" } ] } schema: type: object description: Indicates a successful call summary: Get all Logstash pipelines tags: - logstash x-state: Technical Preview /api/maintenance_window: post: description: '[Required authorization] Route required privileges: write-maintenance-window.' operationId: post-maintenance-window parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. minimum: 1 type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: maximum: 12 minimum: 1 type: number minItems: 1 type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: maximum: 31 minimum: 1 type: number minItems: 1 type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string minItems: 1 type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. type: string required: - kql required: - query required: - alerting title: description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. type: string required: - title - schedule responses: '200': content: application/json: schema: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. summary: Create a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.1.0 /api/maintenance_window/{id}: delete: description: '[Required authorization] Route required privileges: write-maintenance-window.' operationId: delete-maintenance-window-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the maintenance window to be deleted. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a maintenance window with the given ID does not exist. summary: Delete a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.1.0 get: description: '[Required authorization] Route required privileges: read-maintenance-window.' operationId: get-maintenance-window-id parameters: - description: The identifier for the maintenance window. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a maintenance window with the given ID does not exist. summary: Get maintenance window details. tags: - maintenance-window x-state: Generally available; added in 9.1.0 patch: description: '[Required authorization] Route required privileges: write-maintenance-window.' operationId: patch-maintenance-window-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. minimum: 1 type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: maximum: 12 minimum: 1 type: number minItems: 1 type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: maximum: 31 minimum: 1 type: number minItems: 1 type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string minItems: 1 type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window. type: string required: - kql required: - query required: - alerting title: description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window. type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a maintenance window with the given ID does not exist. '409': description: Indicates that the maintenance window has already been updated by another user. summary: Update a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.1.0 /api/maintenance_window/{id}/_archive: post: description: '[Required authorization] Route required privileges: write-maintenance-window.' operationId: post-maintenance-window-id-archive parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the maintenance window to be archived. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a maintenance window with the given ID does not exist. summary: Archive a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.1.0 /api/maintenance_window/{id}/_unarchive: post: description: '[Required authorization] Route required privileges: write-maintenance-window.' operationId: post-maintenance-window-id-unarchive parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the maintenance window to be unarchived. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: created_at: description: The date and time when the maintenance window was created. type: string created_by: description: The identifier for the user that created the maintenance window. nullable: true type: string enabled: description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications. type: boolean id: description: The identifier for the maintenance window. type: string schedule: additionalProperties: false type: object properties: custom: additionalProperties: false type: object properties: duration: description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.' type: string recurring: additionalProperties: false type: object properties: end: description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.' type: string every: description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.' type: string occurrences: description: The total number of recurrences of the schedule. type: number onMonth: description: The specific months for a recurring schedule. Valid values are 1-12. items: type: number type: array onMonthDay: description: The specific days of the month for a recurring schedule. Valid values are 1-31. items: type: number type: array onWeekDay: description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule. items: type: string type: array start: description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.' type: string timezone: description: The timezone of the schedule. The default timezone is UTC. type: string required: - start - duration required: - custom scope: additionalProperties: false type: object properties: alerting: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql required: - query required: - alerting status: description: The current status of the maintenance window. enum: - running - upcoming - finished - archived type: string title: description: The name of the maintenance window. type: string updated_at: description: The date and time when the maintenance window was last updated. type: string updated_by: description: The identifier for the user that last updated this maintenance window. nullable: true type: string required: - id - title - enabled - created_by - updated_by - created_at - updated_at - status - schedule description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a maintenance window with the given ID does not exist. summary: Unarchive a maintenance window. tags: - maintenance-window x-state: Generally available; added in 9.1.0 /api/ml/saved_objects/sync: get: description: | Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. operationId: mlSync parameters: - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' responses: '200': content: application/json: examples: syncExample: $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' schema: $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' description: Indicates a successful call '401': content: application/json: schema: $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' description: Authorization information is missing or invalid. summary: Sync saved objects in the default space tags: - ml /api/note: delete: description: Delete a note from a Timeline using the note ID. operationId: DeleteNote requestBody: content: application/json: schema: oneOf: - nullable: true type: object properties: noteId: type: string required: - noteId - nullable: true type: object properties: noteIds: items: type: string nullable: true type: array required: - noteIds description: The ID of the note to delete. required: true responses: '200': description: Indicates the note was successfully deleted. summary: Delete a note tags: - Security Timeline API get: description: Get all notes for a given document. operationId: GetNotes parameters: - in: query name: documentIds schema: $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - in: query name: savedObjectIds schema: $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - in: query name: page schema: nullable: true type: string - in: query name: perPage schema: nullable: true type: string - in: query name: search schema: nullable: true type: string - in: query name: sortField schema: nullable: true type: string - in: query name: sortOrder schema: nullable: true type: string - in: query name: filter schema: nullable: true type: string - in: query name: createdByFilter schema: nullable: true type: string - in: query name: associatedFilter schema: $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' description: Indicates the requested notes were returned. summary: Get notes tags: - Security Timeline API patch: description: Add a note to a Timeline or update an existing note. operationId: PersistNoteRoute requestBody: content: application/json: schema: type: object properties: note: $ref: '#/components/schemas/Security_Timeline_API_BareNote' description: The note to add or update. noteId: description: The `savedObjectId` of the note example: 709f99c6-89b6-4953-9160-35945c8e174e nullable: true type: string version: description: The version of the note example: WzQ2LDFd nullable: true type: string required: - note description: The note to add or update, along with additional metadata. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' description: Indicates the note was successfully created. summary: Add or update a note tags: - Security Timeline API /api/osquery/live_queries: get: description: Get a list of all live queries. operationId: OsqueryFindLiveQueries parameters: - in: query name: kuery required: false schema: $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' description: OK summary: Get live queries tags: - Security Osquery API post: description: Create and run a live query. operationId: OsqueryCreateLiveQuery requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' description: OK summary: Create a live query tags: - Security Osquery API /api/osquery/live_queries/{id}: get: description: Get the details of a live query using the query ID. operationId: OsqueryGetLiveQueryDetails parameters: - in: path name: id required: true schema: description: The ID of the live query result you want to retrieve. example: 3c42c847-eb30-4452-80e0-728584042334 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' description: OK summary: Get live query details tags: - Security Osquery API /api/osquery/live_queries/{id}/results/{actionId}: get: description: Get the results of a live query using the query action ID. operationId: OsqueryGetLiveQueryResults parameters: - in: path name: id required: true schema: description: The ID of the live query result you want to retrieve. example: 3c42c847-eb30-4452-80e0-728584042334 type: string - in: path name: actionId required: true schema: description: The ID of the query action that generated the live query results. example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 type: string - in: query name: kuery required: false schema: $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' description: OK summary: Get live query results tags: - Security Osquery API /api/osquery/packs: get: description: Get a list of all query packs. operationId: OsqueryFindPacks parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' description: OK summary: Get packs tags: - Security Osquery API post: description: Create a query pack. operationId: OsqueryCreatePacks requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' description: OK summary: Create a pack tags: - Security Osquery API /api/osquery/packs/{id}: delete: description: Delete a query pack using the pack ID. operationId: OsqueryDeletePacks parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: schema: example: {} type: object properties: {} description: OK summary: Delete a pack tags: - Security Osquery API get: description: Get the details of a query pack using the pack ID. operationId: OsqueryGetPacksDetails parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' description: OK summary: Get pack details tags: - Security Osquery API put: description: | Update a query pack using the pack ID. > info > You cannot update a prebuilt pack. operationId: OsqueryUpdatePacks parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_PackId' requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' description: OK summary: Update a pack tags: - Security Osquery API /api/osquery/saved_queries: get: description: Get a list of all saved queries. operationId: OsqueryFindSavedQueries parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' description: OK summary: Get saved queries tags: - Security Osquery API post: description: Create and run a saved query. operationId: OsqueryCreateSavedQuery requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' description: OK summary: Create a saved query tags: - Security Osquery API /api/osquery/saved_queries/{id}: delete: description: Delete a saved query using the query ID. operationId: OsqueryDeleteSavedQuery parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' description: OK summary: Delete a saved query tags: - Security Osquery API get: description: Get the details of a saved query using the query ID. operationId: OsqueryGetSavedQueryDetails parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' description: OK summary: Get saved query details tags: - Security Osquery API put: description: | Update a saved query using the query ID. > info > You cannot update a prebuilt saved query. operationId: OsqueryUpdateSavedQuery parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' description: OK summary: Update a saved query tags: - Security Osquery API /api/pinned_event: patch: description: Pin/unpin an event to/from an existing Timeline. operationId: PersistPinnedEventRoute requestBody: content: application/json: schema: type: object properties: eventId: description: The `_id` of the associated event for this pinned event. example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc type: string pinnedEventId: description: The `savedObjectId` of the pinned event you want to unpin. example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 nullable: true type: string timelineId: description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: - eventId - timelineId description: The pinned event to add or unpin, along with additional metadata. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' description: Indicates the event was successfully pinned to or unpinned from the Timeline. summary: Pin/unpin an event tags: - Security Timeline API /api/risk_score/engine/dangerously_delete_data: delete: description: Cleaning up the the Risk Engine by removing the indices, mapping and transforms operationId: CleanUpRiskEngine responses: '200': content: application/json: schema: type: object properties: cleanup_successful: type: boolean description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' description: Task manager is unavailable default: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' description: Unexpected error summary: Cleanup the Risk Engine tags: - Security Entity Analytics API /api/risk_score/engine/saved_object/configure: patch: description: Configuring the Risk Engine Saved Object operationId: ConfigureRiskEngineSavedObject requestBody: content: application/json: schema: type: object properties: exclude_alert_statuses: items: type: string type: array exclude_alert_tags: items: type: string type: array range: type: object properties: end: type: string start: type: string required: true responses: '200': content: application/json: schema: type: object properties: risk_engine_saved_object_configured: type: boolean description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' description: Task manager is unavailable default: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' description: Unexpected error summary: Configure the Risk Engine Saved Object tags: - Security Entity Analytics API /api/risk_score/engine/schedule_now: post: description: Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. operationId: ScheduleRiskEngineNow requestBody: content: application/json: {} responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' description: Task manager is unavailable default: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' description: Unexpected error summary: Run the risk scoring engine tags: - Security Entity Analytics API /api/saved_objects/_bulk_create: post: deprecated: true operationId: bulkCreateSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - description: When true, overwrites the document with the same identifier. in: query name: overwrite schema: type: boolean requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Create saved objects tags: - saved objects /api/saved_objects/_bulk_delete: post: deprecated: true description: | WARNING: When you delete a saved object, it cannot be recovered. operationId: bulkDeleteSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - description: | When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation. in: query name: force schema: type: boolean requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: | Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Delete saved objects tags: - saved objects /api/saved_objects/_bulk_get: post: deprecated: true operationId: bulkGetSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Get saved objects tags: - saved objects /api/saved_objects/_bulk_resolve: post: deprecated: true description: | Retrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID. operationId: bulkResolveSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: | Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Resolve saved objects tags: - saved objects /api/saved_objects/_bulk_update: post: deprecated: true description: Update the attributes for multiple Kibana saved objects. operationId: bulkUpdateSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: | Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Update saved objects tags: - saved objects /api/saved_objects/_export: post: description: |- Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss. Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. operationId: post-saved-objects-export parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: exportSavedObjectsRequest: summary: Export a specific saved object. value: excludeExportDetails: true includeReferencesDeep: false objects: - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 type: map schema: additionalProperties: false type: object properties: excludeExportDetails: default: false description: Do not add export details entry at the end of the stream. type: boolean hasReference: anyOf: - additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id - items: additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id type: array includeReferencesDeep: default: false description: Includes all of the referenced objects in the exported objects. type: boolean objects: description: 'A list of objects to export. NOTE: this optiona cannot be combined with `types` option' items: additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id maxItems: 10000 type: array search: description: Search for documents to export using the Elasticsearch Simple Query String syntax. type: string type: anyOf: - type: string - items: type: string type: array description: The saved object types to include in the export. Use `*` to export all the types. responses: '200': content: application/x-ndjson: examples: exportSavedObjectsResponse: summary: The export objects API response contains a JSON record for each exported object. value: attributes: description: '' layerListJSON: '[{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total Requests by Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web logs count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total Requests and Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web logs count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}]' mapStateJSON: '{"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}}' title: '[Logs] Total Requests and Bytes' uiStateJSON: '{"isDarkMode":false}' coreMigrationVersion: 8.8.0 created_at: '2023-08-23T20:03:32.204Z' id: de71f4f0-1902-11e9-919b-ffe5949a18d2 managed: false references: - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: layer_1_join_0_index_pattern type: index-pattern - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: layer_2_source_index_pattern type: index-pattern - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: layer_3_source_index_pattern type: index-pattern type: map typeMigrationVersion: 8.4.0 updated_at: '2023-08-23T20:03:32.204Z' version: WzEzLDFd schema: {} description: Indicates a successfull call. '400': content: application/json: schema: additionalProperties: false description: Indicates an unsuccessful response. type: object properties: error: type: string message: type: string statusCode: enum: - 400 type: integer required: - error - message - statusCode description: Bad request. summary: Export saved objects tags: - saved objects /api/saved_objects/_find: get: deprecated: true description: Retrieve a paginated set of Kibana saved objects. operationId: findSavedObjects parameters: - description: | An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the `savedObjectType.attributes.title: "myTitle"` format must be used. For root fields, the syntax is `savedObjectType.rootField`. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data. in: query name: aggs schema: type: string - description: The default operator to use for the `simple_query_string`. in: query name: default_search_operator schema: type: string - description: The fields to return in the attributes key of the response. in: query name: fields schema: oneOf: - type: string - type: array - description: | The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: `savedObjectType.attributes.title: "myTitle"`. However, if you use a root attribute of a saved object such as `updated_at`, you will have to define your filter like that: `savedObjectType.updated_at > 2018-12-22`. in: query name: filter schema: type: string - description: Filters to objects that do not have a relationship with the type and identifier combination. in: query name: has_no_reference schema: type: object - description: The operator to use for the `has_no_reference` parameter. Either `OR` or `AND`. Defaults to `OR`. in: query name: has_no_reference_operator schema: type: string - description: Filters to objects that have a relationship with the type and ID combination. in: query name: has_reference schema: type: object - description: The operator to use for the `has_reference` parameter. Either `OR` or `AND`. Defaults to `OR`. in: query name: has_reference_operator schema: type: string - description: The page of objects to return. in: query name: page schema: type: integer - description: The number of objects to return per page. in: query name: per_page schema: type: integer - description: An Elasticsearch `simple_query_string` query that filters the objects in the response. in: query name: search schema: type: string - description: The fields to perform the `simple_query_string` parsed query against. in: query name: search_fields schema: oneOf: - type: string - type: array - description: | Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed. in: query name: sort_field schema: type: string - description: The saved object types to include. in: query name: type required: true schema: oneOf: - type: string - type: array responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Search for saved objects tags: - saved objects /api/saved_objects/_import: post: description: |- Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss. Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. operationId: post-saved-objects-import parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.' in: query name: overwrite required: false schema: default: false type: boolean - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.' in: query name: createNewCopies required: false schema: default: false type: boolean - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.' in: query name: compatibilityMode required: false schema: default: false type: boolean requestBody: content: multipart/form-data: examples: importObjectsRequest: value: file: file.ndjson schema: additionalProperties: false type: object properties: file: description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.' type: object required: - file responses: '200': content: application/json: examples: importObjectsResponse: summary: The import objects API response indicates a successful import and the objects are created. Since these objects are created as new copies, each entry in the successResults array includes a destinationId attribute. value: success: true successCount: 1 successResults: - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 id: 90943e30-9a47-11e8-b64d-95841ca0b247 managed: false meta: icon: indexPatternApp title: Kibana Sample Data Logs type: index-pattern schema: additionalProperties: false type: object properties: errors: description: |- Indicates the import was unsuccessful and specifies the objects that failed to import. NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. items: additionalProperties: true type: object properties: {} type: array success: description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. type: boolean successCount: description: Indicates the number of successfully imported records. type: number successResults: description: |- Indicates the objects that are successfully imported, with any metadata if applicable. NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. items: additionalProperties: true type: object properties: {} type: array required: - success - successCount - errors - successResults description: Indicates a successful call. '400': content: application/json: schema: additionalProperties: false description: Indicates an unsuccessful response. type: object properties: error: type: string message: type: string statusCode: enum: - 400 type: integer required: - error - message - statusCode description: Bad request. summary: Import saved objects tags: - saved objects x-codeSamples: - label: Import with createNewCopies lang: cURL source: | curl \ -X POST api/saved_objects/_import?createNewCopies=true -H "kbn-xsrf: true" --form file=@file.ndjson /api/saved_objects/_resolve_import_errors: post: description: | To resolve errors from the Import objects API, you can: * Retry certain saved objects * Overwrite specific saved objects * Change references to different saved objects operationId: resolveImportErrors parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - description: | Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the `createNewCopies` option. in: query name: compatibilityMode required: false schema: type: boolean - description: | Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors. in: query name: createNewCopies required: false schema: type: boolean requestBody: content: multipart/form-data: examples: resolveImportErrorsRequest: $ref: '#/components/examples/Saved_objects_resolve_missing_reference_request' schema: type: object properties: file: description: The same file given to the import API. format: binary type: string retries: description: The retry operations, which can specify how to resolve different types of errors. items: type: object properties: destinationId: description: Specifies the destination ID that the imported object should have, if different from the current ID. type: string id: description: The saved object ID. type: string ignoreMissingReferences: description: When set to `true`, ignores missing reference errors. When set to `false`, does nothing. type: boolean overwrite: description: When set to `true`, the source object overwrites the conflicting destination object. When set to `false`, does nothing. type: boolean replaceReferences: description: A list of `type`, `from`, and `to` used to change the object references. items: type: object properties: from: type: string to: type: string type: type: string type: array type: description: The saved object type. type: string required: - type - id type: array required: - retries required: true responses: '200': content: application/json: examples: resolveImportErrorsResponse: $ref: '#/components/examples/Saved_objects_resolve_missing_reference_response' schema: type: object properties: errors: description: | Specifies the objects that failed to resolve. NOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and a `conflict` error. items: type: object type: array success: description: | Indicates a successful import. When set to `false`, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. type: boolean successCount: description: | Indicates the number of successfully resolved records. type: number successResults: description: | Indicates the objects that are successfully imported, with any metadata if applicable. NOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references. items: type: object type: array description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. summary: Resolve import errors tags: - saved objects /api/saved_objects/{type}: post: deprecated: true description: Create a Kibana saved object with a randomly generated identifier. operationId: createSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_type' - description: If true, overwrites the document with the same identifier. in: query name: overwrite schema: type: boolean requestBody: content: application/json: schema: type: object properties: attributes: $ref: '#/components/schemas/Saved_objects_attributes' initialNamespaces: $ref: '#/components/schemas/Saved_objects_initial_namespaces' references: $ref: '#/components/schemas/Saved_objects_references' required: - attributes required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '409': content: application/json: schema: type: object description: Indicates a conflict error. summary: Create a saved object tags: - saved objects /api/saved_objects/{type}/{id}: get: deprecated: true description: Retrieve a single Kibana saved object by identifier. operationId: getSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. summary: Get a saved object tags: - saved objects post: deprecated: true description: Create a Kibana saved object and specify its identifier instead of using a randomly generated ID. operationId: createSavedObjectId parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' - description: If true, overwrites the document with the same identifier. in: query name: overwrite schema: type: boolean requestBody: content: application/json: schema: type: object properties: attributes: $ref: '#/components/schemas/Saved_objects_attributes' initialNamespaces: $ref: '#/components/schemas/Saved_objects_initial_namespaces' references: $ref: '#/components/schemas/Saved_objects_initial_namespaces' required: - attributes required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '409': content: application/json: schema: type: object description: Indicates a conflict error. summary: Create a saved object tags: - saved objects put: deprecated: true description: Update the attributes for Kibana saved objects. operationId: updateSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' requestBody: content: application/json: schema: type: object required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '404': content: application/json: schema: type: object description: Indicates the object was not found. '409': content: application/json: schema: type: object description: Indicates a conflict error. summary: Update a saved object tags: - saved objects /api/saved_objects/resolve/{type}/{id}: get: deprecated: true description: | Retrieve a single Kibana saved object by identifier using any legacy URL alias if it exists. Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved using either its new ID or its old ID. operationId: resolveSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. summary: Resolve a saved object tags: - saved objects /api/security_ai_assistant/anonymization_fields/_bulk_action: post: description: Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. operationId: PerformAnonymizationFieldsBulkAction requestBody: content: application/json: schema: example: create: - allowed: true anonymized: false field: host.name - allowed: false anonymized: true field: user.name delete: ids: - field5 - field6 query: 'field: host.name' update: - allowed: true anonymized: false id: field8 - allowed: false anonymized: true id: field9 type: object properties: create: description: Array of anonymization fields to create. items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' type: array delete: description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete. type: object properties: ids: description: Array of IDs to apply the action to. example: - '1234' - '5678' items: type: string minItems: 1 type: array query: description: Query to filter the bulk action. example: 'status: ''inactive''' type: string update: description: Array of anonymization fields to update. items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' type: array responses: '200': content: application/json: example: anonymization_fields_count: 5 attributes: results: created: - allowed: false anonymized: true createdAt: '2023-10-31T12:00:00Z' createdBy: user1 field: host.name id: field2 namespace: default timestamp: '2023-10-31T12:00:00Z' updatedAt: '2023-10-31T12:00:00Z' updatedBy: user1 deleted: - field3 skipped: - id: field4 name: user.name skip_reason: ANONYMIZATION_FIELD_NOT_MODIFIED updated: - allowed: true anonymized: false createdAt: '2023-10-31T12:00:00Z' createdBy: user1 field: url.domain id: field8 namespace: default timestamp: '2023-10-31T12:00:00Z' updatedAt: '2023-10-31T12:00:00Z' updatedBy: user1 summary: failed: 1 skipped: 1 succeeded: 2 total: 5 message: Bulk action completed successfully status_code: 200 success: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' description: Indicates a successful call. '400': content: application/json: example: error: Bad Request message: Invalid request body statusCode: 400 schema: type: object properties: error: description: Error type or name. type: string message: description: Detailed error message. type: string statusCode: description: Status code of the response. type: number description: Generic Error summary: Apply a bulk action to anonymization fields tags: - Security AI Assistant API /api/security_ai_assistant/anonymization_fields/_find: get: description: Get a list of all anonymization fields. operationId: FindAnonymizationFields parameters: - description: Fields to return example: - id - field - anonymized - allowed in: query name: fields required: false schema: items: type: string type: array - description: Search query example: 'field: "user.name"' in: query name: filter required: false schema: type: string - description: Field to sort by example: created_at in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' - description: Sort order example: asc in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - description: Page number example: 1 in: query name: page required: false schema: default: 1 minimum: 1 type: integer - description: AnonymizationFields per page example: 20 in: query name: per_page required: false schema: default: 20 minimum: 0 type: integer responses: '200': content: application/json: example: data: - allowed: true anonymized: true createdAt: '2023-10-31T12:00:00Z' createdBy: user1 field: user.name id: '1' namespace: default timestamp: '2023-10-31T12:00:00Z' updatedAt: '2023-10-31T12:00:00Z' updatedBy: user1 page: 1 perPage: 20 total: 100 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array page: type: integer perPage: type: integer total: type: integer required: - page - perPage - total - data description: Successful response '400': content: application/json: example: error: Bad Request message: Invalid request parameters statusCode: 400 schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Get anonymization fields tags: - Security AI Assistant API /api/security_ai_assistant/chat/complete: post: description: Create a model response for the given chat conversation. operationId: ChatComplete parameters: - description: If true, the response will not include content references. example: false in: query name: content_references_disabled required: false schema: default: false type: boolean requestBody: content: application/json: example: connectorId: conn-001 conversationId: abc123 isStream: true langSmithApiKey: sk-abc123 langSmithProject: security_ai_project messages: - content: What are some common phishing techniques? data: user_id: user_789 fields_to_anonymize: - user.name - source.ip role: user model: gpt-4 persist: true promptId: prompt_456 responseLanguage: en schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' required: true responses: '200': content: application/octet-stream: schema: format: binary type: string description: Indicates a successful model response call. '400': content: application/json: schema: type: object properties: error: description: Error type. example: Bad Request type: string message: description: Human-readable error message. example: Invalid request payload. type: string statusCode: description: HTTP status code. example: 400 type: number description: Generic Error summary: Create a model response tags: - Security AI Assistant API /api/security_ai_assistant/current_user/conversations: delete: description: This endpoint allows users to permanently delete all conversations. operationId: DeleteAllConversations requestBody: content: application/json: schema: type: object properties: excludedIds: description: Optional list of conversation IDs to delete. example: - abc123 - def456 items: type: string type: array required: false responses: '200': content: application/json: example: success: true schema: type: object properties: failures: items: type: string type: array success: example: true type: boolean totalDeleted: example: 10 type: number description: Indicates a successful call. The conversations were deleted successfully. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: Invalid conversation ID type: string statusCode: example: 400 type: number description: Generic Error. This response indicates an issue with the request. summary: Delete conversations tags: - Security AI Assistant API post: description: Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters. operationId: CreateConversation requestBody: content: application/json: example: apiConfig: actionTypeId: '67890' connectorId: '12345' category: assistant excludeFromLastConversationStorage: false messages: - content: Hello, how can I assist you today? role: system timestamp: '2023-10-31T12:00:00Z' replacements: {} title: Security Discussion schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' required: true responses: '200': content: application/json: example: apiConfig: actionTypeId: '67890' connectorId: '12345' category: assistant createdAt: '2023-10-31T12:01:00Z' excludeFromLastConversationStorage: false id: abc123 messages: - content: Hello, how can I assist you today? role: system timestamp: '2023-10-31T12:00:00Z' replacements: {} title: Security Discussion updatedAt: '2023-10-31T12:01:00Z' users: - id: user1 name: John Doe schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. The conversation was created successfully. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: 'Missing required parameter: title' type: string statusCode: example: 400 type: number description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. summary: Create a conversation tags: - Security AI Assistant API /api/security_ai_assistant/current_user/conversations/_find: get: description: Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations. operationId: FindConversations parameters: - description: A list of fields to include in the response. If omitted, all fields are returned. in: query name: fields required: false schema: example: - id - title - createdAt items: type: string type: array - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes. in: query name: filter required: false schema: example: Security Issue type: string - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`. in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' example: created_at - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending. in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' example: desc - description: The page number of the results to retrieve. Default is 1. in: query name: page required: false schema: default: 1 example: 1 minimum: 1 type: integer - description: The number of conversations to return per page. Default is 20. in: query name: per_page required: false schema: default: 20 example: 20 minimum: 0 type: integer responses: '200': content: application/json: schema: type: object properties: data: description: A list of conversations. items: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' type: array page: description: The current page of the results. example: 1 type: integer perPage: description: The number of results returned per page. example: 20 type: integer total: description: The total number of conversations matching the filter criteria. example: 100 type: integer required: - page - perPage - total - data description: Successful response, returns a paginated list of conversations matching the specified criteria. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: Invalid filter query parameter type: string statusCode: example: 400 type: number description: Generic Error. The request could not be processed due to an invalid query parameter or other issue. summary: Get conversations tags: - Security AI Assistant API /api/security_ai_assistant/current_user/conversations/{id}: delete: description: Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation. operationId: DeleteConversation parameters: - description: The conversation's `id` value. example: abc123 in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: example: apiConfig: actionTypeId: '67890' connectorId: '12345' category: assistant createdAt: '2023-10-31T12:01:00Z' excludeFromLastConversationStorage: false id: abc123 messages: - content: The conversation has been deleted. role: system timestamp: '2023-10-31T12:35:00Z' replacements: {} title: Deleted Security Discussion updatedAt: '2023-10-31T12:01:00Z' users: - id: user1 name: John Doe schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. The conversation was deleted successfully. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: Invalid conversation ID type: string statusCode: example: 400 type: number description: Generic Error. This response indicates an issue with the request. summary: Delete a conversation tags: - Security AI Assistant API get: description: Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID. operationId: ReadConversation parameters: - description: The conversation's `id` value, a unique identifier for the conversation. example: abc123 in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: example: apiConfig: actionTypeId: '67890' connectorId: '12345' category: assistant createdAt: '2023-10-31T12:01:00Z' excludeFromLastConversationStorage: false id: abc123 messages: - content: Hello, how can I assist you today? role: system timestamp: '2023-10-31T12:00:00Z' replacements: {} title: Security Discussion updatedAt: '2023-10-31T12:01:00Z' users: - id: user1 name: John Doe schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. The conversation details are returned. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: Invalid conversation ID type: string statusCode: example: 400 type: number description: Generic Error. The request could not be processed due to an error. summary: Get a conversation tags: - Security AI Assistant API put: description: Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation. operationId: UpdateConversation parameters: - description: The conversation's `id` value. example: abc123 in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: example: apiConfig: actionTypeId: '09876' connectorId: '54321' category: insights excludeFromLastConversationStorage: true messages: - content: The issue was resolved. role: assistant timestamp: '2023-10-31T12:30:00Z' replacements: {} title: Updated Security Discussion schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' required: true responses: '200': content: application/json: example: apiConfig: actionTypeId: '09876' connectorId: '54321' category: insights createdAt: '2023-10-31T12:01:00Z' excludeFromLastConversationStorage: true id: abc123 messages: - content: The issue was resolved. role: assistant timestamp: '2023-10-31T12:30:00Z' replacements: {} title: Updated Security Discussion updatedAt: '2023-10-31T12:31:00Z' users: - id: user1 name: John Doe schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. The conversation was updated successfully. '400': content: application/json: schema: type: object properties: error: example: Bad Request type: string message: example: 'Missing required field: title' type: string statusCode: example: 400 type: number description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data. summary: Update a conversation tags: - Security AI Assistant API /api/security_ai_assistant/knowledge_base/{resource}: get: description: Read a single KB operationId: ReadKnowledgeBase parameters: - description: The KnowledgeBase `resource` value. example: kb12345 in: path name: resource schema: type: string responses: '200': content: application/json: schema: type: object properties: elser_exists: description: Indicates if the ELSER model exists for the KnowledgeBase. example: true type: boolean is_setup_available: description: Indicates if the setup process is available for the KnowledgeBase. example: true type: boolean is_setup_in_progress: description: Indicates if the setup process is currently in progress. example: false type: boolean product_documentation_status: description: The status of the product documentation in the KnowledgeBase. example: complete type: string security_labs_exists: description: Indicates if Security Labs documentation exists in the KnowledgeBase. example: true type: boolean user_data_exists: description: Indicates if user data exists in the KnowledgeBase. example: false type: boolean description: Indicates a successful call. '400': content: application/json: schema: type: object properties: error: description: A short description of the error. example: Bad Request type: string message: description: A detailed error message. example: Invalid resource ID provided. type: string statusCode: description: The HTTP status code of the error. example: 400 type: number description: Generic Error summary: Read a KnowledgeBase tags: - Security AI Assistant API post: description: Create a KnowledgeBase operationId: CreateKnowledgeBase parameters: - description: The KnowledgeBase `resource` value. example: kb12345 in: path name: resource schema: type: string - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used. example: elser-model-001 in: query name: modelId required: false schema: type: string - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`. example: true in: query name: ignoreSecurityLabs required: false schema: default: false type: boolean responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' description: Indicates a successful call. '400': content: application/json: schema: type: object properties: error: description: A short description of the error. example: Bad Request type: string message: description: A detailed error message. example: Invalid resource ID provided. type: string statusCode: description: The HTTP status code of the error. example: 400 type: number description: Generic Error summary: Create a KnowledgeBase tags: - Security AI Assistant API /api/security_ai_assistant/knowledge_base/entries: post: description: Create a Knowledge Base Entry operationId: CreateKnowledgeBaseEntry requestBody: content: application/json: example: content: To reset your password, go to the settings page and click 'Reset Password'. tags: - password - reset - help title: How to reset a password schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' required: true responses: '200': content: application/json: example: content: To reset your password, go to the settings page and click 'Reset Password'. id: '12345' tags: - password - reset - help title: How to reset a password schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' description: Successful request returning Knowledge Base Entries '400': content: application/json: example: error: Invalid input message: The 'title' field is required. schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: A generic error occurred, such as invalid input or missing required fields. summary: Create a Knowledge Base Entry tags: - Security AI Assistant API /api/security_ai_assistant/knowledge_base/entries/_bulk_action: post: description: The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs. operationId: PerformKnowledgeBaseEntryBulkAction requestBody: content: application/json: schema: type: object properties: create: description: List of Knowledge Base Entries to create. example: - content: This is the content of the new entry. title: New Entry items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' type: array delete: type: object properties: ids: description: Array of Knowledge Base Entry IDs. example: - '123' - '456' - '789' items: type: string minItems: 1 type: array query: description: Query to filter Knowledge Base Entries. example: status:active AND category:technology type: string update: description: List of Knowledge Base Entries to update. example: - content: Updated content. id: '123' title: Updated Entry items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' type: array responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' description: Successful bulk operation request '400': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: Generic Error summary: Applies a bulk action to multiple Knowledge Base Entries tags: - Security AI Assistant API /api/security_ai_assistant/knowledge_base/entries/_find: get: description: Finds Knowledge Base Entries that match the given query. operationId: FindKnowledgeBaseEntries parameters: - description: A list of fields to include in the response. If not provided, all fields will be included. in: query name: fields required: false schema: example: - title - created_at items: type: string type: array - description: Search query to filter Knowledge Base Entries by specific criteria. in: query name: filter required: false schema: example: error handling type: string - description: Field to sort the Knowledge Base Entries by. in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' example: created_at - description: Sort order for the results, either asc or desc. in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' example: asc - description: Page number for paginated results. Defaults to 1. in: query name: page required: false schema: default: 1 example: 2 minimum: 1 type: integer - description: Number of Knowledge Base Entries to return per page. Defaults to 20. in: query name: per_page required: false schema: default: 20 example: 10 minimum: 0 type: integer responses: '200': content: application/json: schema: type: object properties: data: description: The list of Knowledge Base Entries for the current page. items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array page: description: The current page number. example: 1 type: integer perPage: description: The number of Knowledge Base Entries returned per page. example: 20 type: integer total: description: The total number of Knowledge Base Entries available. example: 100 type: integer required: - page - perPage - total - data description: Successful response containing the paginated Knowledge Base Entries. '400': content: application/json: schema: type: object properties: error: description: A short description of the error. example: Bad Request type: string message: description: A detailed message explaining the error. example: 'Invalid query parameter: sort_order' type: string statusCode: description: The HTTP status code of the error. example: 400 type: number description: Generic Error indicating an issue with the request. summary: Finds Knowledge Base Entries that match the given query. tags: - Security AI Assistant API /api/security_ai_assistant/knowledge_base/entries/{id}: delete: description: Delete a Knowledge Base Entry by its unique `id`. operationId: DeleteKnowledgeBaseEntry parameters: - description: The unique identifier (`id`) of the Knowledge Base Entry to delete. example: '12345' in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: example: id: '12345' message: Knowledge Base Entry successfully deleted. schema: $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' description: Successful request returning the `id` of the deleted Knowledge Base Entry. '400': content: application/json: example: error: Not Found message: No Knowledge Base Entry found with the provided `id`. schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: A generic error occurred, such as an invalid `id` or the entry not being found. summary: Deletes a single Knowledge Base Entry using the `id` field tags: - Security AI Assistant API get: description: Retrieve a Knowledge Base Entry by its unique `id`. operationId: ReadKnowledgeBaseEntry parameters: - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve. example: '12345' in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: example: content: To reset your password, go to the settings page and click 'Reset Password'. id: '12345' tags: - password - reset - help title: How to reset a password schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' description: Successful request returning the requested Knowledge Base Entry. '400': content: application/json: example: error: Not Found message: No Knowledge Base Entry found with the provided `id`. schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: A generic error occurred, such as an invalid `id` or the entry not being found. summary: Read a Knowledge Base Entry tags: - Security AI Assistant API put: description: Update an existing Knowledge Base Entry by its unique `id`. operationId: UpdateKnowledgeBaseEntry parameters: - description: The unique identifier (`id`) of the Knowledge Base Entry to update. example: '12345' in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: example: content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. tags: - password - reset - help - update title: How to reset a password (updated) schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' required: true responses: '200': content: application/json: example: content: To reset your password, go to the settings page, click 'Reset Password', and follow the instructions. id: '12345' tags: - password - reset - help - update title: How to reset a password (updated) schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' description: Successful request returning the updated Knowledge Base Entry. '400': content: application/json: example: error: Invalid input message: The 'content' field cannot be empty. schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: A generic error occurred, such as invalid input or the entry not being found. summary: Update a Knowledge Base Entry tags: - Security AI Assistant API /api/security_ai_assistant/prompts/_bulk_action: post: description: Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations. operationId: PerformPromptsBulkAction requestBody: content: application/json: example: create: - content: Please verify the security settings. name: New Security Prompt promptType: system delete: ids: - prompt1 - prompt2 update: - content: Updated content for security prompt. id: prompt123 schema: type: object properties: create: description: List of prompts to be created. items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' type: array delete: description: Criteria for deleting prompts in bulk. type: object properties: ids: description: Array of IDs to apply the action to. example: - '1234' - '5678' items: type: string minItems: 1 type: array query: description: Query to filter the bulk action. example: 'status: ''inactive''' type: string update: description: List of prompts to be updated. items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' type: array responses: '200': content: application/json: examples: success: value: attributes: errors: [] results: created: - content: Please verify the security settings. id: prompt6 name: New Security Prompt promptType: system deleted: - prompt2 - prompt3 skipped: - id: prompt4 name: Security Prompt skip_reason: PROMPT_FIELD_NOT_MODIFIED updated: - content: Updated security settings prompt id: prompt1 name: Security Prompt promptType: system summary: failed: 0 skipped: 1 succeeded: 4 total: 5 message: Bulk action completed successfully. prompts_count: 5 status_code: 200 success: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' description: Indicates a successful call with the results of the bulk action. '400': content: application/json: schema: type: object properties: error: description: A short error message. example: Bad Request type: string message: description: A detailed error message. example: Invalid prompt ID or missing required fields. type: string statusCode: description: The HTTP status code for the error. example: 400 type: number description: Indicates a generic error due to a bad request. summary: Apply a bulk action to prompts tags: - Security AI Assistant API /api/security_ai_assistant/prompts/_find: get: description: Get a list of all prompts based on optional filters, sorting, and pagination. operationId: FindPrompts parameters: - description: List of specific fields to include in each returned prompt. in: query name: fields required: false schema: example: - id - name - content items: type: string type: array - description: Search query string to filter prompts by matching fields. in: query name: filter required: false schema: example: error handling type: string - description: Field to sort prompts by. in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' - description: Sort order, either asc or desc. in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - description: Page number for pagination. in: query name: page required: false schema: default: 1 example: 1 minimum: 1 type: integer - description: Number of prompts per page. in: query name: per_page required: false schema: default: 20 example: 20 minimum: 0 type: integer responses: '200': content: application/json: schema: example: data: - categories: - troubleshooting - logging color: '#FF5733' consumer: security content: If you encounter an error, check the logs and retry. createdAt: '2025-04-20T21:00:00Z' createdBy: jdoe id: prompt-123 isDefault: true isNewConversationDefault: false name: Error Troubleshooting Prompt namespace: default promptType: standard timestamp: '2025-04-30T22:30:00Z' updatedAt: '2025-04-30T22:45:00Z' updatedBy: jdoe users: - full_name: John Doe username: jdoe page: 1 perPage: 20 total: 142 type: object properties: data: description: The list of prompts returned based on the search query, sorting, and pagination. items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array page: description: Current page number. example: 1 type: integer perPage: description: Number of prompts per page. example: 20 type: integer total: description: Total number of prompts matching the query. example: 142 type: integer required: - page - perPage - total - data description: Successful response containing a list of prompts. '400': content: application/json: schema: type: object properties: error: description: Short error message. example: Bad Request type: string message: description: Detailed description of the error. example: Invalid sort order value provided. type: string statusCode: description: HTTP status code for the error. example: 400 type: number description: Bad request due to invalid parameters or malformed query. summary: Get prompts tags: - Security AI Assistant API /api/security/role: get: operationId: get-security-role parameters: - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query name: replaceDeprecatedPrivileges required: false schema: type: boolean responses: '200': description: Indicates a successful call. content: application/json: examples: getRolesResponse1: $ref: '#/components/examples/get_roles_response1' summary: Get all roles tags: - roles /api/security/role/_query: post: operationId: post-security-role-query parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: filters: additionalProperties: false type: object properties: showReservedRoles: type: boolean from: type: number query: type: string size: type: number sort: additionalProperties: false type: object properties: direction: enum: - asc - desc type: string field: type: string required: - field - direction responses: '200': description: Indicates a successful call. summary: Query roles tags: [] /api/security/role/{name}: delete: operationId: delete-security-role-name parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: minLength: 1 type: string responses: '204': description: Indicates a successful call. summary: Delete a role tags: - roles get: operationId: get-security-role-name parameters: - description: The role name. in: path name: name required: true schema: minLength: 1 type: string - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query name: replaceDeprecatedPrivileges required: false schema: type: boolean responses: '200': description: Indicates a successful call. content: application/json: examples: getRoleResponse1: $ref: '#/components/examples/get_role_response1' summary: Get a role tags: - roles put: description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm. operationId: put-security-role-name parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The role name. in: path name: name required: true schema: maxLength: 1024 minLength: 1 type: string - description: When true, a role is not overwritten if it already exists. in: query name: createOnly required: false schema: default: false type: boolean requestBody: content: application/json: schema: additionalProperties: false type: object properties: description: description: A description for the role. maxLength: 2048 type: string elasticsearch: additionalProperties: false type: object properties: cluster: items: description: Cluster privileges that define the cluster level actions that users can perform. type: string type: array indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. type: boolean field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string type: array type: object names: items: description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). type: string minItems: 1 type: array privileges: items: description: The index level privileges that the role members have for the data streams and indices. type: string minItems: 1 type: array query: description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. type: string required: - names - privileges type: array remote_cluster: items: additionalProperties: false type: object properties: clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string minItems: 1 type: array privileges: items: description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. type: string minItems: 1 type: array required: - privileges - clusters type: array remote_indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. type: boolean clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string minItems: 1 type: array field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string type: array type: object names: items: description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). type: string minItems: 1 type: array privileges: items: description: The index level privileges that role members have for the specified indices. type: string minItems: 1 type: array query: description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' type: string required: - clusters - names - privileges type: array run_as: items: description: A user name that the role member can impersonate. type: string type: array kibana: items: additionalProperties: false type: object properties: base: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - items: description: A base privilege that grants applies to all spaces. type: string type: array - items: description: A base privilege that applies to specific spaces. type: string type: array feature: additionalProperties: items: description: The privileges that the role member has for the feature. type: string type: array type: object spaces: anyOf: - items: enum: - '*' type: string maxItems: 1 minItems: 1 type: array - items: description: A space that the privilege applies to. type: string type: array default: - '*' required: - base type: array metadata: additionalProperties: {} type: object required: - elasticsearch examples: createRoleRequest1: $ref: '#/components/examples/create_role_request1' createRoleRequest2: $ref: '#/components/examples/create_role_request2' createRoleRequest3: $ref: '#/components/examples/create_role_request3' createRoleRequest4: $ref: '#/components/examples/create_role_request4' responses: '204': description: Indicates a successful call. summary: Create or update a role tags: - roles /api/security/roles: post: operationId: post-security-roles parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: roles: additionalProperties: additionalProperties: false type: object properties: description: description: A description for the role. maxLength: 2048 type: string elasticsearch: additionalProperties: false type: object properties: cluster: items: description: Cluster privileges that define the cluster level actions that users can perform. type: string type: array indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. type: boolean field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string type: array type: object names: items: description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). type: string minItems: 1 type: array privileges: items: description: The index level privileges that the role members have for the data streams and indices. type: string minItems: 1 type: array query: description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. type: string required: - names - privileges type: array remote_cluster: items: additionalProperties: false type: object properties: clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string minItems: 1 type: array privileges: items: description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. type: string minItems: 1 type: array required: - privileges - clusters type: array remote_indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. type: boolean clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string minItems: 1 type: array field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string type: array type: object names: items: description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). type: string minItems: 1 type: array privileges: items: description: The index level privileges that role members have for the specified indices. type: string minItems: 1 type: array query: description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' type: string required: - clusters - names - privileges type: array run_as: items: description: A user name that the role member can impersonate. type: string type: array kibana: items: additionalProperties: false type: object properties: base: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - items: description: A base privilege that grants applies to all spaces. type: string type: array - items: description: A base privilege that applies to specific spaces. type: string type: array feature: additionalProperties: items: description: The privileges that the role member has for the feature. type: string type: array type: object spaces: anyOf: - items: enum: - '*' type: string maxItems: 1 minItems: 1 type: array - items: description: A space that the privilege applies to. type: string type: array default: - '*' required: - base type: array metadata: additionalProperties: {} type: object required: - elasticsearch type: object required: - roles responses: '200': description: Indicates a successful call. summary: Create or update roles tags: - roles /api/security/session/_invalidate: post: description: | Invalidate user sessions that match a query. To use this API, you must be a superuser. operationId: post-security-session-invalidate parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: invalidateRequestExample1: description: Run `POST api/security/session/_invalidate` to invalidate all existing sessions. summary: Invalidate all sessions value: |- { "match" : "all" } invalidateRequestExample2: description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any SAML authentication provider. summary: Invalidate all SAML sessions value: |- { "match" : "query", "query": { "provider" : { "type": "saml" } } } invalidateRequestExample3: description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by the SAML authentication provider named `saml1`. summary: Invalidate sessions for a provider value: |- { "match" : "query", "query": { "provider" : { "type": "saml", "name": "saml1" } } } invalidateRequestExample4: description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any OpenID Connect authentication provider for the user with the username `user@my-oidc-sso.com`. summary: Invalidate sessions for a user value: |- { "match" : "query", "query": { "provider" : { "type": "oidc" }, "username": "user@my-oidc-sso.com" } } schema: type: object properties: match: description: | The method Kibana uses to determine which sessions to invalidate. If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated. enum: - all - query type: string query: description: | The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`. type: object properties: provider: description: The authentication providers that will have their user sessions invalidated. type: object properties: name: description: The authentication provider name. type: string type: description: | The authentication provide type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`. type: string required: - type username: description: The username that will have its sessions invalidated. type: string required: - provider required: - match responses: '200': content: application/json: schema: type: object properties: total: description: The number of sessions that were successfully invalidated. type: integer description: Indicates a successful call '403': description: Indicates that the user may not be authorized to invalidate sessions for other users. summary: Invalidate user sessions tags: - user session /api/short_url: post: description: | Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share. Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page. operationId: post-url requestBody: content: application/json: schema: type: object properties: humanReadableSlug: description: | When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true. type: boolean locatorId: description: The identifier for the locator. type: string params: description: | An object which contains all necessary parameters for the given locator to resolve to a Kibana location. > warn > When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed. type: object slug: description: | A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and `-._` characters. The slug must be at least 3 characters long, but no longer than 255 characters. type: string required: - locatorId - params required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. summary: Create a short URL tags: - short url x-state: Technical Preview /api/short_url/_slug/{slug}: get: description: | Resolve a Kibana short URL by its slug. operationId: resolve-url parameters: - description: The slug of the short URL. in: path name: slug required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. summary: Resolve a short URL tags: - short url x-state: Technical Preview /api/short_url/{id}: delete: description: | Delete a Kibana short URL. operationId: delete-url parameters: - $ref: '#/components/parameters/Short_URL_APIs_idParam' responses: '200': description: Indicates a successful call. summary: Delete a short URL tags: - short url x-state: Technical Preview get: description: | Get a single Kibana short URL. operationId: get-url parameters: - $ref: '#/components/parameters/Short_URL_APIs_idParam' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. summary: Get a short URL tags: - short url x-state: Technical Preview /api/spaces/_copy_saved_objects: post: description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' operationId: post-spaces-copy-saved-objects parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: compatibilityMode: default: false description: Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option. type: boolean createNewCopies: default: true description: Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided. This option cannot be used with the `overwrite` and `compatibilityMode` options. type: boolean includeReferences: default: false description: When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces. type: boolean objects: items: additionalProperties: false type: object properties: id: description: The identifier of the saved object to copy. type: string type: description: The type of the saved object to copy. type: string required: - type - id type: array overwrite: default: false description: When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. This option cannot be used with the `createNewCopies` option. type: boolean spaces: items: description: The identifiers of the spaces where you want to copy the specified objects. type: string type: array required: - spaces - objects examples: copySavedObjectsRequestExample1: $ref: '#/components/examples/copy_saved_objects_request1' copySavedObjectsRequestExample2: $ref: '#/components/examples/copy_saved_objects_request2' responses: '200': content: application/json: examples: copySavedObjectsResponseExample1: $ref: '#/components/examples/copy_saved_objects_response1' copySavedObjectsResponseExample2: $ref: '#/components/examples/copy_saved_objects_response2' copySavedObjectsResponseExample3: $ref: '#/components/examples/copy_saved_objects_response3' copySavedObjectsResponseExample4: $ref: '#/components/examples/copy_saved_objects_response4' summary: Copy saved objects between spaces tags: - spaces /api/spaces/_disable_legacy_url_aliases: post: operationId: post-spaces-disable-legacy-url-aliases parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: aliases: items: additionalProperties: false type: object properties: sourceId: description: The alias source object identifier. This is the legacy object identifier. type: string targetSpace: description: The space where the alias target object exists. type: string targetType: description: 'The type of alias target object. ' type: string required: - targetSpace - targetType - sourceId type: array required: - aliases examples: disableLegacyURLRequestExample1: $ref: '#/components/examples/disable_legacy_url_request1' responses: {} summary: Disable legacy URL aliases tags: - spaces /api/spaces/_get_shareable_references: post: description: Collect references and space contexts for saved objects. operationId: post-spaces-get-shareable-references parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: objects: items: additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id type: array required: - objects responses: {} summary: Get shareable references tags: - spaces /api/spaces/_resolve_copy_saved_objects_errors: post: description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.

[Required authorization] Route required privileges: copySavedObjectsToSpaces.' operationId: post-spaces-resolve-copy-saved-objects-errors parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: compatibilityMode: default: false type: boolean createNewCopies: default: true type: boolean includeReferences: default: false type: boolean objects: items: additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id type: array retries: additionalProperties: items: additionalProperties: false type: object properties: createNewCopy: description: Creates new copies of the saved objects, regenerates each object ID, and resets the origin. type: boolean destinationId: description: Specifies the destination identifier that the copied object should have, if different from the current identifier. type: string id: description: The saved object identifier. type: string ignoreMissingReferences: description: When set to true, any missing references errors are ignored. type: boolean overwrite: default: false description: When set to true, the saved object from the source space overwrites the conflicting object in the destination space. type: boolean type: description: The saved object type. type: string required: - type - id type: array type: object required: - retries - objects examples: resolveCopySavedObjectsRequestExample1: $ref: '#/components/examples/resolve_copy_saved_objects_request1' resolveCopySavedObjectsRequestExample2: $ref: '#/components/examples/resolve_copy_saved_objects_request2' responses: '200': content: application/json: examples: resolveCopySavedObjectsResponseExample1: $ref: '#/components/examples/copy_saved_objects_response1' resolveCopySavedObjectsResponseExample2: $ref: '#/components/examples/copy_saved_objects_response2' summary: Resolve conflicts copying saved objects tags: [] /api/spaces/_update_objects_spaces: post: description: Update one or more saved objects to add or remove them from some spaces. operationId: post-spaces-update-objects-spaces parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: objects: items: additionalProperties: false type: object properties: id: description: The identifier of the saved object to update. type: string type: description: The type of the saved object to update. type: string required: - type - id type: array spacesToAdd: items: description: The identifiers of the spaces the saved objects should be added to or removed from. type: string type: array spacesToRemove: items: description: The identifiers of the spaces the saved objects should be added to or removed from. type: string type: array required: - objects - spacesToAdd - spacesToRemove examples: updateObjectSpacesRequestExample1: $ref: '#/components/examples/update_saved_objects_spaces_request1' responses: '200': content: application/json: examples: updateObjectSpacesResponseExample1: $ref: '#/components/examples/update_saved_objects_spaces_response1' summary: Update saved objects in spaces tags: - spaces /api/spaces/space: get: operationId: get-spaces-space parameters: - description: Specifies which authorization checks are applied to the API call. The default value is `any`. in: query name: purpose required: false schema: enum: - any - copySavedObjectsIntoSpace - shareSavedObjectsIntoSpace type: string - description: When enabled, the API returns any spaces that the user is authorized to access in any capacity and each space will contain the purposes for which the user is authorized. This can be useful to determine which spaces a user can read but not take a specific action in. If the security plugin is not enabled, this parameter has no effect, since no authorization checks take place. This parameter cannot be used in with the `purpose` parameter. in: query name: include_authorized_purposes required: true schema: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - false type: boolean x-oas-optional: true - type: boolean x-oas-optional: true responses: '200': description: Indicates a successful call. content: application/json: examples: getSpacesResponseExample1: $ref: '#/components/examples/get_spaces_response1' getSpacesResponseExample2: $ref: '#/components/examples/get_spaces_response2' summary: Get all spaces tags: - spaces post: operationId: post-spaces-space parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: _reserved: type: boolean color: description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. type: string description: description: A description for the space. type: string disabledFeatures: default: [] items: description: The list of features that are turned off in the space. type: string type: array id: description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. type: string imageUrl: description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. type: string initials: description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. maxLength: 2 type: string name: description: 'The display name for the space. ' minLength: 1 type: string solution: enum: - security - oblt - es - classic type: string required: - id - name examples: createSpaceRequest: $ref: '#/components/examples/create_space_request' responses: '200': description: Indicates a successful call. summary: Create a space tags: - spaces /api/spaces/space/{id}: delete: description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. operationId: delete-spaces-space-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The space identifier. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '404': description: Indicates that the request failed. summary: Delete a space tags: - spaces get: operationId: get-spaces-space-id parameters: - description: The space identifier. in: path name: id required: true schema: type: string responses: '200': description: Indicates a successful call. content: application/json: examples: getSpaceResponseExample: $ref: '#/components/examples/get_space_response' summary: Get a space tags: - spaces put: operationId: put-spaces-space-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The space identifier. You are unable to change the ID with the update operation. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: _reserved: type: boolean color: description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. type: string description: description: A description for the space. type: string disabledFeatures: default: [] items: description: The list of features that are turned off in the space. type: string type: array id: description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation. type: string imageUrl: description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. type: string initials: description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. maxLength: 2 type: string name: description: 'The display name for the space. ' minLength: 1 type: string solution: enum: - security - oblt - es - classic type: string required: - id - name examples: updateSpaceRequest: $ref: '#/components/examples/update_space_request' responses: '200': description: Indicates a successful call. summary: Update a space tags: - spaces /api/status: get: operationId: get-status parameters: - description: Set to "true" to get the response in v7 format. in: query name: v7format required: false schema: type: boolean - description: Set to "true" to get the response in v8 format. in: query name: v8format required: false schema: type: boolean responses: '200': content: application/json: schema: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' description: Kibana's operational status. A minimal response is sent for unauthorized users. description: Overall status is OK and Kibana should be functioning normally. '503': content: application/json: schema: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' description: Kibana's operational status. A minimal response is sent for unauthorized users. description: Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable. summary: Get Kibana's current status tags: - system /api/streams: get: description: 'Fetches list of all streams

[Required authorization] Route required privileges: read_stream.' operationId: get-streams parameters: [] requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Get stream list tags: - streams x-state: Technical Preview /api/streams/_disable: post: description: 'Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.

[Required authorization] Route required privileges: manage_stream.' operationId: post-streams-disable parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Disable streams tags: - streams x-state: Technical Preview /api/streams/_enable: post: description: 'Enables wired streams

[Required authorization] Route required privileges: manage_stream.' operationId: post-streams-enable parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Enable streams tags: - streams x-state: Technical Preview /api/streams/_resync: post: description: 'Resyncs all streams, making sure that Elasticsearch assets are up to date

[Required authorization] Route required privileges: manage_stream.' operationId: post-streams-resync parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Resync streams tags: - streams x-state: Technical Preview /api/streams/{name}: delete: description: 'Deletes a stream definition and the underlying data stream

[Required authorization] Route required privileges: manage_stream.' operationId: delete-streams-name parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Delete a stream tags: - streams x-state: Technical Preview get: description: 'Fetches a stream definition and associated dashboards

[Required authorization] Route required privileges: read_stream.' operationId: get-streams-name parameters: - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Get a stream tags: - streams x-state: Technical Preview put: description: 'Creates or updates a stream definition. Classic streams can not be created through this API, only updated

[Required authorization] Route required privileges: manage_stream.' operationId: put-streams-name parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - anyOf: - allOf: - type: object properties: {} - type: object properties: stream: allOf: - additionalProperties: true type: object properties: name: not: {} - additionalProperties: false type: object properties: description: type: string name: type: string required: - name - description required: - stream - type: object properties: dashboards: items: type: string type: array queries: items: allOf: - type: object properties: id: minLength: 1 type: string title: minLength: 1 type: string required: - id - title - type: object properties: kql: additionalProperties: false type: object properties: query: minLength: 1 type: string required: - query required: - kql type: array required: - dashboards - queries - type: object properties: stream: allOf: - additionalProperties: true type: object properties: name: not: {} - allOf: - type: object properties: {} - type: object properties: description: type: string name: type: string required: - name - description - type: object properties: ingest: additionalProperties: false type: object properties: lifecycle: anyOf: - additionalProperties: false type: object properties: dsl: additionalProperties: false type: object properties: data_retention: minLength: 1 type: string required: - dsl - additionalProperties: false type: object properties: ilm: additionalProperties: false type: object properties: policy: minLength: 1 type: string required: - policy required: - ilm - additionalProperties: false type: object properties: inherit: additionalProperties: false type: object properties: {} required: - inherit processing: items: anyOf: - additionalProperties: false type: object properties: date: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string formats: items: minLength: 1 type: string type: array locale: minLength: 1 type: string output_format: minLength: 1 type: string target_field: minLength: 1 type: string timezone: minLength: 1 type: string required: - field - formats required: - date - additionalProperties: false type: object properties: dissect: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: append_separator: minLength: 1 type: string field: minLength: 1 type: string ignore_missing: type: boolean pattern: minLength: 1 type: string required: - field - pattern required: - dissect - additionalProperties: false type: object properties: grok: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean pattern_definitions: additionalProperties: type: string type: object patterns: items: minLength: 1 type: string minItems: 1 type: array required: - field - patterns required: - grok - additionalProperties: false type: object properties: manual_ingest_pipeline: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: on_failure: items: additionalProperties: {} type: object type: array processors: items: additionalProperties: false type: object properties: append: {} attachment: {} bytes: {} circle: {} community_id: {} convert: {} csv: {} date: {} date_index_name: {} dissect: {} dot_expander: {} drop: {} enrich: {} fail: {} fingerprint: {} foreach: {} geo_grid: {} geoip: {} grok: {} gsub: {} html_strip: {} inference: {} ip_location: {} join: {} json: {} kv: {} lowercase: {} network_direction: {} pipeline: {} redact: {} registered_domain: {} remove: {} rename: {} reroute: {} script: {} set: {} set_security_user: {} sort: {} split: {} terminate: {} trim: {} uppercase: {} uri_parts: {} urldecode: {} user_agent: {} required: - append - attachment - bytes - circle - community_id - convert - csv - date - date_index_name - dissect - dot_expander - drop - enrich - fail - fingerprint - foreach - ip_location - geo_grid - geoip - grok - gsub - html_strip - inference - join - json - kv - lowercase - network_direction - pipeline - redact - registered_domain - remove - rename - reroute - script - set - set_security_user - sort - split - terminate - trim - uppercase - urldecode - uri_parts - user_agent type: array tag: type: string required: - processors required: - manual_ingest_pipeline - additionalProperties: false type: object properties: kv: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: exclude_keys: items: minLength: 1 type: string type: array field: minLength: 1 type: string field_split: type: string ignore_missing: type: boolean include_keys: items: minLength: 1 type: string type: array prefix: minLength: 1 type: string strip_brackets: type: boolean target_field: minLength: 1 type: string trim_key: minLength: 1 type: string trim_value: minLength: 1 type: string value_split: type: string required: - field - field_split - value_split required: - kv - additionalProperties: false type: object properties: geoip: additionalProperties: false type: object properties: database_file: minLength: 1 type: string field: minLength: 1 type: string first_only: type: boolean ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array target_field: minLength: 1 type: string required: - field required: - geoip - additionalProperties: false type: object properties: rename: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean override: type: boolean target_field: minLength: 1 type: string required: - field - target_field required: - rename - additionalProperties: false type: object properties: set: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_empty_value: type: boolean media_type: type: string override: type: boolean value: minLength: 1 type: string required: - field - value required: - set - additionalProperties: false type: object properties: urldecode: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean target_field: minLength: 1 type: string required: - field required: - urldecode - additionalProperties: false type: object properties: user_agent: additionalProperties: false type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array regex_file: minLength: 1 type: string target_field: minLength: 1 type: string required: - field required: - user_agent type: array required: - lifecycle - processing required: - ingest - type: object properties: ingest: additionalProperties: false type: object properties: wired: additionalProperties: false type: object properties: fields: additionalProperties: allOf: - additionalProperties: anyOf: - anyOf: - type: string - type: number - type: boolean - enum: - 'null' nullable: true - not: {} - items: anyOf: - type: string - type: number - type: boolean - enum: - 'null' nullable: true - not: {} type: array - {} type: object - anyOf: - additionalProperties: false type: object properties: format: minLength: 1 type: string type: enum: - keyword - match_only_text - long - double - date - boolean - ip type: string required: - type - additionalProperties: false type: object properties: type: enum: - system type: string required: - type type: object routing: items: additionalProperties: false type: object properties: destination: minLength: 1 type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always required: - destination - if type: array required: - fields - routing required: - wired required: - ingest required: - stream - type: object properties: {} - type: object properties: stream: allOf: - additionalProperties: true type: object properties: name: not: {} - additionalProperties: false type: object properties: description: type: string name: type: string required: - name - description required: - stream - type: object properties: dashboards: items: type: string type: array queries: items: allOf: - type: object properties: id: minLength: 1 type: string title: minLength: 1 type: string required: - id - title - type: object properties: kql: additionalProperties: false type: object properties: query: minLength: 1 type: string required: - query required: - kql type: array required: - dashboards - queries - type: object properties: stream: allOf: - additionalProperties: true type: object properties: name: not: {} - additionalProperties: false type: object properties: ingest: additionalProperties: false type: object properties: lifecycle: anyOf: - additionalProperties: false type: object properties: dsl: additionalProperties: false type: object properties: data_retention: minLength: 1 type: string required: - dsl - additionalProperties: false type: object properties: ilm: additionalProperties: false type: object properties: policy: minLength: 1 type: string required: - policy required: - ilm - additionalProperties: false type: object properties: inherit: additionalProperties: false type: object properties: {} required: - inherit processing: items: anyOf: - additionalProperties: false type: object properties: date: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string formats: items: minLength: 1 type: string type: array locale: minLength: 1 type: string output_format: minLength: 1 type: string target_field: minLength: 1 type: string timezone: minLength: 1 type: string required: - field - formats required: - date - additionalProperties: false type: object properties: dissect: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: append_separator: minLength: 1 type: string field: minLength: 1 type: string ignore_missing: type: boolean pattern: minLength: 1 type: string required: - field - pattern required: - dissect - additionalProperties: false type: object properties: grok: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean pattern_definitions: additionalProperties: type: string type: object patterns: items: minLength: 1 type: string minItems: 1 type: array required: - field - patterns required: - grok - additionalProperties: false type: object properties: manual_ingest_pipeline: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: on_failure: items: additionalProperties: {} type: object type: array processors: items: additionalProperties: false type: object properties: append: {} attachment: {} bytes: {} circle: {} community_id: {} convert: {} csv: {} date: {} date_index_name: {} dissect: {} dot_expander: {} drop: {} enrich: {} fail: {} fingerprint: {} foreach: {} geo_grid: {} geoip: {} grok: {} gsub: {} html_strip: {} inference: {} ip_location: {} join: {} json: {} kv: {} lowercase: {} network_direction: {} pipeline: {} redact: {} registered_domain: {} remove: {} rename: {} reroute: {} script: {} set: {} set_security_user: {} sort: {} split: {} terminate: {} trim: {} uppercase: {} uri_parts: {} urldecode: {} user_agent: {} required: - append - attachment - bytes - circle - community_id - convert - csv - date - date_index_name - dissect - dot_expander - drop - enrich - fail - fingerprint - foreach - ip_location - geo_grid - geoip - grok - gsub - html_strip - inference - join - json - kv - lowercase - network_direction - pipeline - redact - registered_domain - remove - rename - reroute - script - set - set_security_user - sort - split - terminate - trim - uppercase - urldecode - uri_parts - user_agent type: array tag: type: string required: - processors required: - manual_ingest_pipeline - additionalProperties: false type: object properties: kv: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: exclude_keys: items: minLength: 1 type: string type: array field: minLength: 1 type: string field_split: type: string ignore_missing: type: boolean include_keys: items: minLength: 1 type: string type: array prefix: minLength: 1 type: string strip_brackets: type: boolean target_field: minLength: 1 type: string trim_key: minLength: 1 type: string trim_value: minLength: 1 type: string value_split: type: string required: - field - field_split - value_split required: - kv - additionalProperties: false type: object properties: geoip: additionalProperties: false type: object properties: database_file: minLength: 1 type: string field: minLength: 1 type: string first_only: type: boolean ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array target_field: minLength: 1 type: string required: - field required: - geoip - additionalProperties: false type: object properties: rename: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean override: type: boolean target_field: minLength: 1 type: string required: - field - target_field required: - rename - additionalProperties: false type: object properties: set: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_empty_value: type: boolean media_type: type: string override: type: boolean value: minLength: 1 type: string required: - field - value required: - set - additionalProperties: false type: object properties: urldecode: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean target_field: minLength: 1 type: string required: - field required: - urldecode - additionalProperties: false type: object properties: user_agent: additionalProperties: false type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array regex_file: minLength: 1 type: string target_field: minLength: 1 type: string required: - field required: - user_agent type: array required: - lifecycle - processing required: - ingest required: - stream - type: object properties: {} - type: object properties: {} - allOf: - type: object properties: {} - type: object properties: stream: allOf: - additionalProperties: true type: object properties: name: not: {} - additionalProperties: false type: object properties: description: type: string name: type: string required: - name - description required: - stream - type: object properties: dashboards: items: type: string type: array queries: items: allOf: - type: object properties: id: minLength: 1 type: string title: minLength: 1 type: string required: - id - title - type: object properties: kql: additionalProperties: false type: object properties: query: minLength: 1 type: string required: - query required: - kql type: array required: - dashboards - queries - type: object properties: stream: allOf: - additionalProperties: true type: object properties: name: not: {} - allOf: - type: object properties: {} - type: object properties: description: type: string name: type: string required: - name - description - type: object properties: ingest: additionalProperties: false type: object properties: lifecycle: anyOf: - additionalProperties: false type: object properties: dsl: additionalProperties: false type: object properties: data_retention: minLength: 1 type: string required: - dsl - additionalProperties: false type: object properties: ilm: additionalProperties: false type: object properties: policy: minLength: 1 type: string required: - policy required: - ilm - additionalProperties: false type: object properties: inherit: additionalProperties: false type: object properties: {} required: - inherit processing: items: anyOf: - additionalProperties: false type: object properties: date: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string formats: items: minLength: 1 type: string type: array locale: minLength: 1 type: string output_format: minLength: 1 type: string target_field: minLength: 1 type: string timezone: minLength: 1 type: string required: - field - formats required: - date - additionalProperties: false type: object properties: dissect: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: append_separator: minLength: 1 type: string field: minLength: 1 type: string ignore_missing: type: boolean pattern: minLength: 1 type: string required: - field - pattern required: - dissect - additionalProperties: false type: object properties: grok: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean pattern_definitions: additionalProperties: type: string type: object patterns: items: minLength: 1 type: string minItems: 1 type: array required: - field - patterns required: - grok - additionalProperties: false type: object properties: manual_ingest_pipeline: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: on_failure: items: additionalProperties: {} type: object type: array processors: items: additionalProperties: false type: object properties: append: {} attachment: {} bytes: {} circle: {} community_id: {} convert: {} csv: {} date: {} date_index_name: {} dissect: {} dot_expander: {} drop: {} enrich: {} fail: {} fingerprint: {} foreach: {} geo_grid: {} geoip: {} grok: {} gsub: {} html_strip: {} inference: {} ip_location: {} join: {} json: {} kv: {} lowercase: {} network_direction: {} pipeline: {} redact: {} registered_domain: {} remove: {} rename: {} reroute: {} script: {} set: {} set_security_user: {} sort: {} split: {} terminate: {} trim: {} uppercase: {} uri_parts: {} urldecode: {} user_agent: {} required: - append - attachment - bytes - circle - community_id - convert - csv - date - date_index_name - dissect - dot_expander - drop - enrich - fail - fingerprint - foreach - ip_location - geo_grid - geoip - grok - gsub - html_strip - inference - join - json - kv - lowercase - network_direction - pipeline - redact - registered_domain - remove - rename - reroute - script - set - set_security_user - sort - split - terminate - trim - uppercase - urldecode - uri_parts - user_agent type: array tag: type: string required: - processors required: - manual_ingest_pipeline - additionalProperties: false type: object properties: kv: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: exclude_keys: items: minLength: 1 type: string type: array field: minLength: 1 type: string field_split: type: string ignore_missing: type: boolean include_keys: items: minLength: 1 type: string type: array prefix: minLength: 1 type: string strip_brackets: type: boolean target_field: minLength: 1 type: string trim_key: minLength: 1 type: string trim_value: minLength: 1 type: string value_split: type: string required: - field - field_split - value_split required: - kv - additionalProperties: false type: object properties: geoip: additionalProperties: false type: object properties: database_file: minLength: 1 type: string field: minLength: 1 type: string first_only: type: boolean ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array target_field: minLength: 1 type: string required: - field required: - geoip - additionalProperties: false type: object properties: rename: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean override: type: boolean target_field: minLength: 1 type: string required: - field - target_field required: - rename - additionalProperties: false type: object properties: set: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_empty_value: type: boolean media_type: type: string override: type: boolean value: minLength: 1 type: string required: - field - value required: - set - additionalProperties: false type: object properties: urldecode: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean target_field: minLength: 1 type: string required: - field required: - urldecode - additionalProperties: false type: object properties: user_agent: additionalProperties: false type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array regex_file: minLength: 1 type: string target_field: minLength: 1 type: string required: - field required: - user_agent type: array required: - lifecycle - processing required: - ingest - type: object properties: ingest: additionalProperties: false type: object properties: unwired: additionalProperties: false type: object properties: {} required: - unwired required: - ingest required: - stream - type: object properties: {} - type: object properties: stream: allOf: - additionalProperties: true type: object properties: name: not: {} - additionalProperties: false type: object properties: description: type: string name: type: string required: - name - description required: - stream - type: object properties: dashboards: items: type: string type: array queries: items: allOf: - type: object properties: id: minLength: 1 type: string title: minLength: 1 type: string required: - id - title - type: object properties: kql: additionalProperties: false type: object properties: query: minLength: 1 type: string required: - query required: - kql type: array required: - dashboards - queries - type: object properties: stream: allOf: - additionalProperties: true type: object properties: name: not: {} - additionalProperties: false type: object properties: ingest: additionalProperties: false type: object properties: lifecycle: anyOf: - additionalProperties: false type: object properties: dsl: additionalProperties: false type: object properties: data_retention: minLength: 1 type: string required: - dsl - additionalProperties: false type: object properties: ilm: additionalProperties: false type: object properties: policy: minLength: 1 type: string required: - policy required: - ilm - additionalProperties: false type: object properties: inherit: additionalProperties: false type: object properties: {} required: - inherit processing: items: anyOf: - additionalProperties: false type: object properties: date: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string formats: items: minLength: 1 type: string type: array locale: minLength: 1 type: string output_format: minLength: 1 type: string target_field: minLength: 1 type: string timezone: minLength: 1 type: string required: - field - formats required: - date - additionalProperties: false type: object properties: dissect: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: append_separator: minLength: 1 type: string field: minLength: 1 type: string ignore_missing: type: boolean pattern: minLength: 1 type: string required: - field - pattern required: - dissect - additionalProperties: false type: object properties: grok: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean pattern_definitions: additionalProperties: type: string type: object patterns: items: minLength: 1 type: string minItems: 1 type: array required: - field - patterns required: - grok - additionalProperties: false type: object properties: manual_ingest_pipeline: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: on_failure: items: additionalProperties: {} type: object type: array processors: items: additionalProperties: false type: object properties: append: {} attachment: {} bytes: {} circle: {} community_id: {} convert: {} csv: {} date: {} date_index_name: {} dissect: {} dot_expander: {} drop: {} enrich: {} fail: {} fingerprint: {} foreach: {} geo_grid: {} geoip: {} grok: {} gsub: {} html_strip: {} inference: {} ip_location: {} join: {} json: {} kv: {} lowercase: {} network_direction: {} pipeline: {} redact: {} registered_domain: {} remove: {} rename: {} reroute: {} script: {} set: {} set_security_user: {} sort: {} split: {} terminate: {} trim: {} uppercase: {} uri_parts: {} urldecode: {} user_agent: {} required: - append - attachment - bytes - circle - community_id - convert - csv - date - date_index_name - dissect - dot_expander - drop - enrich - fail - fingerprint - foreach - ip_location - geo_grid - geoip - grok - gsub - html_strip - inference - join - json - kv - lowercase - network_direction - pipeline - redact - registered_domain - remove - rename - reroute - script - set - set_security_user - sort - split - terminate - trim - uppercase - urldecode - uri_parts - user_agent type: array tag: type: string required: - processors required: - manual_ingest_pipeline - additionalProperties: false type: object properties: kv: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: exclude_keys: items: minLength: 1 type: string type: array field: minLength: 1 type: string field_split: type: string ignore_missing: type: boolean include_keys: items: minLength: 1 type: string type: array prefix: minLength: 1 type: string strip_brackets: type: boolean target_field: minLength: 1 type: string trim_key: minLength: 1 type: string trim_value: minLength: 1 type: string value_split: type: string required: - field - field_split - value_split required: - kv - additionalProperties: false type: object properties: geoip: additionalProperties: false type: object properties: database_file: minLength: 1 type: string field: minLength: 1 type: string first_only: type: boolean ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array target_field: minLength: 1 type: string required: - field required: - geoip - additionalProperties: false type: object properties: rename: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean override: type: boolean target_field: minLength: 1 type: string required: - field - target_field required: - rename - additionalProperties: false type: object properties: set: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_empty_value: type: boolean media_type: type: string override: type: boolean value: minLength: 1 type: string required: - field - value required: - set - additionalProperties: false type: object properties: urldecode: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean target_field: minLength: 1 type: string required: - field required: - urldecode - additionalProperties: false type: object properties: user_agent: additionalProperties: false type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array regex_file: minLength: 1 type: string target_field: minLength: 1 type: string required: - field required: - user_agent type: array required: - lifecycle - processing required: - ingest required: - stream - type: object properties: {} - type: object properties: {} - allOf: - type: object properties: {} - type: object properties: stream: allOf: - additionalProperties: true type: object properties: name: not: {} - additionalProperties: false type: object properties: description: type: string name: type: string required: - name - description required: - stream - type: object properties: dashboards: items: type: string type: array queries: items: allOf: - type: object properties: id: minLength: 1 type: string title: minLength: 1 type: string required: - id - title - type: object properties: kql: additionalProperties: false type: object properties: query: minLength: 1 type: string required: - query required: - kql type: array required: - dashboards - queries - type: object properties: stream: allOf: - additionalProperties: true type: object properties: name: not: {} - additionalProperties: false type: object properties: group: additionalProperties: false type: object properties: members: items: type: string type: array required: - members required: - group required: - stream - type: object properties: {} responses: {} summary: Create or update a stream tags: - streams x-state: Technical Preview /api/streams/{name}/_fork: post: description: 'Forks a wired stream and creates a child stream

[Required authorization] Route required privileges: manage_stream.' operationId: post-streams-name-fork parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always stream: additionalProperties: false type: object properties: name: type: string required: - name required: - stream - if responses: {} summary: Fork a stream tags: - streams x-state: Technical Preview /api/streams/{name}/_group: get: description: 'Fetches the group settings of a group stream definition

[Required authorization] Route required privileges: read_stream.' operationId: get-streams-name-group parameters: - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Get group stream settings tags: - streams x-state: Technical Preview put: description: 'Upserts the group settings of a group stream definition

[Required authorization] Route required privileges: manage_stream.' operationId: put-streams-name-group parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: group: additionalProperties: false type: object properties: members: items: type: string type: array required: - members required: - group responses: {} summary: Upsert group stream settings tags: - streams x-state: Technical Preview /api/streams/{name}/_ingest: get: description: 'Fetches the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: read_stream.' operationId: get-streams-name-ingest parameters: - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Get ingest stream settings tags: - streams x-state: Technical Preview put: description: 'Upserts the ingest settings of an ingest stream definition

[Required authorization] Route required privileges: manage_stream.' operationId: put-streams-name-ingest parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: ingest: anyOf: - allOf: - type: object properties: lifecycle: anyOf: - additionalProperties: false type: object properties: dsl: additionalProperties: false type: object properties: data_retention: minLength: 1 type: string required: - dsl - additionalProperties: false type: object properties: ilm: additionalProperties: false type: object properties: policy: minLength: 1 type: string required: - policy required: - ilm - additionalProperties: false type: object properties: inherit: additionalProperties: false type: object properties: {} required: - inherit processing: items: anyOf: - additionalProperties: false type: object properties: date: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string formats: items: minLength: 1 type: string type: array locale: minLength: 1 type: string output_format: minLength: 1 type: string target_field: minLength: 1 type: string timezone: minLength: 1 type: string required: - field - formats required: - date - additionalProperties: false type: object properties: dissect: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: append_separator: minLength: 1 type: string field: minLength: 1 type: string ignore_missing: type: boolean pattern: minLength: 1 type: string required: - field - pattern required: - dissect - additionalProperties: false type: object properties: grok: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean pattern_definitions: additionalProperties: type: string type: object patterns: items: minLength: 1 type: string minItems: 1 type: array required: - field - patterns required: - grok - additionalProperties: false type: object properties: manual_ingest_pipeline: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: on_failure: items: additionalProperties: {} type: object type: array processors: items: additionalProperties: false type: object properties: append: {} attachment: {} bytes: {} circle: {} community_id: {} convert: {} csv: {} date: {} date_index_name: {} dissect: {} dot_expander: {} drop: {} enrich: {} fail: {} fingerprint: {} foreach: {} geo_grid: {} geoip: {} grok: {} gsub: {} html_strip: {} inference: {} ip_location: {} join: {} json: {} kv: {} lowercase: {} network_direction: {} pipeline: {} redact: {} registered_domain: {} remove: {} rename: {} reroute: {} script: {} set: {} set_security_user: {} sort: {} split: {} terminate: {} trim: {} uppercase: {} uri_parts: {} urldecode: {} user_agent: {} required: - append - attachment - bytes - circle - community_id - convert - csv - date - date_index_name - dissect - dot_expander - drop - enrich - fail - fingerprint - foreach - ip_location - geo_grid - geoip - grok - gsub - html_strip - inference - join - json - kv - lowercase - network_direction - pipeline - redact - registered_domain - remove - rename - reroute - script - set - set_security_user - sort - split - terminate - trim - uppercase - urldecode - uri_parts - user_agent type: array tag: type: string required: - processors required: - manual_ingest_pipeline - additionalProperties: false type: object properties: kv: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: exclude_keys: items: minLength: 1 type: string type: array field: minLength: 1 type: string field_split: type: string ignore_missing: type: boolean include_keys: items: minLength: 1 type: string type: array prefix: minLength: 1 type: string strip_brackets: type: boolean target_field: minLength: 1 type: string trim_key: minLength: 1 type: string trim_value: minLength: 1 type: string value_split: type: string required: - field - field_split - value_split required: - kv - additionalProperties: false type: object properties: geoip: additionalProperties: false type: object properties: database_file: minLength: 1 type: string field: minLength: 1 type: string first_only: type: boolean ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array target_field: minLength: 1 type: string required: - field required: - geoip - additionalProperties: false type: object properties: rename: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean override: type: boolean target_field: minLength: 1 type: string required: - field - target_field required: - rename - additionalProperties: false type: object properties: set: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_empty_value: type: boolean media_type: type: string override: type: boolean value: minLength: 1 type: string required: - field - value required: - set - additionalProperties: false type: object properties: urldecode: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean target_field: minLength: 1 type: string required: - field required: - urldecode - additionalProperties: false type: object properties: user_agent: additionalProperties: false type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array regex_file: minLength: 1 type: string target_field: minLength: 1 type: string required: - field required: - user_agent type: array required: - lifecycle - processing - type: object properties: wired: additionalProperties: false type: object properties: fields: additionalProperties: allOf: - additionalProperties: anyOf: - anyOf: - type: string - type: number - type: boolean - enum: - 'null' nullable: true - not: {} - items: anyOf: - type: string - type: number - type: boolean - enum: - 'null' nullable: true - not: {} type: array - {} type: object - anyOf: - additionalProperties: false type: object properties: format: minLength: 1 type: string type: enum: - keyword - match_only_text - long - double - date - boolean - ip type: string required: - type - additionalProperties: false type: object properties: type: enum: - system type: string required: - type type: object routing: items: additionalProperties: false type: object properties: destination: minLength: 1 type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always required: - destination - if type: array required: - fields - routing required: - wired - allOf: - type: object properties: lifecycle: anyOf: - additionalProperties: false type: object properties: dsl: additionalProperties: false type: object properties: data_retention: minLength: 1 type: string required: - dsl - additionalProperties: false type: object properties: ilm: additionalProperties: false type: object properties: policy: minLength: 1 type: string required: - policy required: - ilm - additionalProperties: false type: object properties: inherit: additionalProperties: false type: object properties: {} required: - inherit processing: items: anyOf: - additionalProperties: false type: object properties: date: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string formats: items: minLength: 1 type: string type: array locale: minLength: 1 type: string output_format: minLength: 1 type: string target_field: minLength: 1 type: string timezone: minLength: 1 type: string required: - field - formats required: - date - additionalProperties: false type: object properties: dissect: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: append_separator: minLength: 1 type: string field: minLength: 1 type: string ignore_missing: type: boolean pattern: minLength: 1 type: string required: - field - pattern required: - dissect - additionalProperties: false type: object properties: grok: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean pattern_definitions: additionalProperties: type: string type: object patterns: items: minLength: 1 type: string minItems: 1 type: array required: - field - patterns required: - grok - additionalProperties: false type: object properties: manual_ingest_pipeline: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: on_failure: items: additionalProperties: {} type: object type: array processors: items: additionalProperties: false type: object properties: append: {} attachment: {} bytes: {} circle: {} community_id: {} convert: {} csv: {} date: {} date_index_name: {} dissect: {} dot_expander: {} drop: {} enrich: {} fail: {} fingerprint: {} foreach: {} geo_grid: {} geoip: {} grok: {} gsub: {} html_strip: {} inference: {} ip_location: {} join: {} json: {} kv: {} lowercase: {} network_direction: {} pipeline: {} redact: {} registered_domain: {} remove: {} rename: {} reroute: {} script: {} set: {} set_security_user: {} sort: {} split: {} terminate: {} trim: {} uppercase: {} uri_parts: {} urldecode: {} user_agent: {} required: - append - attachment - bytes - circle - community_id - convert - csv - date - date_index_name - dissect - dot_expander - drop - enrich - fail - fingerprint - foreach - ip_location - geo_grid - geoip - grok - gsub - html_strip - inference - join - json - kv - lowercase - network_direction - pipeline - redact - registered_domain - remove - rename - reroute - script - set - set_security_user - sort - split - terminate - trim - uppercase - urldecode - uri_parts - user_agent type: array tag: type: string required: - processors required: - manual_ingest_pipeline - additionalProperties: false type: object properties: kv: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: exclude_keys: items: minLength: 1 type: string type: array field: minLength: 1 type: string field_split: type: string ignore_missing: type: boolean include_keys: items: minLength: 1 type: string type: array prefix: minLength: 1 type: string strip_brackets: type: boolean target_field: minLength: 1 type: string trim_key: minLength: 1 type: string trim_value: minLength: 1 type: string value_split: type: string required: - field - field_split - value_split required: - kv - additionalProperties: false type: object properties: geoip: additionalProperties: false type: object properties: database_file: minLength: 1 type: string field: minLength: 1 type: string first_only: type: boolean ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array target_field: minLength: 1 type: string required: - field required: - geoip - additionalProperties: false type: object properties: rename: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean override: type: boolean target_field: minLength: 1 type: string required: - field - target_field required: - rename - additionalProperties: false type: object properties: set: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_empty_value: type: boolean media_type: type: string override: type: boolean value: minLength: 1 type: string required: - field - value required: - set - additionalProperties: false type: object properties: urldecode: allOf: - type: object properties: description: type: string if: anyOf: - anyOf: - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - exists - notExists type: string required: - field - operator - additionalProperties: false type: object properties: field: minLength: 1 type: string operator: enum: - eq - neq - lt - lte - gt - gte - contains - startsWith - endsWith type: string value: anyOf: - type: string - type: number - type: boolean required: - field - operator - value - additionalProperties: false type: object properties: and: items: {} type: array required: - and - additionalProperties: false type: object properties: or: items: {} type: array required: - or - additionalProperties: false type: object properties: never: additionalProperties: false type: object properties: {} required: - never - additionalProperties: false type: object properties: always: additionalProperties: false type: object properties: {} required: - always ignore_failure: type: boolean - type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean target_field: minLength: 1 type: string required: - field required: - urldecode - additionalProperties: false type: object properties: user_agent: additionalProperties: false type: object properties: field: minLength: 1 type: string ignore_missing: type: boolean properties: items: minLength: 1 type: string type: array regex_file: minLength: 1 type: string target_field: minLength: 1 type: string required: - field required: - user_agent type: array required: - lifecycle - processing - type: object properties: unwired: additionalProperties: false type: object properties: {} required: - unwired required: - ingest responses: {} summary: Update ingest stream settings tags: - streams x-state: Technical Preview /api/streams/{name}/content/export: post: description: 'Exports the content associated to a stream.

[Required authorization] Route required privileges: manage_stream.' operationId: post-streams-name-content-export parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: description: type: string include: anyOf: - additionalProperties: false type: object properties: objects: additionalProperties: false type: object properties: dashboards: items: type: string type: array required: - dashboards required: - objects - additionalProperties: false type: object properties: all: additionalProperties: false type: object properties: {} required: - all name: type: string replaced_patterns: items: type: string type: array version: type: string required: - name - description - version - replaced_patterns - include responses: {} summary: Export stream content tags: - streams /api/streams/{name}/content/import: post: description: 'Links content objects to a stream.

[Required authorization] Route required privileges: manage_stream.' operationId: post-streams-name-content-import parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: multipart/form-data: schema: additionalProperties: false type: object properties: content: {} include: type: string required: - include - content responses: {} summary: Import content into a stream tags: - streams /api/streams/{name}/dashboards: get: description: 'Fetches all dashboards linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream.' operationId: get-streams-name-dashboards parameters: - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Get stream dashboards tags: - streams x-state: Technical Preview /api/streams/{name}/dashboards/_bulk: post: description: 'Bulk update dashboards linked to a stream. Can link new dashboards and delete existing ones.

[Required authorization] Route required privileges: manage_stream.' operationId: post-streams-name-dashboards-bulk parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: operations: items: anyOf: - additionalProperties: false type: object properties: index: additionalProperties: false type: object properties: id: type: string required: - id required: - index - additionalProperties: false type: object properties: delete: additionalProperties: false type: object properties: id: type: string required: - id required: - delete type: array required: - operations responses: {} summary: Bulk update dashboards tags: - streams x-state: Technical Preview /api/streams/{name}/dashboards/{dashboardId}: delete: description: 'Unlinks a dashboard from a stream. Noop if the dashboard is not linked to the stream.

[Required authorization] Route required privileges: manage_stream.' operationId: delete-streams-name-dashboards-dashboardid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string - in: path name: dashboardId required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Unlink a dashboard from a stream tags: - streams x-state: Technical Preview put: description: 'Links a dashboard to a stream. Noop if the dashboard is already linked to the stream.

[Required authorization] Route required privileges: manage_stream.' operationId: put-streams-name-dashboards-dashboardid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string - in: path name: dashboardId required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Link a dashboard to a stream tags: - streams x-state: Technical Preview /api/streams/{name}/queries: get: description: 'Fetches all queries linked to a stream that are visible to the current user in the current space.

[Required authorization] Route required privileges: read_stream.' operationId: get-streams-name-queries parameters: - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Get stream queries tags: - streams x-state: Technical Preview /api/streams/{name}/queries/_bulk: post: description: 'Bulk update queries of a stream. Can add new queries and delete existing ones.

[Required authorization] Route required privileges: manage_stream.' operationId: post-streams-name-queries-bulk parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: operations: items: anyOf: - additionalProperties: false type: object properties: index: allOf: - type: object properties: id: minLength: 1 type: string title: minLength: 1 type: string required: - id - title - type: object properties: kql: additionalProperties: false type: object properties: query: minLength: 1 type: string required: - query required: - kql required: - index - additionalProperties: false type: object properties: delete: additionalProperties: false type: object properties: id: type: string required: - id required: - delete type: array required: - operations responses: {} summary: Bulk update queries tags: - streams x-state: Technical Preview /api/streams/{name}/queries/{queryId}: delete: description: 'Remove a query from a stream. Noop if the query is not found on the stream.

[Required authorization] Route required privileges: manage_stream.' operationId: delete-streams-name-queries-queryid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string - in: path name: queryId required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Remove a query from a stream tags: - streams x-state: Technical Preview put: description: 'Adds a query to a stream. Noop if the query is already present on the stream.

[Required authorization] Route required privileges: manage_stream.' operationId: put-streams-name-queries-queryid parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: type: string - in: path name: queryId required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: kql: additionalProperties: false type: object properties: query: minLength: 1 type: string required: - query title: minLength: 1 type: string required: - title - kql responses: {} summary: Upsert a query to a stream tags: - streams x-state: Technical Preview /api/streams/{name}/significant_events: get: description: 'Read the significant events

[Required authorization] Route required privileges: read_stream.' operationId: get-streams-name-significant-events parameters: - in: path name: name required: true schema: type: string - in: query name: from required: true schema: format: date-time type: string - in: query name: to required: true schema: format: date-time type: string - in: query name: bucketSize required: true schema: type: string requestBody: content: application/json: schema: anyOf: - additionalProperties: false type: object properties: {} - enum: - 'null' nullable: true - not: {} responses: {} summary: Read the significant events tags: - streams x-state: Technical Preview /api/synthetics/monitors: get: description: | Get a list of monitors. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: get-synthetic-monitors parameters: - description: Additional filtering criteria. in: query name: filter schema: type: string - description: The locations to filter by. in: query name: locations schema: oneOf: - type: string - type: array - description: The monitor types to filter. in: query name: monitorTypes schema: oneOf: - enum: - browser - http - icmp - tcp type: string - type: array - description: The page number for paginated results. in: query name: page schema: type: integer - description: The number of items to return per page. in: query name: per_page schema: type: integer - description: The projects to filter by. in: query name: projects schema: oneOf: - type: string - type: array - description: A free-text query string. in: query name: query schema: type: string - description: The schedules to filter by. in: query name: schedules schema: oneOf: - type: array - type: string - description: The field to sort the results by. in: query name: sortField schema: enum: - name - createdAt - updatedAt - status type: string - description: The sort order. in: query name: sortOrder schema: enum: - asc - desc type: string - description: The status to filter by. in: query name: status schema: oneOf: - type: array - type: string - description: Tags to filter monitors. in: query name: tags schema: oneOf: - type: string - type: array - description: | Specifies whether to apply logical AND filtering for specific fields. Accepts either a string with values "tags" or "locations" or an array containing both. in: query name: useLogicalAndFor schema: oneOf: - enum: - tags - locations type: string - items: enum: - tags - locations type: string type: array responses: '200': content: application/json: examples: getSyntheticMonitorsResponseExample1: description: A successful response from `GET /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. value: |- { "page": 1, "total": 24, "monitors": [ { "type": "icmp", "enabled": false, "alert": { "status": { "enabled": true }, "tls": { "enabled": true } }, "schedule": { "number": "3", "unit": "m" }, "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", "timeout": "16", "name": "8.8.8.8:80", "locations": [ { "id": "us_central", "label": "North America - US Central", "geo": { "lat": 41.25, "lon": -95.86 }, "isServiceManaged": true } ], "namespace": "default", "origin": "ui", "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", "max_attempts": 2, "wait": "7", "revision": 3, "mode": "all", "ipv4": true, "ipv6": true, "created_at": "2023-11-07T09:57:04.152Z", "updated_at": "2023-12-04T19:19:34.039Z", "host": "8.8.8.8:80" } ], "absoluteTotal": 24, "perPage": 10, } schema: type: object description: A successful response. summary: Get monitors tags: - synthetics post: description: | Create a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: post-synthetic-monitors requestBody: content: application/json: examples: postSyntheticMonitorsRequestExample1: description: Create an HTTP monitor to check a website's availability. summary: HTTP monitor value: |- { "type": "http", "name": "Website Availability", "url": "https://example.com", "tags": ["website", "availability"], "locations": ["united_kingdom"] } postSyntheticMonitorsRequestExample2: description: Create a TCP monitor to monitor a server's availability. summary: TCP monitor value: |- { "type": "tcp", "name": "Server Availability", "host": "example.com", "private_locations": ["my_private_location"] } postSyntheticMonitorsRequestExample3: description: Create an ICMP monitor to perform ping checks. summary: ICMP monitor value: |- { "type": "icmp", "name": "Ping Test", "host": "example.com", "locations": ["united_kingdom"] } postSyntheticMonitorsRequestExample4: description: Create a browser monitor to check a website. summary: Browser monitor value: |- { "type": "browser", "name": "Example journey", "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", "locations": ["united_kingdom"] } schema: description: | The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' required: true responses: '200': description: A successful response. summary: Create a monitor tags: - synthetics /api/synthetics/monitors/_bulk_delete: post: description: | Delete multiple monitors by sending a list of config IDs. operationId: delete-synthetic-monitors requestBody: content: application/json: examples: bulkDeleteRequestExample1: description: Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors. value: |- { "ids": [ "monitor1-id", "monitor2-id" ] } schema: type: object properties: ids: description: An array of monitor IDs to delete. items: type: string type: array required: - ids required: true responses: '200': content: application/json: examples: deleteMonitorsResponseExample1: description: A response from successfully deleting multiple monitors. value: |- [ { "id": "monitor1-id", "deleted": true }, { "id": "monitor2-id", "deleted": true } ] schema: items: description: The API response includes information about the deleted monitors. type: object properties: deleted: description: | If it is `true`, the monitor was successfully deleted If it is `false`, the monitor was not deleted. type: boolean ids: description: The unique identifier of the deleted monitor. type: string type: array summary: Delete monitors tags: - synthetics /api/synthetics/monitors/{id}: delete: description: | Delete a monitor from the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: delete-synthetic-monitor parameters: - description: The identifier for the monitor that you want to delete. in: path name: id required: true schema: type: string summary: Delete a monitor tags: - synthetics get: operationId: get-synthetic-monitor parameters: - description: The ID of the monitor. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getSyntheticMonitorResponseExample1: description: A successful response from `GET /api/synthetics/monitors/`. value: |- { "type": "http", "enabled": true, "alert": { "status": { "enabled": true }, "tls": { "enabled": true } }, "schedule": { "number": "3", "unit": "m" }, "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", "timeout": "16", "name": "am i something", "locations": [ { "id": "us_central", "label": "North America - US Central", "geo": { "lat": 41.25, "lon": -95.86 }, "isServiceManaged": true } ], "namespace": "default", "origin": "ui", "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", "max_attempts": 2, "__ui": { "is_tls_enabled": false }, "max_redirects": "0", "response.include_body": "on_error", "response.include_headers": true, "check.request.method": "GET", "mode": "any", "response.include_body_max_bytes": "1024", "ipv4": true, "ipv6": true, "ssl.verification_mode": "full", "ssl.supported_protocols": [ "TLSv1.1", "TLSv1.2", "TLSv1.3" ], "revision": 13, "created_at": "2023-11-08T08:45:29.334Z", "updated_at": "2023-12-18T20:31:44.770Z", "url": "https://fast.com" } schema: type: object '404': description: If the monitor is not found, the API returns a 404 error. summary: Get a monitor tags: - synthetics put: description: | Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. You can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the `inline_scipt` field of a HTTP monitor. operationId: put-synthetic-monitor parameters: - description: The identifier for the monitor that you want to update. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putSyntheticMonitorsRequestExample1: description: Update an HTTP monitor that checks a website's availability. summary: HTTP monitor value: |- { "type": "http", "name": "Website Availability", "url": "https://example.com", "tags": ["website", "availability"], "locations": ["united_kingdom"] } putSyntheticMonitorsRequestExample2: description: Update a TCP monitor that monitors a server's availability. summary: TCP monitor value: |- { "type": "tcp", "name": "Server Availability", "host": "example.com", "private_locations": ["my_private_location"] } putSyntheticMonitorsRequestExample3: description: Update an ICMP monitor that performs ping checks. summary: ICMP monitor value: |- { "type": "icmp", "name": "Ping Test", "host": "example.com", "locations": ["united_kingdom"] } putSyntheticMonitorsRequestExample4: description: Update a browser monitor that checks a website. summary: Browser monitor value: |- { "type": "browser", "name": "Example journey", "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", "locations": ["united_kingdom"] } schema: description: | The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' type: object required: true summary: Update a monitor tags: - synthetics /api/synthetics/params: get: description: | Get a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: get-parameters responses: '200': content: application/json: examples: getParametersResponseExample1: description: A successful response for a user with read-only permissions to get a list of parameters. summary: Read access value: |- [ { "id": "param1-id", "key": "param1", "description": "Description for param1", "tags": ["tag1", "tag2"], "namespaces": ["namespace1"] }, { "id": "param2-id", "key": "param2", "description": "Description for param2", "tags": ["tag3"], "namespaces": ["namespace2"] } ] getParametersResponseExample2: description: A successful response for a user with write permissions to get a list of parameters. summary: Write access value: |- [ { "id": "param1-id", "key": "param1", "description": "Description for param1", "tags": ["tag1", "tag2"], "namespaces": ["namespace1"], "value": "value1" }, { "id": "param2-id", "key": "param2", "description": "Description for param2", "tags": ["tag3"], "namespaces": ["namespace2"], "value": "value2" } ] schema: items: - $ref: '#/components/schemas/Synthetics_getParameterResponse' type: array description: A successful response. summary: Get parameters tags: - synthetics post: description: | Add one or more parameters to the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: post-parameters requestBody: content: application/json: examples: postParametersRequestExample1: description: Add a single parameter. summary: Single parameter value: |- { "key": "your-key-name", "value": "your-parameter-value", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "share_across_spaces": true } postParametersRequestExample2: description: Add multiple parameters. summary: Multiple parameters value: |- [ { "key": "param1", "value": "value1" }, { "key": "param2", "value": "value2" } ] schema: oneOf: - items: $ref: '#/components/schemas/Synthetics_parameterRequest' type: array - $ref: '#/components/schemas/Synthetics_parameterRequest' description: The request body can contain either a single parameter object or an array of parameter objects. required: true responses: '200': content: application/json: examples: postParametersResponseExample1: description: A successful response for a single added parameter. summary: Single parameter value: |- { "id": "unique-parameter-id", "key": "your-key-name", "value": "your-param-value", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "share_across_spaces": true } postParametersResponseExample2: description: A successful response for multiple added parameters. summary: Multiple parameters value: |- [ { "id": "param1-id", "key": "param1", "value": "value1" }, { "id": "param2-id", "key": "param2", "value": "value2" } ] schema: oneOf: - items: $ref: '#/components/schemas/Synthetics_postParameterResponse' type: array - $ref: '#/components/schemas/Synthetics_postParameterResponse' description: A successful response. summary: Add parameters tags: - synthetics /api/synthetics/params/_bulk_delete: delete: description: | Delete parameters from the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: delete-parameters requestBody: content: application/json: examples: deleteParametersRequestExample1: description: Run `POST /api/synthetics/params/_bulk_delete` to delete multiple parameters. value: |- { "ids": ["param1-id", "param2-id"] } schema: property: ids: description: An array of parameter IDs to delete. items: type: string type: array type: object required: true responses: '200': content: application/json: examples: deleteParametersResponseExample1: value: |- [ { "id": "param1-id", "deleted": true } ] schema: items: type: object properties: deleted: description: | Indicates whether the parameter was successfully deleted. It is `true` if it was deleted. It is `false` if it was not deleted. type: boolean id: description: The unique identifier for the deleted parameter. type: string type: array description: A successful response. summary: Delete parameters tags: - synthetics /api/synthetics/params/{id}: delete: description: | Delete a parameter from the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: delete-parameter parameters: - description: The ID for the parameter to delete. in: path name: id required: true schema: type: string summary: Delete a parameter tags: - synthetics get: description: | Get a parameter from the Synthetics app. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: get-parameter parameters: - description: The unique identifier for the parameter. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getParameterResponseExample1: description: A successful response for a user with read-only permissions to get a single parameter. summary: Read access value: |- { "id": "unique-parameter-id", "key": "your-api-key", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "namespaces": ["namespace1", "namespace2"] } getParameterResponseExample2: description: A successful response for a user with write permissions to get a single parameter. summary: Write access value: |- { "id": "unique-parameter-id", "key": "your-param-key", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "namespaces": ["namespace1", "namespace2"], "value": "your-param-value" } schema: $ref: '#/components/schemas/Synthetics_getParameterResponse' description: A successful response. summary: Get a parameter tags: - synthetics put: description: | Update a parameter in the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: put-parameter parameters: - description: The unique identifier for the parameter. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putParameterRequestExample1: value: |- { "key": "updated_param_key", "value": "updated-param-value", "description": "Updated Param to be used in browser monitor", "tags": ["authentication", "security", "updated"] } schema: type: object properties: description: description: The updated description of the parameter. type: string key: description: The key of the parameter. type: string tags: description: An array of updated tags to categorize the parameter. items: type: string type: array value: description: The updated value associated with the parameter. type: string description: The request body cannot be empty; at least one attribute is required. required: true responses: '200': content: application/json: examples: putParameterResponseExample1: value: |- { "id": "param_id1", "key": "updated_param_key", "value": "updated-param-value", "description": "Updated Param to be used in browser monitor", "tags": ["authentication", "security", "updated"] } schema: type: object description: A successful response. summary: Update a parameter tags: - synthetics /api/synthetics/private_locations: get: description: | Get a list of private locations. You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. operationId: get-private-locations responses: '200': content: application/json: examples: getPrivateLocationsResponseExample1: value: |- [ { "label": "Test private location", "id": "fleet-server-policy", "agentPolicyId": "fleet-server-policy", "isInvalid": false, "geo": { "lat": 0, "lon": 0 }, "namespace": "default" }, { "label": "Test private location 2", "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", "isInvalid": false, "geo": { "lat": 0, "lon": 0 }, "namespace": "test" } ] schema: items: $ref: '#/components/schemas/Synthetics_getPrivateLocation' type: array description: A successful response. summary: Get private locations tags: - synthetics post: description: You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. operationId: post-private-location requestBody: content: application/json: examples: postPrivateLocationRequestExample1: description: Run `POST /api/private_locations` to create a private location. value: |- { "label": "Private Location 1", "agentPolicyId": "abcd1234", "tags": ["private", "testing"], "geo": { "lat": 40.7128, "lon": -74.0060 } "spaces": ["default"] } schema: type: object properties: agentPolicyId: description: The ID of the agent policy associated with the private location. type: string geo: description: Geographic coordinates (WGS84) for the location. type: object properties: lat: description: The latitude of the location. type: number lon: description: The longitude of the location. type: number required: - lat - lon label: description: A label for the private location. type: string spaces: description: | An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces. items: type: string type: array tags: description: An array of tags to categorize the private location. items: type: string type: array required: - agentPolicyId - label required: true responses: '200': content: application/json: examples: postPrivateLocationResponseExample1: value: |- { "id": "abcd1234", "label": "Private Location 1", "agentPolicyId": "abcd1234", "tags": ["private", "testing"], "geo": { "lat": 40.7128, "lon": -74.0060 } } schema: type: object description: A successful response. '400': description: If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message. summary: Create a private location tags: - synthetics /api/synthetics/private_locations/{id}: delete: description: | You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion. A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location. operationId: delete-private-location parameters: - description: The unique identifier of the private location to be deleted. in: path name: id required: true schema: maxLength: 1024 minLength: 1 type: string summary: Delete a private location tags: - synthetics get: description: | You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. operationId: get-private-location parameters: - description: A private location identifier or label. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getPrivateLocationResponseExample1: value: |- { "label": "Test private location", "id": "test-private-location-id", "agentPolicyId": "test-private-location-id", "isServiceManaged": false, "isInvalid": false, "geo": { "lat": 0, "lon": 0 }, "namespace": "default" } schema: $ref: '#/components/schemas/Synthetics_getPrivateLocation' description: A successful response. summary: Get a private location tags: - synthetics put: description: | Update an existing private location's label. You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. When a private location's label is updated, all monitors using this location will also be updated to maintain data consistency. operationId: put-private-location parameters: - description: The unique identifier of the private location to be updated. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putPrivateLocationRequestExample1: description: Update a private location's label. value: |- { "label": "Updated Private Location Name" } schema: type: object properties: label: description: A new label for the private location. Must be at least 1 character long. minLength: 1 type: string required: - label required: true responses: '200': content: application/json: examples: putPrivateLocationResponseExample1: value: |- { "label": "Updated Private Location Name", "id": "test-private-location-id", "agentPolicyId": "test-private-location-id", "isServiceManaged": false, "isInvalid": false, "tags": ["private", "testing", "updated"], "geo": { "lat": 37.7749, "lon": -122.4194 }, "spaces": ["*"] } schema: $ref: '#/components/schemas/Synthetics_getPrivateLocation' description: A successful response. '400': description: If the `label` is shorter than 1 character the API will return a 400 Bad Request response with a corresponding error message. '404': description: If the private location with the specified ID does not exist, the API will return a 404 Not Found response. summary: Update a private location tags: - synthetics /api/task_manager/_health: get: description: | Get the health status of the Kibana task manager. operationId: task-manager-health responses: '200': content: application/json: examples: taskManagerHealthResponse1: $ref: '#/components/examples/Task_manager_health_APIs_health_200response' schema: $ref: '#/components/schemas/Task_manager_health_APIs_health_response' description: Indicates a successful call summary: Get the task manager health tags: - task manager /api/timeline: delete: description: Delete one or more Timelines or Timeline templates. operationId: DeleteTimelines requestBody: content: application/json: schema: type: object properties: savedObjectIds: description: The list of IDs of the Timelines or Timeline templates to delete example: - 15c1929b-0af7-42bd-85a8-56e234cc7c4e items: type: string type: array searchIds: description: Saved search IDs that should be deleted alongside the timelines example: - 23f3-43g34g322-e5g5hrh6h-45454 - 6ce1b592-84e3-4b4a-9552-f189d4b82075 items: type: string type: array required: - savedObjectIds description: The IDs of the Timelines or Timeline templates to delete. required: true responses: '200': description: Indicates the Timeline was successfully deleted. summary: Delete Timelines or Timeline templates tags: - Security Timeline API get: description: Get the details of an existing saved Timeline or Timeline template. operationId: GetTimeline parameters: - description: The `savedObjectId` of the template timeline to retrieve in: query name: template_timeline_id schema: type: string - description: The `savedObjectId` of the Timeline to retrieve. in: query name: id schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' description: Indicates that the (template) Timeline was found and returned. summary: Get Timeline or Timeline template details tags: - Security Timeline API patch: description: Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. operationId: PatchTimeline requestBody: content: application/json: schema: type: object properties: timeline: $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' description: The timeline object of the Timeline or Timeline template that you’re updating. timelineId: description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e nullable: true type: string version: description: The version of the Timeline or Timeline template that you’re updating. example: WzE0LDFd nullable: true type: string required: - timelineId - version - timeline description: The Timeline updates, along with the Timeline ID and version. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse' description: Indicates that the Timeline was successfully updated. '405': content: application/json: schema: type: object properties: body: description: The error message example: update timeline error type: string statusCode: example: 405 type: number description: Indicates that the user does not have the required access to create a Timeline. summary: Update a Timeline tags: - Security Timeline API post: description: Create a new Timeline or Timeline template. operationId: CreateTimelines requestBody: content: application/json: schema: type: object properties: status: $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' nullable: true templateTimelineId: description: A unique identifier for the Timeline template. example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string templateTimelineVersion: description: Timeline template version number. example: 12 nullable: true type: number timeline: $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' timelineId: description: A unique identifier for the Timeline. example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true version: nullable: true type: string required: - timeline description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse' description: Indicates the Timeline was successfully created. '405': content: application/json: schema: type: object properties: body: description: The error message example: update timeline error type: string statusCode: example: 405 type: number description: Indicates that there was an error in the Timeline creation. summary: Create a Timeline or Timeline template tags: - Security Timeline API /api/timeline/_copy: get: description: | Copies and returns a timeline or timeline template. operationId: CopyTimeline requestBody: content: application/json: schema: type: object properties: timeline: $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' timelineIdToCopy: type: string required: - timeline - timelineIdToCopy required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse' description: Indicates that the timeline has been successfully copied. summary: Copies timeline or timeline template tags: - Security Timeline API /api/timeline/_draft: get: description: Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. operationId: GetDraftTimelines parameters: - in: query name: timelineType required: true schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse' description: Indicates that the draft Timeline was successfully retrieved. '403': content: application:json: schema: type: object properties: message: type: string status_code: type: number description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. '409': content: application:json: schema: type: object properties: message: type: string status_code: type: number description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. summary: Get draft Timeline or Timeline template details tags: - Security Timeline API post: description: | Create a clean draft Timeline or Timeline template for the current user. > info > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. operationId: CleanDraftTimelines requestBody: content: application/json: schema: type: object properties: timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' required: - timelineType description: The type of Timeline to create. Valid values are `default` and `template`. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse' description: Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned. '403': content: application:json: schema: type: object properties: message: type: string status_code: type: number description: Indicates that the user does not have the required permissions to create a draft Timeline. '409': content: application:json: schema: type: object properties: message: type: string status_code: type: number description: Indicates that there is already a draft Timeline with the given `timelineId`. summary: Create a clean draft Timeline or Timeline template tags: - Security Timeline API /api/timeline/_export: post: description: Export Timelines as an NDJSON file. operationId: ExportTimelines parameters: - description: The name of the file to export in: query name: file_name required: true schema: type: string requestBody: content: application/json: schema: type: object properties: ids: items: type: string nullable: true type: array description: The IDs of the Timelines to export. required: true responses: '200': content: application/ndjson: schema: description: NDJSON of the exported Timelines type: string description: Indicates the Timelines were successfully exported. '400': content: application/ndjson: schema: type: object properties: body: type: string statusCode: type: number description: Indicates that the export size limit was exceeded. summary: Export Timelines tags: - Security Timeline API /api/timeline/_favorite: patch: description: Favorite a Timeline or Timeline template for the current user. operationId: PersistFavoriteRoute requestBody: content: application/json: schema: type: object properties: templateTimelineId: nullable: true type: string templateTimelineVersion: nullable: true type: number timelineId: nullable: true type: string timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true required: - timelineId - templateTimelineId - templateTimelineVersion - timelineType description: The required fields used to favorite a (template) Timeline. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' description: Indicates the favorite status was successfully updated. '403': content: application:json: schema: type: object properties: body: type: string statusCode: type: number description: Indicates the user does not have the required permissions to persist the favorite status. summary: Favorite a Timeline or Timeline template tags: - Security Timeline API /api/timeline/_import: post: description: Import Timelines. operationId: ImportTimelines requestBody: content: application/json: schema: type: object properties: file: {} isImmutable: description: Whether the Timeline should be immutable enum: - 'true' - 'false' type: string required: - file description: The Timelines to import as a readable stream. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' description: Indicates the import of Timelines was successful. '400': content: application/json: schema: type: object properties: body: description: The error message example: Invalid file extension type: string statusCode: example: 400 type: number description: Indicates the import of Timelines was unsuccessful because of an invalid file extension. '404': content: application/json: schema: type: object properties: body: description: The error message example: Unable to find saved object client type: string statusCode: example: 404 type: number description: Indicates that we were unable to locate the saved object client necessary to handle the import. '409': content: application/json: schema: type: object properties: body: description: The error message example: Could not import timelines type: string statusCode: example: 409 type: number description: Indicates the import of Timelines was unsuccessful. summary: Import Timelines tags: - Security Timeline API /api/timeline/_prepackaged: post: description: Install or update prepackaged Timelines. operationId: InstallPrepackedTimelines requestBody: content: application/json: schema: type: object properties: prepackagedTimelines: items: $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' nullable: true type: array timelinesToInstall: items: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' nullable: true type: array timelinesToUpdate: items: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' nullable: true type: array required: - timelinesToInstall - timelinesToUpdate - prepackagedTimelines description: The Timelines to install or update. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' description: Indicates the installation of prepackaged Timelines was successful. '500': content: application:json: schema: type: object properties: body: type: string statusCode: type: number description: Indicates the installation of prepackaged Timelines was unsuccessful. summary: Install prepackaged Timelines tags: - Security Timeline API /api/timeline/resolve: get: operationId: ResolveTimeline parameters: - description: The ID of the template timeline to resolve in: query name: template_timeline_id schema: type: string - description: The ID of the timeline to resolve in: query name: id schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' description: The (template) Timeline has been found '400': description: The request is missing parameters '404': description: The (template) Timeline was not found summary: Get an existing saved Timeline or Timeline template tags: - Security Timeline API /api/timelines: get: description: Get a list of all saved Timelines or Timeline templates. operationId: GetTimelines parameters: - description: If true, only timelines that are marked as favorites by the user are returned. in: query name: only_user_favorite schema: enum: - 'true' - 'false' nullable: true type: string - in: query name: timeline_type schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true - in: query name: sort_field schema: $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - description: Whether to sort the results `ascending` or `descending` in: query name: sort_order schema: enum: - asc - desc type: string - description: How many results should returned at once in: query name: page_size schema: nullable: true type: string - description: How many pages should be skipped in: query name: page_index schema: nullable: true type: string - description: Allows to search for timelines by their title in: query name: search schema: nullable: true type: string - in: query name: status schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' nullable: true responses: '200': content: application/json: schema: type: object properties: customTemplateTimelineCount: description: The amount of custom Timeline templates in the results example: 2 type: number defaultTimelineCount: description: The amount of `default` type Timelines in the results example: 90 type: number elasticTemplateTimelineCount: description: The amount of Elastic's Timeline templates in the results example: 8 type: number favoriteCount: description: The amount of favorited Timelines example: 5 type: number templateTimelineCount: description: The amount of Timeline templates in the results example: 10 type: number timeline: items: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' type: array totalCount: description: The total amount of results example: 100 type: number required: - timeline - totalCount description: Indicates that the (template) Timelines were found and returned. '400': content: application:json: schema: type: object properties: body: description: The error message example: get timeline error type: string statusCode: example: 405 type: number description: Bad request. The user supplied invalid data. summary: Get Timelines or Timeline templates tags: - Security Timeline API /api/upgrade_assistant/status: get: description: Check the status of your cluster. operationId: get-upgrade-status responses: '200': content: application/json: examples: getUpgradeStatusResponseExample1: value: |- { "readyForUpgrade": false, "cluster": [ { "message": "Cluster deprecated issue", "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." } ] } description: Indicates a successful call. summary: Get the upgrade readiness status tags: - upgrade x-state: Technical Preview /api/uptime/settings: get: description: | You must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges. operationId: get-uptime-settings responses: '200': content: application/json: examples: getUptimeSettingsResponseExample1: value: |- { "heartbeatIndices": "heartbeat-8*", "certExpirationThreshold": 30, "certAgeThreshold": 730, "defaultConnectors": [ "08990f40-09c5-11ee-97ae-912b222b13d4", "db25f830-2318-11ee-9391-6b0c030836d6" ], "defaultEmail": { "to": [], "cc": [], "bcc": [] } } schema: type: object description: Indicates a successful call summary: Get uptime settings tags: - uptime put: description: | Update uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. A partial update is supported, provided settings keys will be merged with existing settings. operationId: put-uptime-settings requestBody: content: application/json: examples: putUptimeSettingsRequestExample1: description: Run `PUT api/uptime/settings` to update multiple Uptime settings. summary: Update multiple settings value: |- { "heartbeatIndices": "heartbeat-8*", "certExpirationThreshold": 30, "certAgeThreshold": 730, "defaultConnectors": [ "08990f40-09c5-11ee-97ae-912b222b13d4", "db25f830-2318-11ee-9391-6b0c030836d6" ], "defaultEmail": { "to": [], "cc": [], "bcc": [] } } putUptimeSettingsRequestExample2: description: Run `PUT api/uptime/settings` to update a single Uptime setting. summary: Update a setting value: |- { "heartbeatIndices": "heartbeat-8*", } schema: type: object properties: certAgeThreshold: default: 730 description: The number of days after a certificate is created to trigger an alert. type: number certExpirationThreshold: default: 30 description: The number of days before a certificate expires to trigger an alert. type: number defaultConnectors: default: [] description: A list of connector IDs to be used as default connectors for new alerts. type: array defaultEmail: description: | The default email configuration for new alerts. type: object properties: bcc: default: [] items: - type: string type: array cc: default: [] items: - type: string type: array to: default: [] items: - type: string type: array heartbeatIndices: default: heartbeat-* description: | An index pattern string to be used within the Uptime app and alerts to query Heartbeat data. type: string responses: '200': content: application/json: examples: putUptimeSettingsResponseExample1: description: A successful response from `PUT api/uptime/settings`. value: |- { "heartbeatIndices": "heartbeat-8*", "certExpirationThreshold": 30, "certAgeThreshold": 730, "defaultConnectors": [ "08990f40-09c5-11ee-97ae-912b222b13d4", "db25f830-2318-11ee-9391-6b0c030836d6" ], "defaultEmail": { "to": [], "cc": [], "bcc": [] } } schema: type: object description: Indicates a successful call summary: Update uptime settings tags: - uptime /s/{spaceId}/api/observability/slos: get: description: | You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: findSlosOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - description: A valid kql query to filter the SLO with example: 'slo.name:latency* and slo.tags : "prod"' in: query name: kqlQuery schema: type: string - description: The page size to use for cursor-based pagination, must be greater or equal than 1 example: 1 in: query name: size schema: default: 1 type: integer - description: The cursor to use for fetching the results from, when using a cursor-base pagination. in: query name: searchAfter schema: items: type: string type: array - description: The page to use for pagination, must be greater or equal than 1 example: 1 in: query name: page schema: default: 1 type: integer - description: Number of SLOs returned by page example: 25 in: query name: perPage schema: default: 25 maximum: 5000 type: integer - description: Sort by field example: status in: query name: sortBy schema: default: status enum: - sli_value - status - error_budget_consumed - error_budget_remaining type: string - description: Sort order example: asc in: query name: sortDirection schema: default: asc enum: - asc - desc type: string - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings in: query name: hideStale schema: type: boolean responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_find_slo_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Get a paginated list of SLOs tags: - slo post: description: | You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: createSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: schema: $ref: '#/components/schemas/SLOs_create_slo_request' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_create_slo_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '409': content: application/json: schema: $ref: '#/components/schemas/SLOs_409_response' description: Conflict - The SLO id already exists summary: Create an SLO tags: - slo /s/{spaceId}/api/observability/slos/_bulk_delete: post: description: | Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint. operationId: bulkDeleteOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: schema: $ref: '#/components/schemas/SLOs_bulk_delete_request' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_bulk_delete_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response summary: Bulk delete SLO definitions and their associated summary and rollup data. tags: - slo /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}: get: description: | Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation. operationId: bulkDeleteStatusOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - description: The task id of the bulk delete operation in: path name: taskId required: true schema: example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_bulk_delete_status_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response summary: Retrieve the status of the bulk deletion tags: - slo /s/{spaceId}/api/observability/slos/_bulk_purge_rollup: post: description: | The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteRollupDataOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: schema: $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response summary: Batch delete rollup and summary data tags: - slo /s/{spaceId}/api/observability/slos/_delete_instances: post: description: | The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloInstancesOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: schema: $ref: '#/components/schemas/SLOs_delete_slo_instances_request' required: true responses: '204': description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response summary: Batch delete rollup and summary data tags: - slo /s/{spaceId}/api/observability/slos/{sloId}: delete: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '204': description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Delete an SLO tags: - slo get: description: | You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: getSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' - description: the specific instanceId used by the summary calculation example: host-abcde in: query name: instanceId schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_slo_with_summary_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Get an SLO tags: - slo put: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: updateSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' requestBody: content: application/json: schema: $ref: '#/components/schemas/SLOs_update_slo_request' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_slo_definition_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Update an SLO tags: - slo /s/{spaceId}/api/observability/slos/{sloId}/_reset: post: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: resetSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_slo_definition_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Reset an SLO tags: - slo /s/{spaceId}/api/observability/slos/{sloId}/disable: post: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: disableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '204': description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Disable an SLO tags: - slo /s/{spaceId}/api/observability/slos/{sloId}/enable: post: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: enableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '204': description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Enable an SLO tags: - slo /s/{spaceId}/internal/observability/slos/_definitions: get: description: | You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: getDefinitionsOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - description: Indicates if the API returns only outdated SLO or all SLO definitions example: true in: query name: includeOutdatedOnly schema: type: boolean - description: Filters the SLOs by tag in: query name: tags schema: type: string - description: Filters the SLOs by name example: my service availability in: query name: search schema: type: string - description: The page to use for pagination, must be greater or equal than 1 example: 1 in: query name: page schema: type: number - description: Number of SLOs returned by page example: 100 in: query name: perPage schema: default: 100 maximum: 1000 type: integer responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_find_slo_definitions_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response summary: Get the SLO definitions tags: - slo components: examples: Alerting_get_health_response: summary: Retrieve information about the health of the alerting framework. value: alerting_framework_health: decryption_health: status: ok timestamp: '2023-01-13T01:28:00.280Z' execution_health: status: ok timestamp: '2023-01-13T01:28:00.280Z' read_health: status: ok timestamp: '2023-01-13T01:28:00.280Z' has_permanent_encryption_key: true is_sufficiently_secure: true Alerting_get_rule_types_response: summary: Retrieve rule types associated with Kibana machine learning features value: - action_groups: - id: anomaly_score_match name: Anomaly score matched the condition - id: recovered name: Recovered action_variables: context: - description: The bucket timestamp of the anomaly name: timestamp - description: The bucket time of the anomaly in ISO8601 format name: timestampIso8601 - description: List of job IDs that triggered the alert name: jobIds - description: Alert info message name: message - description: Indicate if top hits contain interim results name: isInterim - description: Anomaly score at the time of the notification action name: score - description: Top records name: topRecords - description: Top influencers name: topInfluencers - description: URL to open in the Anomaly Explorer name: anomalyExplorerUrl useWithTripleBracesInTemplates: true params: [] state: [] alerts: context: ml.anomaly-detection mappings: fieldMap: kibana.alert.anomaly_score: array: false type: double required: false kibana.alert.anomaly_timestamp: array: false type: date required: false kibana.alert.is_interim: array: false type: boolean required: false kibana.alert.job_id: array: false type: keyword required: true kibana.alert.top_influencers: array: true dynamic: false type: object properties: influencer_field_name: type: keyword influencer_field_value: type: keyword influencer_score: type: double initial_influencer_score: type: double is_interim: type: boolean job_id: type: keyword timestamp: type: date required: false kibana.alert.top_records: array: true dynamic: false type: object properties: actual: type: double by_field_name: type: keyword by_field_value: type: keyword detector_index: type: integer field_name: type: keyword function: type: keyword initial_record_score: type: double is_interim: type: boolean job_id: type: keyword over_field_name: type: keyword over_field_value: type: keyword partition_field_name: type: keyword partition_field_value: type: keyword record_score: type: double timestamp: type: date typical: type: double required: false shouldWrite: true authorized_consumers: alerts: all: true read: true apm: all: true read: true discover: all: true read: true infrastructure: all: true read: true logs: all: true read: true ml: all: true read: true monitoring: all: true read: true siem: all: true read: true slo: all: true read: true stackAlerts: all: true read: true uptime: all: true read: true category: management default_action_group_id: anomaly_score_match does_set_recovery_context: true enabled_in_license: true has_alerts_mappings: true has_fields_for_a_a_d: true id: xpack.ml.anomaly_detection_alert is_exportable: true minimum_license_required: platinum name: Anomaly detection alert producer: ml recovery_action_group: id: recovered name: Recovered rule_task_timeout: 5m - action_groups: - id: anomaly_detection_realtime_issue name: Issue detected - id: recovered name: Recovered action_variables: context: - description: Results of the rule execution name: results - description: Alert info message name: message params: [] state: [] authorized_consumers: alerts: all: true read: true apm: all: true read: true discover: all: true read: true infrastructure: all: true read: true logs: all: true read: true ml: all: true read: true monitoring: all: true read: true siem: all: true read: true slo: all: true read: true stackAlerts: all: true read: true uptime: all: true read: true category: management default_action_group_id: anomaly_detection_realtime_issue does_set_recovery_context: true enabled_in_license: true has_alerts_mappings: false has_fields_for_a_a_d: false id: xpack.ml.anomaly_detection_jobs_health is_exportable: true minimum_license_required: platinum name: Anomaly detection jobs health producer: ml recovery_action_group: id: recovered name: Recovered rule_task_timeout: 5m APM_UI_agent_configuration_intake_object_delete_request1: description: Run `DELETE /api/apm/settings/agent-configuration` to delete a configuration. value: | { "service" : { "name": "frontend", "environment": "production" } } APM_UI_agent_configuration_intake_object_get_200_response1: description: An example of a successful response from `GET /api/apm/settings/agent-configuration`. value: | [ { "agent_name": "go", "service": { "name": "opbeans-go", "environment": "production" }, "settings": { "transaction_sample_rate": "1", "capture_body": "off", "transaction_max_spans": "200" }, "@timestamp": 1581934104843, "applied_by_agent": false, "etag": "1e58c178efeebae15c25c539da740d21dee422fc" }, { "agent_name": "go", "service": { "name": "opbeans-go" }, "settings": { "transaction_sample_rate": "1", "capture_body": "off", "transaction_max_spans": "300" }, "@timestamp": 1581934111727, "applied_by_agent": false, "etag": "3eed916d3db434d9fb7f039daa681c7a04539a64" }, { "agent_name": "nodejs", "service": { "name": "frontend" }, "settings": { "transaction_sample_rate": "1", }, "@timestamp": 1582031336265, "applied_by_agent": false, "etag": "5080ed25785b7b19f32713681e79f46996801a5b" } ] APM_UI_agent_configuration_intake_object_put_request1: description: Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. value: | { "service": { "name": "frontend", "environment": "production" }, "settings": { "transaction_sample_rate": "0.4", "capture_body": "off", "transaction_max_spans": "500" }, "agent_name": "nodejs" } APM_UI_agent_configuration_intake_object_search_200_response1: description: An example of a successful response from `POST /api/apm/settings/agent-configuration/search`. value: | { "_index": ".apm-agent-configuration", "_id": "CIaqXXABmQCdPphWj8EJ", "_score": 2, "_source": { "agent_name": "nodejs", "service": { "name": "frontend" }, "settings": { "transaction_sample_rate": "1", }, "@timestamp": 1582031336265, "applied_by_agent": false, "etag": "5080ed25785b7b19f32713681e79f46996801a5b" } } APM_UI_agent_configuration_intake_object_search_request1: description: Run `POST /api/apm/settings/agent-configuration/search` to search configuration details. value: | { "etag": "1e58c178efeebae15c25c539da740d21dee422fc", "service" : { "name": "frontend", "environment": "production" } } APM_UI_agent_keys_object_post_200_response1: description: An example of a successful response from `POST /api/apm/agent_keys`, which creates an APM agent API key. value: | { "agentKey": { "id": "3DCLmn0B3ZMhLUa7WBG9", "name": "apm-key", "api_key": "PjGloCGOTzaZr8ilUPvkjA", "encoded": "M0RDTG1uMEIzWk1oTFVhN1dCRzk6UGpHbG9DR09UemFacjhpbFVQdmtqQQ==" } } APM_UI_agent_keys_object_post_request1: description: Run `POST /api/apm/agent_keys` to create an APM agent API key with the specified privileges. value: | { "name": "apm-key", "privileges": ["event:write", "config_agent:read"] } APM_UI_annotation_object_post_200_response1: description: An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. value: | { "_index": "observability-annotations", "_id": "Lc9I93EBh6DbmkeV7nFX", "_version": 1, "_seq_no": 12, "_primary_term": 1, "found": true, "_source": { "message": "Deployment 1.2", "@timestamp": "2020-05-08T10:31:30.452Z", "service": { "version": "1.2", "name": "opbeans-java" }, "tags": [ "apm", "elastic.co", "customer" ], "annotation": { "type": "deployment" }, "event": { "created": "2020-05-09T02:34:43.937Z" } } } APM_UI_source_maps_get_200_response1: description: A successful response from `GET /api/apm/sourcemaps`. value: | { "artifacts": [ { "type": "sourcemap", "identifier": "foo-1.0.0", "relative_url": "/api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456", "body": { "serviceName": "foo", "serviceVersion": "1.0.0", "bundleFilepath": "/test/e2e/general-usecase/bundle.js", "sourceMap": { "version": 3, "file": "static/js/main.chunk.js", "sources": [ "fleet-source-map-client/src/index.css", "fleet-source-map-client/src/App.js", "webpack:///./src/index.css?bb0a", "fleet-source-map-client/src/index.js", "fleet-source-map-client/src/reportWebVitals.js" ], "sourcesContent": [ "content" ], "mappings": "mapping", "sourceRoot": "" } }, "created": "2021-07-09T20:47:44.812Z", "id": "apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456", "compressionAlgorithm": "zlib", "decodedSha256": "644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456", "decodedSize": 441, "encodedSha256": "024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24", "encodedSize": 237, "encryptionAlgorithm": "none", "packageName": "apm" } ] } APM_UI_source_maps_upload_200_response1: description: A successful response from `POST /api/apm/sourcemaps`. value: body: eJyFkL1OwzAUhd/Fc+MbYMuCEBIbHRjKgBgc96R16tiWr1OQqr47NwqJxEK3q/PzWccXxchnZ7E1A1SjuhjVZtF2yOxiEPlO17oWox3D3uPFeSRTjmJQARfCPeiAgGx8NTKsYdAc1T3rwaSJGcds8Sp3c1HnhfywUZ3QhMTFFGepZxqMC9oex3CS9tpk1XyozgOlmoVKuJX1DqEQZ0su7PGtLU+V/3JPKc3cL7TJ2FNDRPov4bFta3MDM4f7W69lpJjLO9qdK8bzVPhcJz3HUCQ4LbO/p5hCSC4cZPByrp/wFqOklbpefwAhzpqI compressionAlgorithm: zlib created: '2021-07-09T20:47:44.812Z' decodedSha256: 644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 decodedSize: 441 encodedSha256: 024c72749c3e3dd411b103f7040ae62633558608f480bce4b108cf5b2275bd24 encodedSize: 237 encryptionAlgorithm: none id: apm:foo-1.0.0-644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 identifier: foo-1.0.0 packageName: apm relative_url: /api/fleet/artifacts/foo-1.0.0/644fd5a997d1ddd90ee131ba18e2b3d03931d89dd1fe4599143c0b3264b3e456 type: sourcemap Cases_add_comment_request: summary: Adds a comment to a case. value: comment: A new comment. owner: cases type: user Cases_add_comment_response: summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null closed_at: null closed_by: null comments: - comment: A new comment. created_at: '2022-10-02T00:49:47.716Z' created_by: email: null full_name: null username: elastic id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 owner: cases type: user version: WzIwNDMxLDFd connector: fields: null id: none name: none type: .none created_at: '2022-03-24T00:37:03.906Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: Field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: true description: A case description. duration: null external_service: null id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 owner: cases settings: syncAlerts: false severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 1 updated_at: '2022-06-03T00:49:47.716Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzIzMzgsMV0= Cases_create_case_request: summary: Create a security case that uses a Jira connector. value: connector: fields: issueType: '10006' parent: null priority: High id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value description: A case description. owner: cases settings: syncAlerts: true tags: - tag-1 title: Case title 1 Cases_create_case_response: summary: The create case API returns a JSON object that contains details about the case. value: assignees: [] closed_at: null closed_by: null comments: [] connector: fields: issueType: '10006' parent: null priority: High id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira created_at: '2022-10-13T15:33:50.604Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: A case description. duration: null external_service: null id: 66b9aa00-94fa-11ea-9f74-e7e108796192 owner: cases settings: syncAlerts: true severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 0 updated_at: null updated_by: null version: WzUzMiwxXQ== Cases_find_case_activity_response: summary: Retrieves all activity for a case value: page: 1 perPage: 20 total: 3 userActions: - action: create comment_id: null created_at: '2023-10-20T01:17:22.150Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: b4cd0770-07c9-11ed-a5fd-47154cb8767e owner: cases payload: assignees: [] category: null connector: fields: null id: none name: none type: .none customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: A case description. owner: cases settings: syncAlerts: false severity: low status: open tags: - tag 1 title: Case title 1 type: create_case version: WzM1ODg4LDFd - action: create comment_id: 578608d0-03b1-11ed-920c-974bfa104448 created_at: '2023-10-14T20:12:53.354Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 57af14a0-03b1-11ed-920c-974bfa104448 owner: cases payload: comment: A new comment owner: cases type: user type: comment version: WzM1ODg4LDFa - action: add comment_id: null created_at: '2023-10-20T01:10:28.238Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 573c6980-6123-11ed-aa41-81a0a61fe447 owner: cases payload: assignees: uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 type: assignees version: WzM1ODg4LDFb Cases_find_case_response: summary: Retrieve the first five cases with the `tag-1` tag, in ascending order by last update time. value: cases: - assignees: [] category: null closed_at: null closed_by: null comments: [] connector: fields: null id: none name: none type: .none created_at: '2023-10-12T00:16:36.371Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: Case description duration: null external_service: null id: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 owner: cases settings: syncAlerts: true severity: low status: open tags: - tag-1 title: Case title totalAlerts: 0 totalComment: 1 updated_at: '2023-10-12T00:27:58.162Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzExMCwxXQ== count_closed_cases: 0 count_in_progress_cases: 0 count_open_cases: 1 page: 1 per_page: 5 total: 1 Cases_find_connector_response: summary: Retrieve information about the connectors and their settings. value: - actionTypeId: .jira config: apiUrl: https://elastic.atlassian.net/ projectKey: ES id: 61787f53-4eee-4741-8df6-8fe84fa616f7 isDeprecated: false isMissingSecrets: false isPreconfigured: false name: my-Jira referencedByCount: 0 Cases_get_case_alerts_response: summary: Retrieves all alerts attached to a case value: - attached_at: '2022-07-25T20:09:40.963Z' id: f6a7d0c3-d52d-432c-b2e6-447cd7fce04d index: .alerts-observability.logs.alerts-default Cases_get_case_configuration_response: summary: Get the case configuration. value: - closure_type: close-by-user connector: fields: null id: none name: none type: .none created_at: '2024-07-01T17:07:17.767Z' created_by: email: null full_name: null username: elastic customFields: - defaultValue: Custom text field value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: false error: null id: 856ee650-6c82-11ee-a20a-6164169afa58 mappings: [] owner: cases templates: - caseFields: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: Default-category connector: fields: null id: none name: none type: .none customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: Default text field value. description: A default description for cases. settings: syncAlerts: false tags: - Default case tag title: Default case title description: A description of the template. key: 505932fe-ee3a-4960-a661-c781b5acdb05 name: template-1 tags: - Template tag 1 updated_at: null updated_by: null version: WzEyLDNd Cases_get_case_observability_response: summary: Retrieves information about an Observability case including its alerts and comments. value: assignees: - uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 category: null closed_at: null closed_by: null comments: - alertId: - a6e12ac4-7bce-457b-84f6-d7ce8deb8446 created_at: '2023-11-06T19:29:38.424Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 59d438d0-79a9-4864-8d4b-e63adacebf6e index: - .internal.alerts-observability.logs.alerts-default-000001 owner: observability pushed_at: null pushed_by: null rule: id: 03e4eb87-62ca-4e5d-9570-3d7625e9669d name: Observability rule type: alert updated_at: null updated_by: null version: WzY3LDJd - comment: The first comment. created_at: '2023-11-06T19:29:57.812Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: d99342d3-3aa3-4b80-90ec-a702607604f5 owner: observability pushed_at: null pushed_by: null type: user updated_at: null updated_by: null version: WzcyLDJd connector: fields: null id: none name: none type: .none created_at: '2023-11-06T19:29:04.086Z' created_by: email: null full_name: null username: elastic customFields: [] description: An Observability case description. duration: null external_service: null id: c3ff7550-def1-4e90-b6bc-c9969a4a09b1 owner: observability settings: syncAlerts: false severity: low status: in-progress tags: - observability - tag 1 title: Observability case title 1 totalAlerts: 1 totalComment: 1 updated_at: '2023-11-06T19:47:55.662Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzI0NywyXQ== Cases_get_case_response: summary: Retrieves information about a case including its comments. value: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: null closed_at: null closed_by: null comments: - comment: A new comment created_at: '2023-10-13T15:40:32.335Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 2134c1d0-02c2-11ed-85f2-4f7c222ca2fa owner: cases pushed_at: null pushed_by: null type: user updated_at: null updated_by: null version: WzM3LDFd connector: fields: null id: none name: none type: .none created_at: '2023-10-13T15:33:50.604Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: A case description duration: null external_service: null id: 31cdada0-02c1-11ed-85f2-4f7c222ca2fa owner: cases settings: syncAlerts: true severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 1 updated_at: '2023-10-13T15:40:32.335Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzM2LDFd Cases_get_comment_response: summary: A single user comment retrieved from a case value: comment: A new comment created_at: '2023-10-07T19:32:13.104Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3 owner: cases pushed_at: null pushed_by: null type: user updated_at: null updated_by: null version: WzIzLDFd Cases_get_reporters_response: summary: A list of two users that opened cases value: - email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic - email: jdoe@example.com full_name: Jane Doe profile_uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 username: jdoe Cases_get_tags_response: summary: A list of tags that are used in cases value: - observability - security - tag 1 - tag 2 Cases_push_case_response: summary: The push case API returns a JSON object with details about the case and the external service. value: closed_at: null closed_by: null comments: [] connector: fields: issueType: '10006' parent: null priority: Low id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 name: My connector type: .jira created_at: '2022-07-29T00:59:39.444Z' created_by: email: null full_name: null username: elastic description: A case description. duration: null external_service: connector_id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 connector_name: My connector external_id: '71926' external_title: ES-554 external_url: https://cases.jira.com pushed_at: '2022-07-29T01:20:58.436Z' pushed_by: email: null full_name: null username: elastic id: b917f300-0ed9-11ed-bd18-65557fe66949 owner: cases settings: syncAlerts: true severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 0 updated_at: '2022-07-29T01:20:58.436Z' updated_by: email: null full_name: null username: elastic version: WzE3NjgsM10= Cases_set_case_configuration_request: summary: Set the closure type, custom fields, and default connector for Stack Management cases. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira customFields: - defaultValue: My custom field default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: false owner: cases templates: - caseFields: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: Default-category customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: A text field value for the template. description: A default description for cases. tags: - Default case tag title: Default case title description: A description of the template. key: 505932fe-ee3a-4960-a661-c781b5acdb05 name: template-1 tags: - Template tag 1 Cases_set_case_configuration_response: summary: This is an example response for case settings. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira created_at: '2024-07-01T17:07:17.767Z' created_by: email: null, full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - defaultValue: My custom field default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: false error: null id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 mappings: - action_type: overwrite source: title target: summary - action_type: overwrite source: description target: description - action_type: append source: comments target: comments - action_type: overwrite source: tags target: labels owner: cases templates: - caseFields: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: Default-category customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: A text field value for the template. description: A default description for cases. tags: - Default case tag title: Default case title description: A description of the template. key: 505932fe-ee3a-4960-a661-c781b5acdb05 name: template-1 tags: - Template tag 1 updated_at: null updated_by: null version: WzIwNzMsMV0= Cases_update_case_configuration_request: summary: Update the case settings. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira customFields: - defaultValue: A new default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: true - key: fcc6840d-eb14-42df-8aaf-232201a705ec label: my-toggle type: toggle required: false version: WzExOSw0XQ== Cases_update_case_configuration_response: summary: This is an example response when the case configuration was updated. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira created_at: '2024-07-01T17:07:17.767Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - defaultValue: A new default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: true - key: fcc6840d-eb14-42df-8aaf-232201a705ec label: my-toggle type: toggle required: false error: null id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 mappings: - action_type: overwrite source: title target: summary - action_type: overwrite source: description target: description - action_type: overwrite source: tags target: labels - action_type: append source: comments target: comments owner: cases templates: [] updated_at: '2024-07-19T00:52:42.401Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzI2LDNd Cases_update_case_request: summary: Update the case description, tags, and connector. value: cases: - connector: fields: issueType: '10006' parent: null priority: null id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira customFields: - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: false - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My new field value description: A case description. id: a18b38a0-71b0-11ea-a0b2-c51ea50a58e2 settings: syncAlerts: true tags: - tag-1 version: WzIzLDFd Cases_update_case_response: summary: This is an example response when the case description, tags, and connector were updated. value: - assignees: [] category: null closed_at: null closed_by: null comments: [] connector: fields: issueType: '10006' parent: null priority: null id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira created_at: '2023-10-13T09:16:17.416Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My new field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: false description: A case description. duration: null external_service: connector_id: 05da469f-1fde-4058-99a3-91e4807e2de8 connector_name: Jira external_id: '10003' external_title: IS-4 external_url: https://hms.atlassian.net/browse/IS-4 pushed_at: '2023-10-13T09:20:40.672Z' pushed_by: email: null full_name: null username: elastic id: 66b9aa00-94fa-11ea-9f74-e7e108796192 owner: cases settings: syncAlerts: true severity: low status: open tags: - tag-1 title: Case title 1 totalAlerts: 0 totalComment: 0 updated_at: '2023-10-13T09:48:33.043Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzU0OCwxXQ== Cases_update_comment_request: summary: Updates a comment of a case. value: comment: An updated comment. id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 owner: cases type: user version: Wzk1LDFd Cases_update_comment_response: summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null closed_at: null closed_by: null comments: - comment: An updated comment. created_at: '2023-10-24T00:37:10.832Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 owner: cases pushed_at: null pushed_by: null type: user updated_at: '2023-10-24T01:27:06.210Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzIwNjM3LDFd connector: fields: null id: none name: none type: .none created_at: '2023-10-24T00:37:03.906Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My new field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: false description: A case description. duration: null external_service: null id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 owner: cases settings: syncAlerts: false severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 1 updated_at: '2023-10-24T01:27:06.210Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzIwNjM2LDFd Data_views_create_data_view_request: summary: Create a data view with runtime fields. value: data_view: name: My Logstash data view runtimeFieldMap: runtime_shape_name: script: source: emit(doc['shape_name'].value) type: keyword title: logstash-* Data_views_create_runtime_field_request: summary: Create a runtime field. value: name: runtimeFoo runtimeField: script: source: emit(doc["foo"].value) type: long Data_views_get_data_view_response: summary: The get data view API returns a JSON object that contains information about the data view. value: data_view: allowNoIndex: false fieldAttrs: products.manufacturer: count: 1 products.price: count: 1 products.product_name: count: 1 total_quantity: count: 1 fieldFormats: products.base_price: id: number params: pattern: $0,0.00 products.base_unit_price: id: number params: pattern: $0,0.00 products.min_price: id: number params: pattern: $0,0.00 products.price: id: number params: pattern: $0,0.00 products.taxful_price: id: number params: pattern: $0,0.00 products.taxless_price: id: number params: pattern: $0,0.00 taxful_total_price: id: number params: pattern: $0,0.[00] taxless_total_price: id: number params: pattern: $0,0.00 fields: _id: aggregatable: false count: 0 esTypes: - _id format: id: string isMapped: true name: _id readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _index: aggregatable: true count: 0 esTypes: - _index format: id: string isMapped: true name: _index readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _score: aggregatable: false count: 0 format: id: number isMapped: true name: _score readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: number _source: aggregatable: false count: 0 esTypes: - _source format: id: _source isMapped: true name: _source readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: _source category: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: category readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string category.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: category.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: category type: string currency: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: currency readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string customer_birth_date: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: customer_birth_date readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date customer_first_name: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: customer_first_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string customer_first_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_first_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: customer_first_name type: string customer_full_name: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: customer_full_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string customer_full_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_full_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: customer_full_name type: string customer_gender: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_gender readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string customer_id: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_id readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string customer_last_name: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: customer_last_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string customer_last_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_last_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: customer_last_name type: string customer_phone: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_phone readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string day_of_week: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: day_of_week readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string day_of_week_i: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: day_of_week_i readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number email: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: email readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string event.dataset: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: event.dataset readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.city_name: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.city_name readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.continent_name: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.continent_name readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.country_iso_code: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.country_iso_code readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.location: aggregatable: true count: 0 esTypes: - geo_point format: id: geo_point params: transform: wkt isMapped: true name: geoip.location readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: geo_point geoip.region_name: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.region_name readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string manufacturer: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: manufacturer readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string manufacturer.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: manufacturer.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: manufacturer type: string order_date: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: order_date readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date order_id: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: order_id readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string products._id: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: products._id readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products._id.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products._id.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products._id type: string products.base_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.base_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.base_unit_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.base_unit_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.category: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: products.category readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products.category.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.category.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products.category type: string products.created_on: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: products.created_on readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date products.discount_amount: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.discount_amount readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.discount_percentage: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.discount_percentage readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.manufacturer: aggregatable: false count: 1 esTypes: - text format: id: string isMapped: true name: products.manufacturer readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products.manufacturer.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.manufacturer.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products.manufacturer type: string products.min_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.min_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.price: aggregatable: true count: 1 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.product_id: aggregatable: true count: 0 esTypes: - long format: id: number isMapped: true name: products.product_id readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.product_name: aggregatable: false count: 1 esTypes: - text format: id: string isMapped: true name: products.product_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products.product_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.product_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products.product_name type: string products.quantity: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: products.quantity readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.sku: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.sku readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string products.tax_amount: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.tax_amount readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.taxful_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.taxful_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.taxless_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.taxless_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.unit_discount_amount: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.unit_discount_amount readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number sku: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: sku readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string taxful_total_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.[00] isMapped: true name: taxful_total_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number taxless_total_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: taxless_total_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number total_quantity: aggregatable: true count: 1 esTypes: - integer format: id: number isMapped: true name: total_quantity readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number total_unique_products: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: total_unique_products readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number type: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: type readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string user: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: user readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string id: ff959d40-b880-11e8-a6d9-e546fe2bba5f name: Kibana Sample Data eCommerce namespaces: - default runtimeFieldMap: {} sourceFilters: [] timeFieldName: order_date title: kibana_sample_data_ecommerce typeMeta: {} version: WzUsMV0= Data_views_get_data_views_response: summary: The get all data views API returns a list of data views. value: data_view: - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f name: Kibana Sample Data eCommerce namespaces: - default title: kibana_sample_data_ecommerce typeMeta: {} - id: d3d7af60-4c81-11e8-b3d7-01146121b73d name: Kibana Sample Data Flights namespaces: - default title: kibana_sample_data_flights - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: Kibana Sample Data Logs namespaces: - default title: kibana_sample_data_logs Data_views_get_default_data_view_response: summary: The get default data view API returns the default data view identifier. value: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f Data_views_get_runtime_field_response: summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). value: data_view: allowNoIndex: false fieldAttrs: {} fieldFormats: AvgTicketPrice: id: number params: pattern: $0,0.[00] hour_of_day: id: number params: pattern: '00' fields: _id: aggregatable: false count: 0 esTypes: - _id format: id: string isMapped: true name: _id readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _index: aggregatable: true count: 0 esTypes: - _index format: id: string isMapped: true name: _index readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _score: aggregatable: false count: 0 format: id: number isMapped: true name: _score readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: number _source: aggregatable: false count: 0 esTypes: - _source format: id: _source isMapped: true name: _source readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: _source AvgTicketPrice: aggregatable: true count: 0 esTypes: - float format: id: number params: pattern: $0,0.[00] isMapped: true name: AvgTicketPrice readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number Cancelled: aggregatable: true count: 0 esTypes: - boolean format: id: boolean isMapped: true name: Cancelled readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: boolean Carrier: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: Carrier readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string dayOfWeek: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: dayOfWeek readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number Dest: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: Dest readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestAirportID: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestAirportID readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestCityName: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestCityName readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestCountry: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestCountry readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestLocation: aggregatable: true count: 0 esTypes: - geo_point format: id: geo_point params: transform: wkt isMapped: true name: DestLocation readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: geo_point DestRegion: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestRegion readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestWeather: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestWeather readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DistanceKilometers: aggregatable: true count: 0 esTypes: - float format: id: number isMapped: true name: DistanceKilometers readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number DistanceMiles: aggregatable: true count: 0 esTypes: - float format: id: number isMapped: true name: DistanceMiles readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number FlightDelay: aggregatable: true count: 0 esTypes: - boolean format: id: boolean isMapped: true name: FlightDelay readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: boolean FlightDelayMin: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: FlightDelayMin readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number FlightDelayType: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: FlightDelayType readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string FlightNum: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: FlightNum readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string FlightTimeHour: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: FlightTimeHour readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string FlightTimeMin: aggregatable: true count: 0 esTypes: - float format: id: number isMapped: true name: FlightTimeMin readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number hour_of_day: aggregatable: true count: 0 esTypes: - long format: id: number params: pattern: '00' name: hour_of_day readFromDocValues: false runtimeField: script: source: emit(doc['timestamp'].value.getHour()); type: long scripted: false searchable: true shortDotsEnable: false type: number Origin: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: Origin readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginAirportID: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginAirportID readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginCityName: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginCityName readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginCountry: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginCountry readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginLocation: aggregatable: true count: 0 esTypes: - geo_point format: id: geo_point params: transform: wkt isMapped: true name: OriginLocation readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: geo_point OriginRegion: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginRegion readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginWeather: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginWeather readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string timestamp: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: timestamp readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date id: d3d7af60-4c81-11e8-b3d7-01146121b73d name: Kibana Sample Data Flights runtimeFieldMap: hour_of_day: script: source: emit(doc['timestamp'].value.getHour()); type: long sourceFilters: [] timeFieldName: timestamp title: kibana_sample_data_flights version: WzM2LDJd fields: - aggregatable: true count: 0 esTypes: - long name: hour_of_day readFromDocValues: false runtimeField: script: source: emit(doc['timestamp'].value.getHour()); type: long scripted: false searchable: true shortDotsEnable: false type: number Data_views_preview_swap_data_view_request: summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". value: fromId: abcd-efg toId: xyz-123 Data_views_set_default_data_view_request: summary: Set the default data view identifier. value: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f force: true Data_views_swap_data_view_request: summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. value: delete: true fromId: abcd-efg toId: xyz-123 Data_views_update_data_view_request: summary: Update some properties for a data view. value: data_view: allowNoIndex: false name: Kibana Sample Data eCommerce timeFieldName: order_date title: kibana_sample_data_ecommerce refresh_fields: true Data_views_update_field_metadata_request: summary: Update metadata for multiple fields. value: fields: field1: count: 123 customLabel: Field 1 label field2: customDescription: Field 2 description customLabel: Field 2 label Data_views_update_runtime_field_request: summary: Update an existing runtime field on a data view. value: runtimeField: script: source: emit(doc["bar"].value) Machine_learning_APIs_mlSyncExample: summary: Two anomaly detection jobs required synchronization in this example. value: datafeedsAdded: {} datafeedsRemoved: {} savedObjectsCreated: anomaly-detector: myjob1: success: true myjob2: success: true savedObjectsDeleted: {} Saved_objects_key_rotation_response: summary: Encryption key rotation using default parameters. value: failed: 0 successful: 300 total: 1000 Saved_objects_resolve_missing_reference_request: value: file: file.ndjson retries: - id: my-pattern overwrite: true type: index-pattern - destinationId: another-vis id: my-vis overwrite: true type: visualization - destinationId: yet-another-canvas id: my-canvas overwrite: true type: canvas - id: my-dashboard type: dashboard Saved_objects_resolve_missing_reference_response: summary: Resolve missing reference errors. value: success: true successCount: 3 successResults: - id: my-vis meta: icon: visualizeApp title: Look at my visualization type: visualization - id: my-search meta: icon: searchApp title: Look at my search type: search - id: my-dashboard meta: icon: dashboardApp title: Look at my dashboard type: dashboard Task_manager_health_APIs_health_200response: description: A successful response from `GET api/task_manager/_health`. value: |- { "id": "330bbc6a-56cd-44d5-88e3-e3229f14d619", "timestamp": "2025-03-21T21:30:04.780Z", "status": "OK", "last_update": "2025-03-21T21:30:04.455Z", "stats": { "configuration": { "timestamp": "2025-03-21T21:26:10.002Z", "value": { "request_capacity": 1000, "monitored_aggregated_stats_refresh_rate": 60000, "monitored_stats_running_average_window": 50, "monitored_task_execution_thresholds": { "custom": {}, "default": { "error_threshold": 90, "warn_threshold": 80 } }, "claim_strategy": "mget", "poll_interval": 500, "capacity": { "config": 10, "as_workers": 10, "as_cost": 20 } }, "status": "OK" }, "runtime": { "timestamp": "2025-03-21T21:30:04.455Z", "value": { "polling": { "last_successful_poll": "2025-03-21T21:30:04.455Z", "last_polling_delay": "2025-03-21T21:26:10.001Z", "claim_duration": { "p50": 17, "p90": 22, "p95": 25, "p99": 27 }, "duration": { "p50": 19, "p90": 25.5, "p95": 28, "p99": 28 }, "claim_conflicts": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "claim_mismatches": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "claim_stale_tasks": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "result_frequency_percent_as_number": { "Failed": 0, "NoAvailableWorkers": 0, "NoTasksClaimed": 100, "RanOutOfCapacity": 0, "RunningAtCapacity": 0, "PoolFilled": 0 }, "persistence": { "recurring": 88, "non_recurring": 12 } }, "drift": { "p50": 2089, "p90": 3037, "p95": 3037, "p99": 3037 }, "drift_by_type": { "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "p50": 2082, "p90": 2082, "p95": 2082, "p99": 2082 }, "fleet:check-deleted-files-task": { "p50": 2080, "p90": 2080, "p95": 2080, "p99": 2080 }, "osquery:telemetry-saved-queries": { "p50": 2080, "p90": 2080, "p95": 2080, "p99": 2080 }, "task_manager:mark_removed_tasks_as_unrecognized": { "p50": 2089, "p90": 2089, "p95": 2089, "p99": 2089 }, "task_manager:delete_inactive_background_task_nodes": { "p50": 336.5, "p90": 2089, "p95": 2089, "p99": 2089 }, "alerts_invalidate_api_keys": { "p50": 2086, "p90": 2086, "p95": 2086, "p99": 2086 }, "fleet:unenroll-inactive-agents-task": { "p50": 2080, "p90": 2080, "p95": 2080, "p99": 2080 }, "alerting_health_check": { "p50": 2086, "p90": 2086, "p95": 2086, "p99": 2086 }, "Fleet-Usage-Sender": { "p50": 2079, "p90": 2079, "p95": 2079, "p99": 2079 }, "security:endpoint-diagnostics": { "p50": 2525, "p90": 2525, "p95": 2525, "p99": 2525 }, "logs-data-telemetry": { "p50": 2525, "p90": 2525, "p95": 2525, "p99": 2525 }, "security:telemetry-lists": { "p50": 2525, "p90": 2525, "p95": 2525, "p99": 2525 }, "security:telemetry-timelines": { "p50": 2526, "p90": 2526, "p95": 2526, "p99": 2526 }, "cases-telemetry-task": { "p50": 2083, "p90": 2083, "p95": 2083, "p99": 2083 }, "osquery:telemetry-packs": { "p50": 2530, "p90": 2530, "p95": 2530, "p99": 2530 }, "Fleet-Metrics-Task": { "p50": 133.5, "p90": 2530, "p95": 2530, "p99": 2530 }, "fleet:delete-unenrolled-agents-task": { "p50": 2530, "p90": 2530, "p95": 2530, "p99": 2530 }, "osquery:telemetry-configs": { "p50": 2529, "p90": 2529, "p95": 2529, "p99": 2529 }, "endpoint:complete-external-response-actions": { "p50": 519, "p90": 2526, "p95": 2526, "p99": 2526 }, "security:telemetry-detection-rules": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-prebuilt-rule-alerts": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:endpoint-meta-telemetry": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-filterlist-artifact": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-diagnostic-timelines": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-configuration": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:indices-metadata-telemetry": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "Fleet-Usage-Logger": { "p50": 2190, "p90": 2190, "p95": 2190, "p99": 2190 }, "obs-ai-assistant:knowledge-base-migration": { "p50": 2189, "p90": 2189, "p95": 2189, "p99": 2189 }, "dashboard_telemetry": { "p50": 2452, "p90": 2452, "p95": 2452, "p99": 2452 }, "session_cleanup": { "p50": 2569, "p90": 2569, "p95": 2569, "p99": 2569 }, "ProductDocBase:EnsureUpToDate": { "p50": 2452, "p90": 2452, "p95": 2452, "p99": 2452 }, "apm-telemetry-task": { "p50": 2591, "p90": 2591, "p95": 2591, "p99": 2591 }, "ML:saved-objects-sync": { "p50": 2475, "p90": 2475, "p95": 2475, "p99": 2475 }, "apm-source-map-migration-task": { "p50": 1603.5, "p90": 2987, "p95": 2987, "p99": 2987 }, "actions_telemetry": { "p50": 771, "p90": 771, "p95": 771, "p99": 771 }, "alerting_telemetry": { "p50": 768, "p90": 768, "p95": 768, "p99": 768 }, "endpoint:metadata-check-transforms-task": { "p50": 834, "p90": 834, "p95": 834, "p99": 834 }, "endpoint:user-artifact-packager": { "p50": 529.5, "p90": 835, "p95": 835, "p99": 835 }, "fleet:bump_agent_policies": { "p50": 361, "p90": 361, "p95": 361, "p99": 361 } }, "load": { "p50": 10, "p90": 100, "p95": 100, "p99": 100 }, "execution": { "duration": { "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "p50": 24, "p90": 24, "p95": 24, "p99": 24 }, "fleet:check-deleted-files-task": { "p50": 24, "p90": 24, "p95": 24, "p99": 24 }, "osquery:telemetry-saved-queries": { "p50": 25, "p90": 25, "p95": 25, "p99": 25 }, "task_manager:mark_removed_tasks_as_unrecognized": { "p50": 28, "p90": 28, "p95": 28, "p99": 28 }, "task_manager:delete_inactive_background_task_nodes": { "p50": 7.5, "p90": 29, "p95": 29, "p99": 29 }, "alerts_invalidate_api_keys": { "p50": 34, "p90": 34, "p95": 34, "p99": 34 }, "fleet:unenroll-inactive-agents-task": { "p50": 39, "p90": 39, "p95": 39, "p99": 39 }, "alerting_health_check": { "p50": 42, "p90": 42, "p95": 42, "p99": 42 }, "Fleet-Usage-Sender": { "p50": 78, "p90": 78, "p95": 78, "p99": 78 }, "security:endpoint-diagnostics": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "logs-data-telemetry": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-lists": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-timelines": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "cases-telemetry-task": { "p50": 458, "p90": 458, "p95": 458, "p99": 458 }, "osquery:telemetry-packs": { "p50": 10, "p90": 10, "p95": 10, "p99": 10 }, "Fleet-Metrics-Task": { "p50": 5, "p90": 10, "p95": 10, "p99": 10 }, "fleet:delete-unenrolled-agents-task": { "p50": 11, "p90": 11, "p95": 11, "p99": 11 }, "osquery:telemetry-configs": { "p50": 12, "p90": 12, "p95": 12, "p99": 12 }, "endpoint:complete-external-response-actions": { "p50": 7, "p90": 11, "p95": 11, "p99": 11 }, "security:telemetry-detection-rules": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-prebuilt-rule-alerts": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:endpoint-meta-telemetry": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-filterlist-artifact": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "security:telemetry-diagnostic-timelines": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "security:telemetry-configuration": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "security:indices-metadata-telemetry": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "Fleet-Usage-Logger": { "p50": 18, "p90": 18, "p95": 18, "p99": 18 }, "obs-ai-assistant:knowledge-base-migration": { "p50": 8, "p90": 8, "p95": 8, "p99": 8 }, "dashboard_telemetry": { "p50": 12, "p90": 12, "p95": 12, "p99": 12 }, "session_cleanup": { "p50": 58, "p90": 58, "p95": 58, "p99": 58 }, "ProductDocBase:EnsureUpToDate": { "p50": 147, "p90": 147, "p95": 147, "p99": 147 }, "apm-telemetry-task": { "p50": 543, "p90": 543, "p95": 543, "p99": 543 }, "ML:saved-objects-sync": { "p50": 544, "p90": 544, "p95": 544, "p99": 544 }, "apm-source-map-migration-task": { "p50": 1649, "p90": 3282, "p95": 3282, "p99": 3282 }, "actions_telemetry": { "p50": 19, "p90": 19, "p95": 19, "p99": 19 }, "alerting_telemetry": { "p50": 64, "p90": 64, "p95": 64, "p99": 64 }, "endpoint:metadata-check-transforms-task": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "endpoint:user-artifact-packager": { "p50": 10, "p90": 13, "p95": 13, "p99": 13 }, "fleet:bump_agent_policies": { "p50": 9, "p90": 9, "p95": 9, "p99": 9 } }, "duration_by_persistence": { "recurring": { "p50": 9, "p90": 63.39999999999999, "p95": 474.99999999999966, "p99": 544 }, "non_recurring": { "p50": 14, "p90": 2968.500000000001, "p95": 3282, "p99": 3282 } }, "persistence": { "recurring": 88, "non_recurring": 12 }, "result_frequency_percent_as_number": { "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:check-deleted-files-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "osquery:telemetry-saved-queries": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "task_manager:mark_removed_tasks_as_unrecognized": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "task_manager:delete_inactive_background_task_nodes": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "alerts_invalidate_api_keys": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:unenroll-inactive-agents-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "alerting_health_check": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "Fleet-Usage-Sender": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:endpoint-diagnostics": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "logs-data-telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-lists": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-timelines": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "cases-telemetry-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "osquery:telemetry-packs": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "Fleet-Metrics-Task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:delete-unenrolled-agents-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "osquery:telemetry-configs": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "endpoint:complete-external-response-actions": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-detection-rules": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-prebuilt-rule-alerts": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:endpoint-meta-telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-filterlist-artifact": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-diagnostic-timelines": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-configuration": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:indices-metadata-telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "Fleet-Usage-Logger": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "obs-ai-assistant:knowledge-base-migration": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "dashboard_telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "session_cleanup": { "Success": 0, "RetryScheduled": 100, "Failed": 0, "status": "OK" }, "ProductDocBase:EnsureUpToDate": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "apm-telemetry-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "ML:saved-objects-sync": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "apm-source-map-migration-task": { "Success": 50, "RetryScheduled": 50, "Failed": 0, "status": "OK" }, "actions_telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "alerting_telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "endpoint:metadata-check-transforms-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "endpoint:user-artifact-packager": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:bump_agent_policies": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" } } } }, "status": "OK" }, "workload": { "timestamp": "2025-03-21T21:29:10.367Z", "value": { "count": 35, "cost": 70, "task_types": { "Fleet-Metrics-Task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "Fleet-Usage-Logger": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "Fleet-Usage-Sender": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "ML:saved-objects-sync": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "actions_telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "alerting_health_check": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "alerting_telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "alerts_invalidate_api_keys": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "apm-telemetry-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "cases-telemetry-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "dashboard_telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "endpoint:complete-external-response-actions": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "endpoint:metadata-check-transforms-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "endpoint:user-artifact-packager": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "fleet:check-deleted-files-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "fleet:delete-unenrolled-agents-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "fleet:unenroll-inactive-agents-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "logs-data-telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "osquery:telemetry-configs": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "osquery:telemetry-packs": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "osquery:telemetry-saved-queries": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:endpoint-diagnostics": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:endpoint-meta-telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:indices-metadata-telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-configuration": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-detection-rules": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-diagnostic-timelines": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-filterlist-artifact": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-lists": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-prebuilt-rule-alerts": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-timelines": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "session_cleanup": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "task_manager:delete_inactive_background_task_nodes": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "task_manager:mark_removed_tasks_as_unrecognized": { "count": 1, "cost": 2, "status": { "idle": 1 } } }, "non_recurring": 1, "non_recurring_cost": 2, "schedule": [ [ "1m", 2 ], [ "60s", 2 ], [ "5m", 2 ], [ "10m", 1 ], [ "15m", 1 ], [ "45m", 1 ], [ "1h", 9 ], [ "3600s", 1 ], [ "60m", 1 ], [ "2h", 1 ], [ "720m", 2 ], [ "24h", 7 ], [ "1d", 3 ], [ "1440m", 1 ] ], "overdue": 0, "overdue_cost": 0, "overdue_non_recurring": 0, "estimated_schedule_density": [ 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 ], "capacity_requirements": { "per_minute": 4, "per_hour": 46, "per_day": 27 } }, "status": "OK" }, "capacity_estimation": { "status": "OK", "reason": "Task Manager is healthy, the assumedRequiredThroughputPerMinutePerKibana (148.78541666666666) < capacityPerMinutePerKibana (1200)", "timestamp": "2025-03-21T21:30:04.780Z", "value": { "observed": { "observed_kibana_instances": 1, "max_throughput_per_minute_per_kibana": 1200, "max_throughput_per_minute": 1200, "minutes_to_drain_overdue": 0, "avg_recurring_required_throughput_per_minute": 5, "avg_recurring_required_throughput_per_minute_per_kibana": 5, "avg_required_throughput_per_minute": 149, "avg_required_throughput_per_minute_per_kibana": 149 }, "proposed": { "provisioned_kibana": 2, "min_required_kibana": 1, "avg_recurring_required_throughput_per_minute_per_kibana": 3, "avg_required_throughput_per_minute_per_kibana": 75 } } } } } get_connector_types_generativeai_response: summary: A list of connector types for the `generativeAI` feature. value: - id: .gen-ai name: OpenAI enabled: true enabled_in_config: true enabled_in_license: true minimum_license_required: enterprise supported_feature_ids: - generativeAIForSecurity - generativeAIForObservability - generativeAIForSearchPlayground is_system_action_type: false - id: .bedrock name: AWS Bedrock enabled: true enabled_in_config: true enabled_in_license: true minimum_license_required: enterprise supported_feature_ids: - generativeAIForSecurity - generativeAIForObservability - generativeAIForSearchPlayground is_system_action_type: false - id: .gemini name: Google Gemini enabled: true enabled_in_config: true enabled_in_license: true minimum_license_required: enterprise supported_feature_ids: - generativeAIForSecurity is_system_action_type: false get_connector_response: summary: Get connector details. value: id: df770e30-8b8b-11ed-a780-3b746c987a81 name: my_server_log_connector config: {} connector_type_id: .server-log is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false update_index_connector_request: summary: Update an index connector. value: name: updated-connector config: index: updated-index create_email_connector_request: summary: Create an email connector. value: name: email-connector-1 connector_type_id: .email config: from: tester@example.com hasAuth: true host: https://example.com port: 1025 secure: false service: other secrets: user: username password: password create_index_connector_request: summary: Create an index connector. value: name: my-connector connector_type_id: .index config: index: test-index create_webhook_connector_request: summary: Create a webhook connector with SSL authentication. value: name: my-webhook-connector connector_type_id: .webhook config: method: post url: https://example.com authType: webhook-authentication-ssl certType: ssl-crt-key secrets: crt: QmFnIEF0dH... key: LS0tLS1CRUdJ... password: my-passphrase create_xmatters_connector_request: summary: Create an xMatters connector with URL authentication. value: name: my-xmatters-connector connector_type_id: .xmatters config: usesBasic: false secrets: secretsUrl: https://example.com?apiKey=xxxxx create_email_connector_response: summary: A new email connector. value: id: 90a82c60-478f-11ee-a343-f98a117c727f connector_type_id: .email name: email-connector-1 config: from: tester@example.com service: other host: https://example.com port: 1025 secure: false hasAuth: true tenantId: null clientId: null oauthTokenUrl: null is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false create_index_connector_response: summary: A new index connector. value: id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad connector_type_id: .index name: my-connector config: index: test-index refresh: false executionTimeField: null is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false create_webhook_connector_response: summary: A new webhook connector. value: id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd name: my-webhook-connector config: method: post url: https://example.com authType: webhook-authentication-ssl certType: ssl-crt-key verificationMode: full headers: null hasAuth: true connector_type_id: .webhook is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false run_index_connector_request: summary: Run an index connector. value: params: documents: - id: my_doc_id name: my_doc_name message: hello, world run_jira_connector_request: summary: Run a Jira connector to retrieve the list of issue types. value: params: subAction: issueTypes run_servicenow_itom_connector_request: summary: Run a ServiceNow ITOM connector to retrieve the list of choices. value: params: subAction: getChoices subActionParams: fields: - severity - urgency run_slack_api_connector_request: summary: Run a Slack connector that uses the web API method to post a message on a channel. value: params: subAction: postMessage subActionParams: channelIds: - C123ABC456 text: A test message. run_swimlane_connector_request: summary: Run a Swimlane connector to create an incident. value: params: subAction: pushToService subActionParams: comments: - commentId: 1 comment: A comment about the incident. incident: caseId: '1000' caseName: Case name description: Description of the incident. run_index_connector_response: summary: Response from running an index connector. value: connector_id: fd38c600-96a5-11ed-bb79-353b74189cba data: errors: false items: - create: _id: 4JtvwYUBrcyxt2NnfW3y _index: my-index _primary_term: 1 _seq_no: 0 _shards: failed: 0 successful: 1 total: 2 _version: 1 result: created status: 201 took: 135 status: ok run_jira_connector_response: summary: Response from retrieving the list of issue types for a Jira connector. value: connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 data: - id: 10024 name: Improvement - id: 10006 name: Task - id: 10007 name: Sub-task - id: 10025 name: New Feature - id: 10023 name: Bug - id: 10000 name: Epic status: ok run_server_log_connector_response: summary: Response from running a server log connector. value: connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 status: ok run_servicenow_itom_connector_response: summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. value: connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 data: - dependent_value: '' element: severity label: Critical value: 1 - dependent_value: '' element: severity label: Major value: 2 - dependent_value: '' element: severity label: Minor value: 3 - dependent_value: '' element: severity label: Warning value: 4 - dependent_value: '' element: severity label: OK value: 5 - dependent_value: '' element: severity label: Clear value: 0 - dependent_value: '' element: urgency label: 1 - High value: 1 - dependent_value: '' element: urgency label: 2 - Medium value: 2 - dependent_value: '' element: urgency label: 3 - Low value: 3 status: ok run_slack_api_connector_response: summary: Response from posting a message with a Slack connector. value: status: ok data: ok: true channel: C123ABC456 ts: '1234567890.123456' message: bot_id: B12BCDEFGHI type: message text: A test message user: U12A345BC6D ts: '1234567890.123456' app_id: A01BC2D34EF blocks: - type: rich_text block_id: /NXe elements: - type: rich_text_section elements: - type: text text: A test message. team: T01ABCDE2F bot_profile: id: B12BCDEFGHI app_id: A01BC2D34EF name: test icons: image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png deleted: false updated: 1672169705 team_id: T01ABCDE2F connector_id: .slack_api run_swimlane_connector_response: summary: Response from creating a Swimlane incident. value: connector_id: a4746470-2f94-11ed-b0e0-87533c532698 data: id: aKPmBHWzmdRQtx6Mx title: TEST-457 url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx pushedDate: '2022-09-08T16:52:27.866Z' comments: - commentId: 1 pushedDate: '2022-09-08T16:52:27.865Z' status: ok get_connectors_response: summary: A list of connectors value: - id: preconfigured-email-connector name: my-preconfigured-email-notification connector_type_id: .email is_preconfigured: true is_deprecated: false referenced_by_count: 0 is_system_action: false - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 name: my-index-connector config: index: test-index refresh: false executionTimeField: null connector_type_id: .index is_preconfigured: false is_deprecated: false referenced_by_count: 2 is_missing_secrets: false is_system_action: false get_roles_response1: summary: Get all role details value: - name: my_kibana_role description: My kibana role description metadata: version: 1 transient_metadata: enabled: true elasticsearch: indices: [] cluster: [] run_as: [] kibana: - base: - all feature: {} spaces: - '*' - name: my_admin_role description: My admin role description metadata: version: 1 transient_metadata: enabled: true elasticsearch: cluster: - all indices: - names: - index1 - index2 privileges: - all field_security: grant: - title - body query: '{\"match\": {\"title\": \"foo\"}}' kibana: [] get_role_response1: summary: Get role details value: name: my_kibana_role description: Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space. metadata: version: 1 transient_metadata: enabled: true elasticsearch: cluster: - all remote_cluster: - privileges: - monitor_enrich clusters: - remote_cluster1 indices: - names: - index1 - index2 privileges: - all allow_restricted_indices: false remote_indices: - names: - remote_index1 - remote_index2 privileges: - all allow_restricted_indices: false clusters: - remote_cluster1 run_as: [] kibana: - base: - all feature: {} spaces: - default _transform_error: [] _unrecognized_applications: [] create_role_request1: summary: Feature privileges in multiple spaces description: Grant access to various features in some spaces. value: description: Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces. metadata: version: 1 elasticsearch: cluster: [] indices: [] kibana: - base: [] feature: discover: - all dashboard: - all spaces: - default - base: - read spaces: - marketing - sales create_role_request2: summary: Dashboard privileges in a space description: Grant access to dashboard features in a Marketing space. value: description: Grant dashboard access in the Marketing space. metadata: version: 1 elasticsearch: cluster: [] indices: [] kibana: - base: [] feature: dashboard: - read spaces: - marketing create_role_request3: summary: Feature privileges in a space description: Grant full access to all features in the default space. value: metadata: version: 1 elasticsearch: cluster: [] indices: [] kibana: - base: - all feature: {} spaces: - default create_role_request4: summary: Elasticsearch and Kibana feature privileges description: Grant Elasticsearch and Kibana feature privileges. value: description: Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space. metadata: version: 1 elasticsearch: cluster: - all indices: - names: - index1 - index2 privileges: - all remote_indices: - clusters: - remote_cluster1 names: - remote_index1 - remote_index2 privileges: - all remote_cluster: - clusters: - remote_cluster1 privileges: - monitor_enrich kibana: - base: - all feature: {} spaces: - default copy_saved_objects_request1: summary: Copy with createNewCopies description: | Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. value: objects: - type: dashboard id: my-dashboard spaces: - marketing includeReferences: true copy_saved_objects_request2: summary: Copy without createNewCopies description: | Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. value: objects: - type: dashboard id: my-dashboard spaces: - marketing includeReferences: true createNewCopies: false copy_saved_objects_response1: summary: Copy with createNewCopies description: | The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. The result indicates a successful copy and all three objects are created. Since these objects were created as new copies, each entry in the successResults array includes a destinationId attribute. value: marketing: success: true successCount: 3 successResults: - id: my-dashboard type: dashboard destinationId: 1e127098-5b80-417f-b0f1-c60c8395358f meta: icon: dashboardApp title: Look at my dashboard - id: my-vis type: visualization destinationId: a610ed80-1c73-4507-9e13-d3af736c8e04 meta: icon: visualizeApp title: Look at my visualization - id: my-index-pattern type: index-pattern destinationId: bc3c9c70-bf6f-4bec-b4ce-f4189aa9e26b meta: icon: indexPatternApp title: my-pattern-* copy_saved_objects_response2: summary: Copy without createNewCopies description: | The response for successfully copying a dashboard with the my-dashboard ID with createNewCopies turned off. The result indicates a successful copy and all three objects are created. value: marketing: success: true successCount: 3 successResults: - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard - id: my-vis type: visualization meta: icon: visualizeApp title: Look at my visualization - id: my-index-pattern type: index-pattern meta: icon: indexPatternApp title: my-pattern-* copy_saved_objects_response3: summary: Failed copy response with conflict errors description: | A response for a failed copy of a dashboard with the my-dashboard ID including all references from the default space to the marketing and sales spaces. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to an index pattern. The result indicates a successful copy for the marketing space and an unsuccessful copy for the sales space because the data view, visualization, and Canvas workpad each resulted in a conflict error. Objects are created when the error is resolved using the resolve copy conflicts API. value: marketing: success: true successCount: 4 successResults: - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard - id: my-vis type: visualization meta: icon: visualizeApp title: Look at my visualization - id: my-canvas type: canvas-workpad meta: icon: canvasApp title: Look at my canvas - id: my-index-pattern type: index-pattern meta: icon: indexPatternApp title: my-pattern-* sales: success: false successCount: 1, errors: - id: my-pattern type: index-pattern title: my-pattern-* error: type: conflict meta: icon: indexPatternApp title: my-pattern-* - id: my-visualization type: my-vis title: Look at my visualization error: type: conflict destinationId: another-vis meta: icon: visualizeApp title: Look at my visualization - id: my-canvas type: canvas-workpad title: Look at my canvas error: type: ambiguous_conflict destinations: - id: another-canvas title: Look at another canvas updatedAt: '2020-07-08T16:36:32.377Z' - id: yet-another-canvas title: Look at yet another canvas updatedAt: '2020-07-05T12:29:54.849Z' meta: icon: canvasApp title: Look at my canvas successResults": - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard copy_saved_objects_response4: summary: Failed copy with missing reference errors description: | The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to a data view. The result indicates an unsuccessful copy because the visualization resulted in a missing references error. Objects are created when the errors are resolved using the resolve copy conflicts API. value: marketing: success: false successCount: 2 errors: - id: my-vis type: visualization title: Look at my visualization error: type: missing_references references: - type: index-pattern id: my-pattern-* meta: icon: visualizeApp title: Look at my visualization successResults: - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard - id: my-canvas type: canvas-workpad meta: icon: canvasApp title: Look at my canvas disable_legacy_url_request1: summary: Disable legacy URL aliases description: | This request leaves the alias intact but the legacy URL for this alias (http://localhost:5601/s/bills-space/app/dashboards#/view/123) will no longer function. The dashboard still exists and you can access it with the new URL. value: aliases: - targetSpace: bills-space targetType: dashboard sourceId: 123 resolve_copy_saved_objects_request1: summary: Resolve conflict errors description: | Resolve conflict errors for a data view, visualization, and Canvas workpad by overwriting the existing saved objects. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard accordingly. value: objects: - type: dashboard id: my-dashboard includeReferences: true createNewCopies: false retries: sales: - type: index-pattern id: my-pattern overwrite: true - type: visualization id: my-vis overwrite: true, destinationId: another-vis - type: canvas id: my-canvas overwrite: true destinationId: yet-another-canvas - type: dashboard id: my-dashboard resolve_copy_saved_objects_request2: summary: Resolve missing reference errors description: | Resolve missing reference errors for a visualization by ignoring the error. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard and canvas accordingly. value: objects: - type: dashboard id: my-dashboard includeReferences: true createNewCopies: false retries: marketing: - type: visualization id: my-vis ignoreMissingReferences: true - type: canvas id: my-canvas - type: dashboard id: my-dashboard update_saved_objects_spaces_request1: summary: Update saved object spaces description: Update the spaces of each saved object and all its references. value: objects: - type: index-pattern id: 90943e30-9a47-11e8-b64d-95841ca0b247 spacesToAdd: - test spacesToRemove: [] update_saved_objects_spaces_response1: summary: Update saved object spaces description: | The response from updating the spaces of saved objects. value: objects: - type: index-pattern id: 90943e30-9a47-11e8-b64d-95841ca0b247 spaces: - default - test get_spaces_response1: summary: Get all spaces description: Get all spaces without specifying any options. value: - id: default name: Default description: This is the Default Space disabledFeatures: [] imageUrl: '' _reserved: true - id: marketing name: Marketing description: This is the Marketing Space color: null disabledFeatures: - apm initials: MK imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU - id: sales name: Sales initials: MK disabledFeatures: - discover imageUr": '' solution: oblt get_spaces_response2: summary: Get all spaces with custom options description: | The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" value: - id: default name: Default description: This is the Default Space disabledFeatures: [] imageUrl: '' _reserved: true authorizedPurposes: any: true copySavedObjectsIntoSpace: true findSavedObjects: true shareSavedObjectsIntoSpace: true - id: marketing name: Marketing description: This is the Marketing Space color: null disabledFeatures: - apm initials: MK imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSU authorizedPurposes: any: true copySavedObjectsIntoSpace: true findSavedObjects: true shareSavedObjectsIntoSpace: true - id: sales name: Sales initials: MK disabledFeatures: - discover imageUrl: '' authorizedPurposes: any: true copySavedObjectsIntoSpace: false findSavedObjects: true shareSavedObjectsIntoSpace: false create_space_request: summary: Create a marketing space value: id: marketing name: Marketing description: This is the Marketing Space color: null initials: MK disabledFeatures: [] imageUrl: data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAD4AAABACAYAAABC6cT1AAAGf0lEQVRoQ+3abYydRRUH8N882xYo0IqagEVjokQJKAiKBjXExC9G/aCkGowCIghCkRcrVSSKIu/FEiqgGL6gBIlAYrAqUTH6hZgQFVEMKlQFfItWoQWhZe8z5uzMLdvbfbkLxb13d+fbvfe588x/zpn/+Z9zJpmnI81T3BaAzzfLL1h8weLzZAcWXH2eGHo7zAWLL1h8nuzAjFw9G1N6Kzq8HnuM36MR8iibF3Fv4q+7cv8yDV6K13bYq2furSP8Ag8ncr/vnSnwRViJT2GfCV7yL1yHGxLb+l3EdM9lluNEnIC9xz+f2ZL4Er6Z2DrdXN3fZwp8CU7OfDHxggle8lTLbQ1nJ/7Z7yKmey5zYGZt4h2IzR8/trRc2PDlxJPTzfVcgJ+CC0wMPOa9F6cm7up3EVM9V9386MxliVdM8GwAv6hh/awCz/w7lY25OtF5ruBz4ZLP42NYNrDAFbC3YPWuILnMAfgq3oaRQQYea/stViV+sgssvjKzLvGySeaaNVfP4d7Btokgvxj/bblgpueuF1hmWcyTCmfE3J3M1lTcv0vMswM88zR+jpw4osu6me8kzkpsfLZWzxyRuabO22buxxOJ12FxnXfWgEe83pB5sOE47BsLymzscOoi7nw2JJfZreUjiUsTyzKPZm5NvBDvSuw268AzNzV8H5/Am+qCnsAXgpgSW2Zq9cyKlksbPlTd+te4quWNieMHBfiNDdciYnwsdI/MaOaWhnMTf54J8CqNj8x8JXFIZltYu+HqlmNT8YSBsHgAPw/vxvlVV4du/s0oaxbxg0TbL/jMni0nNcVjQq7+HZfgtpbzBg342TgQ63AkmsymxBW4IjE6A+D7Vzd/fyWxIM/VuCe+HzTgZ2Jpy/kNJ2FJLmLm24mPJ/42A+Bvrxt4SISwlhsaPodH26LZB8rVA3inwwebsrixJCZzX+KMxI/7AV61eVh3DV6Mx3EOvh4kN6jAg8nfUCXm4d1wE66OyxNPTQc+s3/o/MoXizL3JE5O3F3P/uBZPPF4Zr+Wi5uSO48ZPRdyCwn7YB/A35m5KhWNHox4fcNnIs0ddOCRSBxf8+cQG+Huf0l8NJVYP+nI7NXy2ar4QqIGm69JfKPOE2w/mBavCzwM11R2D+ChsUO7hyUfmwx55qDM1xJvqZ7y08TpifuGBfjeURVJnNIVGpkNiXNS0ds7jcySDitDCCWW56LJ10fRo8sNA+3qXUSZD2CtQlZh9T+1rB7h9oliembflnMbzqgSNZKbKGHdPm7OwXb1CvQ1metSETMpszmzvikCJNh/h5E5PHNl4qga/+/cxqrdeWDYgIe7X5L4cGJPJX2940lOX8pD41FnFnc4riluvQKbK0dcHJFi2IBHNTQSlguru4d2/wPOTNzRA3x5y+U1E1uqWDkETOT026XuUJzx6u7ReLhSYenQ7uHua0fKZmwfmcPqsQjxE5WVONcRxn7X89zgn/EKPMRMxOVQXmP18Mx3q3b/Y/0cQE/IhFtHESMsHFlZ1Ml3CH3DZPHImY+pxcKumNmYirtvqMBfhMuU6s3iqOQkTsMPe1tCQwO8Ajs0lxr7W+vnp1MJc9EgCNd/cy6x+9D4veXmprj5wxMw/3C4egW6zzgZOlYZzfwo3F2J7ael0pJamvlPKgWNKFft1AAcKotXoFEbD7kaoSoQPVKB35+5KHF0lai/rJo+up87jWEE/qqqwY+qrL21LWLm95lPJ16ppKw31XC3PXYPJauPEx7B6BHCgrSizRs18qiaRp8tlN3ueCTYPHH9RNaunjI8Z7wLYpT3jZSCYXQ8e9vTsRE/q+no3XMKeObgGtaintbb/AvXj4JDkNw/5hrwYPfIvlZFUbLn7G5q+eQIN09Vnho6cqvnM/Lt99RixH49wO8K0ZL41WTWHoQzvsNVkOheZqKhEGpsp3SzB+BBtZAYve7uOR9tuTaaB6l0XScdYfEQPpkTUyHEGP+XqyDBzu+NBCITUjNWHynkrbWKOuWFn1xKzqsyx0bdvS78odp0+N503Zao0uCsWuSIDku8/7EO60b41vN5+Ses9BKlTdvd8bhp9EBvJjWJAIn/vxwHe6b3tSk6JFPV4nq85oAOrx555v/x/rh3E6Lo+bnuNS4uB4Cuq0ZfvO8X1rM6q/+vnjLVqZq7v83onttc2oYF4HPJmv1gWbB4P7s0l55ZsPhcsmY/WBYs3s8uzaVn5q3F/wf70mRuBCtbjQAAAABJRU5ErkJggg== get_space_response: summary: Get details about a marketing space value: id: marketing name: Marketing description: This is the Marketing Space color: null initials: MK disabledFeatures: [] imageUrl: '' solution: es update_space_request: summary: Update a marketing space description: Update the marketing space to remove the imageUrl. value: id: marketing name: Marketing description: This is the Marketing Space color: null initials: MK disabledFeatures: [] imageUrl: '' parameters: APM_UI_elastic_api_version: description: The version of the API to use in: header name: elastic-api-version required: true schema: default: '2023-10-31' enum: - '2023-10-31' type: string APM_UI_kbn_xsrf: description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string Cases_alert_id: description: An identifier for the alert. in: path name: alertId required: true schema: example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 type: string Cases_assignees_filter: description: | Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. in: query name: assignees schema: oneOf: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_case_id: description: The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. in: path name: caseId required: true schema: example: 9c235210-6834-11ea-a78c-6ffb38a34414 type: string Cases_category: description: Filters the returned cases by category. in: query name: category schema: oneOf: - $ref: '#/components/schemas/Cases_case_category' - $ref: '#/components/schemas/Cases_case_categories' Cases_comment_id: description: | The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. in: path name: commentId required: true schema: example: 71ec1870-725b-11ea-a0b2-c51ea50a58e2 type: string Cases_configuration_id: description: An identifier for the configuration. in: path name: configurationId required: true schema: example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 type: string Cases_connector_id: description: An identifier for the connector. To retrieve connector IDs, use the find connectors API. in: path name: connectorId required: true schema: example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 type: string Cases_defaultSearchOperator: description: he default operator to use for the simple_query_string. example: OR in: query name: defaultSearchOperator schema: default: OR type: string Cases_from: description: | Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. in: query name: from schema: example: now-1d type: string Cases_ids: description: | The cases that you want to removed. All non-ASCII characters must be URL encoded. example: d4e7abb0-b462-11ec-9a8d-698504725a43 in: query name: ids required: true schema: items: maxItems: 100 minItems: 1 type: string type: array Cases_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string Cases_owner_filter: description: | A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. example: cases in: query name: owner schema: oneOf: - $ref: '#/components/schemas/Cases_owner' - $ref: '#/components/schemas/Cases_owners' Cases_page_index: description: The page number to return. in: query name: page required: false schema: default: 1 type: integer Cases_page_size: description: The number of items to return. Limited to 100 items. in: query name: perPage required: false schema: default: 20 maximum: 100 type: integer Cases_reporters: description: Filters the returned cases by the user name of the reporter. example: elastic in: query name: reporters schema: oneOf: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_search: description: An Elasticsearch simple_query_string query that filters the objects in the response. in: query name: search schema: type: string Cases_searchFields: description: The fields to perform the simple_query_string parsed query against. in: query name: searchFields schema: oneOf: - $ref: '#/components/schemas/Cases_searchFieldsType' - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' Cases_severity: description: The severity of the case. in: query name: severity schema: enum: - critical - high - low - medium type: string Cases_sort_order: description: Determines the sort order. in: query name: sortOrder required: false schema: default: desc enum: - asc - desc type: string Cases_sortField: description: Determines which field is used to sort the results. example: updatedAt in: query name: sortField schema: default: createdAt enum: - createdAt - updatedAt - closedAt - title - category - status - severity type: string Cases_status: description: Filters the returned cases by state. example: open in: query name: status schema: enum: - closed - in-progress - open type: string Cases_tags: description: Filters the returned cases by tags. example: tag-1 in: query name: tags schema: oneOf: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_to: description: | Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. example: now+1d in: query name: to schema: type: string Cases_user_action_types: description: Determines the types of user actions to return. example: create_case in: query name: types schema: items: enum: - action - alert - assignees - attachment - comment - connector - create_case - description - pushed - settings - severity - status - tags - title - user type: string type: array Data_views_field_name: description: The name of the runtime field. in: path name: fieldName required: true schema: example: hour_of_day type: string Data_views_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string Data_views_view_id: description: An identifier for the data view. in: path name: viewId required: true schema: example: ff959d40-b880-11e8-a6d9-e546fe2bba5f type: string Machine_learning_APIs_simulateParam: description: When true, simulates the synchronization by returning only the list of actions that would be performed. example: 'true' in: query name: simulate required: false schema: type: boolean Saved_objects_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string Saved_objects_saved_object_id: description: An identifier for the saved object. in: path name: id required: true schema: type: string Saved_objects_saved_object_type: description: Valid options include `visualization`, `dashboard`, `search`, `index-pattern`, `config`. in: path name: type required: true schema: type: string Short_URL_APIs_idParam: description: The identifier for the short URL. in: path name: id required: true schema: type: string SLOs_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string SLOs_slo_id: description: An identifier for the slo. in: path name: sloId required: true schema: example: 9c235211-6834-11ea-a78c-6feb38a34414 type: string SLOs_space_id: description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. in: path name: spaceId required: true schema: example: default type: string schemas: Alerting_401_response: properties: error: enum: - Unauthorized example: Unauthorized type: string message: type: string statusCode: enum: - 401 example: 401 type: integer title: Unsuccessful rule API response type: object Alerting_fieldmap_properties: title: Field map objects in the get rule types response type: object properties: array: description: Indicates whether the field is an array. type: boolean dynamic: description: Indicates whether it is a dynamic field mapping. type: boolean format: description: | Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`. type: string ignore_above: description: Specifies the maximum length of a string field. Longer strings are not indexed or stored. type: integer index: description: Indicates whether field values are indexed. type: boolean path: description: TBD type: string properties: additionalProperties: type: object properties: type: description: The data type for each object property. type: string description: | Details about the object properties. This property is applicable when `type` is `object`. type: object required: description: Indicates whether the field is required. type: boolean scaling_factor: description: | The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value. type: integer type: description: Specifies the data type for the field. example: scaled_float type: string APM_UI_400_response: type: object properties: error: description: Error type example: Not Found type: string message: description: Error message example: Not Found type: string statusCode: description: Error status code example: 400 type: number APM_UI_401_response: type: object properties: error: description: Error type example: Unauthorized type: string message: description: Error message type: string statusCode: description: Error status code example: 401 type: number APM_UI_403_response: type: object properties: error: description: Error type example: Forbidden type: string message: description: Error message type: string statusCode: description: Error status code example: 403 type: number APM_UI_404_response: type: object properties: error: description: Error type example: Not Found type: string message: description: Error message example: Not Found type: string statusCode: description: Error status code example: 404 type: number APM_UI_500_response: type: object properties: error: description: Error type example: Internal Server Error type: string message: description: Error message type: string statusCode: description: Error status code example: 500 type: number APM_UI_501_response: type: object properties: error: description: Error type example: Not Implemented type: string message: description: Error message example: Not Implemented type: string statusCode: description: Error status code example: 501 type: number APM_UI_agent_configuration_intake_object: type: object properties: agent_name: description: The agent name is used by the UI to determine which settings to display. type: string service: $ref: '#/components/schemas/APM_UI_service_object' settings: $ref: '#/components/schemas/APM_UI_settings_object' required: - service - settings APM_UI_agent_configuration_object: description: Agent configuration type: object properties: '@timestamp': description: Timestamp example: 1730194190636 type: number agent_name: description: Agent name type: string applied_by_agent: description: Applied by agent example: true type: boolean etag: description: | `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`. example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 type: string service: $ref: '#/components/schemas/APM_UI_service_object' settings: $ref: '#/components/schemas/APM_UI_settings_object' required: - service - settings - '@timestamp' - etag APM_UI_agent_configurations_response: type: object properties: configurations: description: Agent configuration items: $ref: '#/components/schemas/APM_UI_agent_configuration_object' type: array APM_UI_agent_keys_object: type: object properties: name: description: The name of the APM agent key. type: string privileges: description: | The APM agent key privileges. It can take one or more of the following values: * `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely. items: enum: - event:write - config_agent:read type: string type: array required: - name - privileges APM_UI_agent_keys_response: type: object properties: agentKey: description: Agent key type: object properties: api_key: type: string encoded: type: string expiration: format: int64 type: integer id: type: string name: type: string required: - id - name - api_key - encoded APM_UI_annotation_search_response: type: object properties: annotations: description: Annotations items: type: object properties: '@timestamp': type: number id: type: string text: type: string type: enum: - version type: string type: array APM_UI_base_source_map_object: type: object properties: compressionAlgorithm: description: Compression Algorithm type: string created: description: Created date type: string decodedSha256: description: Decoded SHA-256 type: string decodedSize: description: Decoded size type: number encodedSha256: description: Encoded SHA-256 type: string encodedSize: description: Encoded size type: number encryptionAlgorithm: description: Encryption Algorithm type: string id: description: Identifier type: string identifier: description: Identifier type: string packageName: description: Package name type: string relative_url: description: Relative URL type: string type: description: Type type: string APM_UI_create_annotation_object: type: object properties: '@timestamp': description: The date and time of the annotation. It must be in ISO 8601 format. type: string message: description: The message displayed in the annotation. It defaults to `service.version`. type: string service: description: The service that identifies the configuration to create or update. type: object properties: environment: description: The environment of the service. type: string version: description: The version of the service. type: string required: - version tags: description: | Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag. items: type: string type: array required: - '@timestamp' - service APM_UI_create_annotation_response: type: object properties: _id: description: Identifier type: string _index: description: Index type: string _source: description: Response type: object properties: '@timestamp': type: string annotation: type: object properties: title: type: string type: type: string event: type: object properties: created: type: string message: type: string service: type: object properties: environment: type: string name: type: string version: type: string tags: items: type: string type: array APM_UI_delete_agent_configurations_response: type: object properties: result: description: Result type: string APM_UI_search_agent_configuration_object: type: object properties: etag: description: If etags match then `applied_by_agent` field will be set to `true` example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 type: string mark_as_applied_by_agent: description: | `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". This is needed for Jaeger agent that doesn't have etags type: boolean service: $ref: '#/components/schemas/APM_UI_service_object' required: - service APM_UI_search_agent_configuration_response: type: object properties: _id: description: Identifier type: string _index: description: Index type: string _score: description: Score type: number _source: $ref: '#/components/schemas/APM_UI_agent_configuration_object' APM_UI_service_agent_name_response: type: object properties: agentName: description: Agent name example: nodejs type: string APM_UI_service_environment_object: type: object properties: alreadyConfigured: description: Already configured type: boolean name: description: Service environment name example: ALL_OPTION_VALUE type: string APM_UI_service_environments_response: type: object properties: environments: description: Service environment list items: $ref: '#/components/schemas/APM_UI_service_environment_object' type: array APM_UI_service_object: description: Service type: object properties: environment: description: The environment of the service. example: prod type: string name: description: The name of the service. example: node type: string APM_UI_settings_object: additionalProperties: type: string description: Agent configuration settings type: object APM_UI_single_agent_configuration_response: allOf: - type: object properties: id: type: string required: - id - $ref: '#/components/schemas/APM_UI_agent_configuration_object' APM_UI_source_maps_response: type: object properties: artifacts: description: Artifacts items: allOf: - type: object properties: body: type: object properties: bundleFilepath: type: string serviceName: type: string serviceVersion: type: string sourceMap: type: object properties: file: type: string mappings: type: string sourceRoot: type: string sources: items: type: string type: array sourcesContent: items: type: string type: array version: type: number - $ref: '#/components/schemas/APM_UI_base_source_map_object' type: array APM_UI_upload_source_map_object: type: object properties: bundle_filepath: description: The absolute path of the final bundle as used in the web application. type: string service_name: description: The name of the service that the service map should apply to. type: string service_version: description: The version of the service that the service map should apply to. type: string sourcemap: description: | The source map. It can be a string or file upload. It must follow the [source map format specification](https://tc39.es/ecma426/). format: binary type: string required: - service_name - service_version - bundle_filepath - sourcemap APM_UI_upload_source_maps_response: allOf: - type: object properties: body: type: string - $ref: '#/components/schemas/APM_UI_base_source_map_object' Cases_4xx_response: properties: error: example: Unauthorized type: string message: type: string statusCode: example: 401 type: integer title: Unsuccessful cases API response type: object Cases_actions: enum: - add - create - delete - push_to_service - update example: create type: string Cases_add_alert_comment_request_properties: description: Defines properties for case comment requests when type is alert. type: object properties: alertId: $ref: '#/components/schemas/Cases_alert_identifiers' index: $ref: '#/components/schemas/Cases_alert_indices' owner: $ref: '#/components/schemas/Cases_owner' rule: $ref: '#/components/schemas/Cases_rule' type: description: The type of comment. enum: - alert example: alert type: string required: - alertId - index - owner - rule - type title: Add case comment request properties for alerts Cases_add_case_comment_request: description: The add comment to case API request body varies depending on whether you are adding an alert or a comment. discriminator: mapping: alert: '#/components/schemas/Cases_add_alert_comment_request_properties' user: '#/components/schemas/Cases_add_user_comment_request_properties' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' title: Add case comment request Cases_add_case_file_request: description: Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined. type: object properties: file: description: The file being attached to the case. format: binary type: string filename: description: The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. **This should not include the file extension.** type: string required: - file title: Add case file request properties Cases_add_user_comment_request_properties: description: Defines properties for case comment requests when type is user. properties: comment: description: The new comment. It is required only when `type` is `user`. example: A new comment. maxLength: 30000 type: string owner: $ref: '#/components/schemas/Cases_owner' type: description: The type of comment. enum: - user example: user type: string required: - comment - owner - type title: Add case comment request properties for user comments type: object Cases_alert_comment_response_properties: title: Add case comment response properties for alerts type: object properties: alertId: items: example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 type: string type: array created_at: example: '2023-11-06T19:29:38.424Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username id: example: 73362370-ab1a-11ec-985f-97e55adae8b9 type: string index: items: example: .internal.alerts-security.alerts-default-000001 type: string type: array owner: $ref: '#/components/schemas/Cases_owner' pushed_at: example: null format: date-time nullable: true type: string pushed_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username rule: type: object properties: id: description: The rule identifier. example: 94d80550-aaf4-11ec-985f-97e55adae8b9 type: string name: description: The rule name. example: security_rule type: string type: enum: - alert example: alert type: string updated_at: format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzMwNDgsMV0= type: string required: - type Cases_alert_identifiers: description: | The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 oneOf: - type: string - items: type: string maxItems: 1000 type: array title: Alert identifiers x-state: Technical preview Cases_alert_indices: description: | The alert indices. It is required only when `type` is `alert`. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. oneOf: - type: string - items: type: string maxItems: 1000 type: array title: Alert indices x-state: Technical preview Cases_alert_response_properties: type: object properties: attached_at: format: date-time type: string id: description: The alert identifier. type: string index: description: The alert index. type: string Cases_assignees: description: An array containing users that are assigned to the case. items: type: object properties: uid: description: A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API. example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 type: string required: - uid maxItems: 10 nullable: true type: array Cases_case_categories: items: $ref: '#/components/schemas/Cases_case_category' maxItems: 100 type: array Cases_case_category: description: A word or phrase that categorizes the case. maxLength: 50 type: string Cases_case_description: description: The description for the case. maxLength: 30000 type: string Cases_case_response_closed_by_properties: nullable: true properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username title: Case response properties for closed_by type: object Cases_case_response_created_by_properties: title: Case response properties for created_by type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username Cases_case_response_properties: title: Case response properties type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: description: The case category. nullable: true type: string closed_at: format: date-time nullable: true type: string closed_by: $ref: '#/components/schemas/Cases_case_response_closed_by_properties' comments: description: An array of comment objects for the case. items: discriminator: mapping: alert: '#/components/schemas/Cases_alert_comment_response_properties' user: '#/components/schemas/Cases_user_comment_response_properties' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - $ref: '#/components/schemas/Cases_user_comment_response_properties' maxItems: 10000 title: Case response properties for comments type: array connector: discriminator: mapping: .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' .jira: '#/components/schemas/Cases_connector_properties_jira' .none: '#/components/schemas/Cases_connector_properties_none' .resilient: '#/components/schemas/Cases_connector_properties_resilient' .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_connector_properties_none' - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - $ref: '#/components/schemas/Cases_connector_properties_jira' - $ref: '#/components/schemas/Cases_connector_properties_resilient' - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - $ref: '#/components/schemas/Cases_connector_properties_swimlane' title: Case response properties for connectors created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: $ref: '#/components/schemas/Cases_case_response_created_by_properties' customFields: description: Custom field values for the case. items: type: object properties: key: description: | The unique identifier for the custom field. The key value must exist in the case configuration settings. type: string type: description: | The custom field type. It must match the type specified in the case configuration settings. enum: - text - toggle type: string value: description: | The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. oneOf: - maxLength: 160 minLength: 1 nullable: true type: string - type: boolean type: array description: example: A case description. type: string duration: description: | The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. example: 120 nullable: true type: integer external_service: $ref: '#/components/schemas/Cases_external_service' id: example: 66b9aa00-94fa-11ea-9f74-e7e108796192 type: string owner: $ref: '#/components/schemas/Cases_owner' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' status: $ref: '#/components/schemas/Cases_case_status' tags: example: - tag-1 items: type: string type: array title: example: Case title 1 type: string totalAlerts: example: 0 type: integer totalComment: example: 0 type: integer updated_at: format: date-time nullable: true type: string updated_by: $ref: '#/components/schemas/Cases_case_response_updated_by_properties' version: example: WzUzMiwxXQ== type: string required: - closed_at - closed_by - comments - connector - created_at - created_by - description - duration - external_service - id - owner - settings - severity - status - tags - title - totalAlerts - totalComment - updated_at - updated_by - version Cases_case_response_pushed_by_properties: nullable: true properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username title: Case response properties for pushed_by type: object Cases_case_response_updated_by_properties: nullable: true properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username title: Case response properties for updated_by type: object Cases_case_severity: default: low description: The severity of the case. enum: - critical - high - low - medium type: string Cases_case_status: description: The status of the case. enum: - closed - in-progress - open type: string Cases_case_tags: description: | The words and phrases that help categorize cases. It can be an empty array. items: maxLength: 256 type: string maxItems: 200 type: array Cases_case_title: description: A title for the case. maxLength: 160 type: string Cases_closure_types: description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`). enum: - close-by-pushing - close-by-user example: close-by-user type: string Cases_connector_properties_cases_webhook: description: Defines properties for connectors when type is `.cases-webhook`. type: object properties: fields: example: null nullable: true type: string id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .cases-webhook example: .cases-webhook type: string required: - fields - id - name - type title: Create or upate case request properties for Cases Webhook connector Cases_connector_properties_jira: description: Defines properties for connectors when type is `.jira`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: issueType: description: The type of issue. nullable: true type: string parent: description: The key of the parent issue, when the issue type is sub-task. nullable: true type: string priority: description: The priority of the issue. nullable: true type: string required: - issueType - parent - priority id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .jira example: .jira type: string required: - fields - id - name - type title: Create or update case request properties for a Jira connector Cases_connector_properties_none: description: Defines properties for connectors when type is `.none`. type: object properties: fields: description: An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null. example: null nullable: true type: string id: description: The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. example: none type: string name: description: The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. example: none type: string type: description: The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`. enum: - .none example: .none type: string required: - fields - id - name - type title: Create or update case request properties for no connector Cases_connector_properties_resilient: description: Defines properties for connectors when type is `.resilient`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. nullable: true type: object properties: issueTypes: description: The type of incident. items: type: string type: array severityCode: description: The severity code of the incident. type: string required: - issueTypes - severityCode id: description: The identifier for the connector. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .resilient example: .resilient type: string required: - fields - id - name - type title: Create case request properties for a IBM Resilient connector Cases_connector_properties_servicenow: description: Defines properties for connectors when type is `.servicenow`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: category: description: The category of the incident. nullable: true type: string impact: description: The effect an incident had on business. nullable: true type: string severity: description: The severity of the incident. nullable: true type: string subcategory: description: The subcategory of the incident. nullable: true type: string urgency: description: The extent to which the incident resolution can be delayed. nullable: true type: string required: - category - impact - severity - subcategory - urgency id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .servicenow example: .servicenow type: string required: - fields - id - name - type title: Create case request properties for a ServiceNow ITSM connector Cases_connector_properties_servicenow_sir: description: Defines properties for connectors when type is `.servicenow-sir`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: category: description: The category of the incident. nullable: true type: string destIp: description: Indicates whether cases will send a comma-separated list of destination IPs. nullable: true type: boolean malwareHash: description: Indicates whether cases will send a comma-separated list of malware hashes. nullable: true type: boolean malwareUrl: description: Indicates whether cases will send a comma-separated list of malware URLs. nullable: true type: boolean priority: description: The priority of the issue. nullable: true type: string sourceIp: description: Indicates whether cases will send a comma-separated list of source IPs. nullable: true type: boolean subcategory: description: The subcategory of the incident. nullable: true type: string required: - category - destIp - malwareHash - malwareUrl - priority - sourceIp - subcategory id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .servicenow-sir example: .servicenow-sir type: string required: - fields - id - name - type title: Create case request properties for a ServiceNow SecOps connector Cases_connector_properties_swimlane: description: Defines properties for connectors when type is `.swimlane`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: caseId: description: The case identifier for Swimlane connectors. nullable: true type: string required: - caseId id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .swimlane example: .swimlane type: string required: - fields - id - name - type title: Create case request properties for a Swimlane connector Cases_connector_types: description: The type of connector. enum: - .cases-webhook - .jira - .none - .resilient - .servicenow - .servicenow-sir - .swimlane example: .none type: string Cases_create_case_request: description: The create case API request body varies depending on the type of connector. properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: $ref: '#/components/schemas/Cases_case_category' connector: oneOf: - $ref: '#/components/schemas/Cases_connector_properties_none' - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - $ref: '#/components/schemas/Cases_connector_properties_jira' - $ref: '#/components/schemas/Cases_connector_properties_resilient' - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - $ref: '#/components/schemas/Cases_connector_properties_swimlane' customFields: description: | Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. items: type: object properties: key: description: | The unique identifier for the custom field. The key value must exist in the case configuration settings. type: string type: description: | The custom field type. It must match the type specified in the case configuration settings. enum: - text - toggle type: string value: description: | The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. oneOf: - maxLength: 160 minLength: 1 nullable: true type: string - type: boolean required: - key - type - value maxItems: 10 minItems: 0 type: array description: $ref: '#/components/schemas/Cases_case_description' owner: $ref: '#/components/schemas/Cases_owner' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' tags: $ref: '#/components/schemas/Cases_case_tags' title: $ref: '#/components/schemas/Cases_case_title' required: - connector - description - owner - settings - tags - title title: Create case request type: object Cases_external_service: nullable: true type: object properties: connector_id: type: string connector_name: type: string external_id: type: string external_title: type: string external_url: type: string pushed_at: format: date-time type: string pushed_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string Cases_owner: description: | The application that owns the cases: Stack Management, Observability, or Elastic Security. enum: - cases - observability - securitySolution example: cases type: string Cases_owners: items: $ref: '#/components/schemas/Cases_owner' type: array Cases_payload_alert_comment: type: object properties: comment: type: object properties: alertId: oneOf: - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d type: string - items: type: string type: array index: oneOf: - example: .alerts-observability.logs.alerts-default type: string - items: type: string type: array owner: $ref: '#/components/schemas/Cases_owner' rule: type: object properties: id: description: The rule identifier. example: 94d80550-aaf4-11ec-985f-97e55adae8b9 type: string name: description: The rule name. example: security_rule type: string type: enum: - alert type: string Cases_payload_assignees: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' Cases_payload_connector: type: object properties: connector: type: object properties: fields: description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. example: null nullable: true type: object properties: caseId: description: The case identifier for Swimlane connectors. type: string category: description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. type: string destIp: description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. nullable: true type: boolean impact: description: The effect an incident had on business for ServiceNow ITSM connectors. type: string issueType: description: The type of issue for Jira connectors. type: string issueTypes: description: The type of incident for IBM Resilient connectors. items: type: string type: array malwareHash: description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. nullable: true type: boolean malwareUrl: description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. nullable: true type: boolean parent: description: The key of the parent issue, when the issue type is sub-task for Jira connectors. type: string priority: description: The priority of the issue for Jira and ServiceNow SecOps connectors. type: string severity: description: The severity of the incident for ServiceNow ITSM connectors. type: string severityCode: description: The severity code of the incident for IBM Resilient connectors. type: string sourceIp: description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. nullable: true type: boolean subcategory: description: The subcategory of the incident for ServiceNow ITSM connectors. type: string urgency: description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string id: description: The identifier for the connector. To create a case without a connector, use `none`. example: none type: string name: description: The name of the connector. To create a case without a connector, use `none`. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' Cases_payload_create_case: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' connector: type: object properties: fields: description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. example: null nullable: true type: object properties: caseId: description: The case identifier for Swimlane connectors. type: string category: description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. type: string destIp: description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. nullable: true type: boolean impact: description: The effect an incident had on business for ServiceNow ITSM connectors. type: string issueType: description: The type of issue for Jira connectors. type: string issueTypes: description: The type of incident for IBM Resilient connectors. items: type: string type: array malwareHash: description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. nullable: true type: boolean malwareUrl: description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. nullable: true type: boolean parent: description: The key of the parent issue, when the issue type is sub-task for Jira connectors. type: string priority: description: The priority of the issue for Jira and ServiceNow SecOps connectors. type: string severity: description: The severity of the incident for ServiceNow ITSM connectors. type: string severityCode: description: The severity code of the incident for IBM Resilient connectors. type: string sourceIp: description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. nullable: true type: boolean subcategory: description: The subcategory of the incident for ServiceNow ITSM connectors. type: string urgency: description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string id: description: The identifier for the connector. To create a case without a connector, use `none`. example: none type: string name: description: The name of the connector. To create a case without a connector, use `none`. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' description: type: string owner: $ref: '#/components/schemas/Cases_owner' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' status: $ref: '#/components/schemas/Cases_case_status' tags: items: example: - tag-1 type: string type: array title: type: string Cases_payload_delete: description: If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable. nullable: true type: object Cases_payload_description: type: object properties: description: type: string Cases_payload_pushed: type: object properties: externalService: $ref: '#/components/schemas/Cases_external_service' Cases_payload_settings: type: object properties: settings: $ref: '#/components/schemas/Cases_settings' Cases_payload_severity: type: object properties: severity: $ref: '#/components/schemas/Cases_case_severity' Cases_payload_status: type: object properties: status: $ref: '#/components/schemas/Cases_case_status' Cases_payload_tags: type: object properties: tags: example: - tag-1 items: type: string type: array Cases_payload_title: type: object properties: title: type: string Cases_payload_user_comment: type: object properties: comment: type: object properties: comment: type: string owner: $ref: '#/components/schemas/Cases_owner' type: enum: - user type: string Cases_rule: description: | The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. title: Alerting rule type: object properties: id: description: The rule identifier. example: 94d80550-aaf4-11ec-985f-97e55adae8b9 type: string name: description: The rule name. example: security_rule type: string x-state: Technical preview Cases_searchFieldsType: description: The fields to perform the `simple_query_string` parsed query against. enum: - description - title type: string Cases_searchFieldsTypeArray: items: $ref: '#/components/schemas/Cases_searchFieldsType' type: array Cases_set_case_configuration_request: description: External connection details, such as the closure type and default connector for cases. properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: description: An object that contains the connector configuration. type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' required: - fields - id - name - type customFields: description: Custom fields case configuration. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean required: - key - label - required - type maxItems: 10 minItems: 0 type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' required: - closure_type - connector - owner title: Set case configuration request type: object Cases_settings: description: An object that contains the case settings. type: object properties: syncAlerts: description: Turns alert syncing on or off. example: true type: boolean required: - syncAlerts Cases_string: type: string Cases_string_array: items: $ref: '#/components/schemas/Cases_string' maxItems: 100 type: array Cases_template_tags: description: | The words and phrases that help categorize templates. It can be an empty array. items: maxLength: 256 type: string maxItems: 200 type: array Cases_templates: items: type: object properties: caseFields: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: $ref: '#/components/schemas/Cases_case_category' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' customFields: description: Custom field values in the template. items: type: object properties: key: description: The unique key for the custom field. type: string type: description: The type of the custom field. enum: - text - toggle type: string value: description: | The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean type: array x-state: Technical preview description: $ref: '#/components/schemas/Cases_case_description' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' tags: $ref: '#/components/schemas/Cases_case_tags' title: $ref: '#/components/schemas/Cases_case_title' description: description: A description for the template. type: string key: description: | A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template. type: string name: description: The name of the template. type: string tags: $ref: '#/components/schemas/Cases_template_tags' type: array x-state: Technical preview Cases_update_alert_comment_request_properties: description: Defines properties for case comment requests when type is alert. type: object properties: alertId: $ref: '#/components/schemas/Cases_alert_identifiers' id: description: | The identifier for the comment. To retrieve comment IDs, use the get comments API. example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string index: $ref: '#/components/schemas/Cases_alert_indices' owner: $ref: '#/components/schemas/Cases_owner' rule: $ref: '#/components/schemas/Cases_rule' type: description: The type of comment. enum: - alert example: alert type: string version: description: | The current comment version. To retrieve version values, use the get comments API. example: Wzk1LDFd type: string required: - alertId - id - index - owner - rule - type - version title: Update case comment request properties for alerts Cases_update_case_comment_request: description: The update case comment API request body varies depending on whether you are updating an alert or a comment. discriminator: mapping: alert: '#/components/schemas/Cases_update_alert_comment_request_properties' user: '#/components/schemas/Cases_update_user_comment_request_properties' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' title: Update case comment request Cases_update_case_configuration_request: description: | You can update settings such as the closure type, custom fields, templates, and the default connector for cases. properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: description: An object that contains the connector configuration. type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' required: - fields - id - name - type customFields: description: Custom fields case configuration. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean required: - key - label - required - type type: array templates: $ref: '#/components/schemas/Cases_templates' version: description: | The version of the connector. To retrieve the version value, use the get configuration API. example: WzIwMiwxXQ== type: string required: - version title: Update case configuration request type: object Cases_update_case_request: description: The update case API request body varies depending on the type of connector. properties: cases: description: An array containing one or more case objects. items: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: $ref: '#/components/schemas/Cases_case_category' connector: oneOf: - $ref: '#/components/schemas/Cases_connector_properties_none' - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - $ref: '#/components/schemas/Cases_connector_properties_jira' - $ref: '#/components/schemas/Cases_connector_properties_resilient' - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - $ref: '#/components/schemas/Cases_connector_properties_swimlane' customFields: description: | Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. items: type: object properties: key: description: | The unique identifier for the custom field. The key value must exist in the case configuration settings. type: string type: description: | The custom field type. It must match the type specified in the case configuration settings. enum: - text - toggle type: string value: description: | The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. oneOf: - maxLength: 160 minLength: 1 nullable: true type: string - type: boolean required: - key - type - value maxItems: 10 minItems: 0 type: array description: $ref: '#/components/schemas/Cases_case_description' id: description: The identifier for the case. maxLength: 30000 type: string settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' status: $ref: '#/components/schemas/Cases_case_status' tags: $ref: '#/components/schemas/Cases_case_tags' title: $ref: '#/components/schemas/Cases_case_title' version: description: The current version of the case. To determine this value, use the get case or find cases APIs. type: string required: - id - version maxItems: 100 minItems: 1 type: array required: - cases title: Update case request type: object Cases_update_user_comment_request_properties: description: Defines properties for case comment requests when type is user. properties: comment: description: The new comment. It is required only when `type` is `user`. example: A new comment. maxLength: 30000 type: string id: description: | The identifier for the comment. To retrieve comment IDs, use the get comments API. example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string owner: $ref: '#/components/schemas/Cases_owner' type: description: The type of comment. enum: - user example: user type: string version: description: | The current comment version. To retrieve version values, use the get comments API. example: Wzk1LDFd type: string required: - comment - id - owner - type - version title: Update case comment request properties for user comments type: object Cases_user_actions_find_response_properties: type: object properties: action: $ref: '#/components/schemas/Cases_actions' comment_id: example: 578608d0-03b1-11ed-920c-974bfa104448 nullable: true type: string created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username id: example: 22fd3e30-03b1-11ed-920c-974bfa104448 type: string owner: $ref: '#/components/schemas/Cases_owner' payload: oneOf: - $ref: '#/components/schemas/Cases_payload_alert_comment' - $ref: '#/components/schemas/Cases_payload_assignees' - $ref: '#/components/schemas/Cases_payload_connector' - $ref: '#/components/schemas/Cases_payload_create_case' - $ref: '#/components/schemas/Cases_payload_delete' - $ref: '#/components/schemas/Cases_payload_description' - $ref: '#/components/schemas/Cases_payload_pushed' - $ref: '#/components/schemas/Cases_payload_settings' - $ref: '#/components/schemas/Cases_payload_severity' - $ref: '#/components/schemas/Cases_payload_status' - $ref: '#/components/schemas/Cases_payload_tags' - $ref: '#/components/schemas/Cases_payload_title' - $ref: '#/components/schemas/Cases_payload_user_comment' type: description: The type of action. enum: - assignees - create_case - comment - connector - description - pushed - tags - title - status - settings - severity example: create_case type: string version: example: WzM1ODg4LDFd type: string required: - action - comment_id - created_at - created_by - id - owner - payload - type - version Cases_user_comment_response_properties: title: Case response properties for user comments type: object properties: comment: example: A new comment. type: string created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: $ref: '#/components/schemas/Cases_case_response_created_by_properties' id: example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string owner: $ref: '#/components/schemas/Cases_owner' pushed_at: example: null format: date-time nullable: true type: string pushed_by: $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' type: enum: - user example: user type: string updated_at: example: null format: date-time nullable: true type: string updated_by: $ref: '#/components/schemas/Cases_case_response_updated_by_properties' version: example: WzIwNDMxLDFd type: string required: - type Data_views_400_response: title: Bad request type: object properties: error: example: Bad Request type: string message: type: string statusCode: example: 400 type: number required: - statusCode - error - message Data_views_404_response: type: object properties: error: enum: - Not Found example: Not Found type: string message: example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found type: string statusCode: enum: - 404 example: 404 type: integer Data_views_allownoindex: description: Allows the data view saved object to exist before the data is available. type: boolean Data_views_create_data_view_request_object: title: Create data view request type: object properties: data_view: description: The data view object. type: object properties: allowNoIndex: $ref: '#/components/schemas/Data_views_allownoindex' fieldAttrs: additionalProperties: $ref: '#/components/schemas/Data_views_fieldattrs' type: object fieldFormats: $ref: '#/components/schemas/Data_views_fieldformats' fields: type: object id: type: string name: description: The data view name. type: string namespaces: $ref: '#/components/schemas/Data_views_namespaces' runtimeFieldMap: additionalProperties: $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object sourceFilters: $ref: '#/components/schemas/Data_views_sourcefilters' timeFieldName: $ref: '#/components/schemas/Data_views_timefieldname' title: $ref: '#/components/schemas/Data_views_title' type: $ref: '#/components/schemas/Data_views_type' typeMeta: $ref: '#/components/schemas/Data_views_typemeta' version: type: string required: - title override: default: false description: Override an existing data view if a data view with the provided title already exists. type: boolean required: - data_view Data_views_data_view_response_object: title: Data view response properties type: object properties: data_view: type: object properties: allowNoIndex: $ref: '#/components/schemas/Data_views_allownoindex' fieldAttrs: additionalProperties: $ref: '#/components/schemas/Data_views_fieldattrs' type: object fieldFormats: $ref: '#/components/schemas/Data_views_fieldformats' fields: type: object id: example: ff959d40-b880-11e8-a6d9-e546fe2bba5f type: string name: description: The data view name. type: string namespaces: $ref: '#/components/schemas/Data_views_namespaces' runtimeFieldMap: additionalProperties: $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object sourceFilters: $ref: '#/components/schemas/Data_views_sourcefilters' timeFieldName: $ref: '#/components/schemas/Data_views_timefieldname' title: $ref: '#/components/schemas/Data_views_title' typeMeta: $ref: '#/components/schemas/Data_views_typemeta_response' version: example: WzQ2LDJd type: string Data_views_fieldattrs: description: A map of field attributes by field name. type: object properties: count: description: Popularity count for the field. type: integer customDescription: description: Custom description for the field. maxLength: 300 type: string customLabel: description: Custom label for the field. type: string Data_views_fieldformats: description: A map of field formats by field name. type: object Data_views_namespaces: description: An array of space identifiers for sharing the data view between multiple spaces. items: default: default type: string type: array Data_views_runtimefieldmap: description: A map of runtime field definitions by field name. type: object properties: script: type: object properties: source: description: Script for the runtime field. type: string type: description: Mapping type of the runtime field. type: string required: - script - type Data_views_sourcefilters: description: The array of field names you want to filter out in Discover. items: type: object properties: value: type: string required: - value type: array Data_views_swap_data_view_request_object: title: Data view reference swap request type: object properties: delete: description: Deletes referenced saved object if all references are removed. type: boolean forId: description: Limit the affected saved objects to one or more by identifier. oneOf: - type: string - items: type: string type: array forType: description: Limit the affected saved objects by type. type: string fromId: description: The saved object reference to change. type: string fromType: description: | Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views. type: string toId: description: New saved object reference value to replace the old value. type: string required: - fromId - toId Data_views_timefieldname: description: The timestamp field name, which you use for time-based data views. type: string Data_views_title: description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`). type: string Data_views_type: description: When set to `rollup`, identifies the rollup data views. type: string Data_views_typemeta: description: When you use rollup indices, contains the field list for the rollup data view API endpoints. type: object properties: aggs: description: A map of rollup restrictions by aggregation type and field name. type: object params: description: Properties for retrieving rollup fields. type: object required: - aggs - params Data_views_typemeta_response: description: When you use rollup indices, contains the field list for the rollup data view API endpoints. nullable: true type: object properties: aggs: description: A map of rollup restrictions by aggregation type and field name. type: object params: description: Properties for retrieving rollup fields. type: object Data_views_update_data_view_request_object: title: Update data view request type: object properties: data_view: description: | The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted. type: object properties: allowNoIndex: $ref: '#/components/schemas/Data_views_allownoindex' fieldFormats: $ref: '#/components/schemas/Data_views_fieldformats' fields: type: object name: type: string runtimeFieldMap: additionalProperties: $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object sourceFilters: $ref: '#/components/schemas/Data_views_sourcefilters' timeFieldName: $ref: '#/components/schemas/Data_views_timefieldname' title: $ref: '#/components/schemas/Data_views_title' type: $ref: '#/components/schemas/Data_views_type' typeMeta: $ref: '#/components/schemas/Data_views_typemeta' refresh_fields: default: false description: Reloads the data view fields after the data view is updated. type: boolean required: - data_view Kibana_HTTP_APIs_core_status_redactedResponse: additionalProperties: false description: A minimal representation of Kibana's operational status. type: object properties: status: additionalProperties: false type: object properties: overall: additionalProperties: false type: object properties: level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string required: - level required: - overall required: - status Kibana_HTTP_APIs_core_status_response: additionalProperties: false description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request. type: object properties: metrics: additionalProperties: false description: Metric groups collected by Kibana. type: object properties: collection_interval_in_millis: description: The interval at which metrics should be collected. type: number elasticsearch_client: additionalProperties: false description: Current network metrics of Kibana's Elasticsearch client. type: object properties: totalActiveSockets: description: Count of network sockets currently in use. type: number totalIdleSockets: description: Count of network sockets currently idle. type: number totalQueuedRequests: description: Count of requests not yet assigned to sockets. type: number required: - totalActiveSockets - totalIdleSockets - totalQueuedRequests last_updated: description: The time metrics were collected. type: string required: - elasticsearch_client - last_updated - collection_interval_in_millis name: description: Kibana instance name. type: string status: additionalProperties: false type: object properties: core: additionalProperties: false description: Statuses of core Kibana services. type: object properties: elasticsearch: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta savedObjects: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta required: - elasticsearch - savedObjects overall: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta plugins: additionalProperties: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta description: A dynamic mapping of plugin ID to plugin status. type: object required: - overall - core - plugins uuid: description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. type: string version: additionalProperties: false type: object properties: build_date: description: The date and time of this build. type: string build_flavor: description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. enum: - serverless - traditional type: string build_hash: description: A unique hash value representing the git commit of this Kibana build. type: string build_number: description: A monotonically increasing number, each subsequent build will have a higher number. type: number build_snapshot: description: Whether this build is a snapshot build. type: boolean number: description: A semantic version number. type: string required: - number - build_hash - build_number - build_snapshot - build_flavor - build_date required: - name - uuid - version - status - metrics Machine_learning_APIs_mlSync200Response: properties: datafeedsAdded: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API. type: object datafeedsRemoved: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API. type: object savedObjectsCreated: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated' savedObjectsDeleted: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted' title: Successful sync API response type: object Machine_learning_APIs_mlSync4xxResponse: properties: error: example: Unauthorized type: string message: type: string statusCode: example: 401 type: integer title: Unsuccessful sync API response type: object Machine_learning_APIs_mlSyncResponseAnomalyDetectors: description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for anomaly detection jobs type: object Machine_learning_APIs_mlSyncResponseDatafeeds: description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for datafeeds type: object Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for data frame analytics jobs type: object Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' description: If saved objects are missing for anomaly detection jobs, they are created. type: object data-frame-analytics: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' description: If saved objects are missing for data frame analytics jobs, they are created. type: object trained-model: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' description: If saved objects are missing for trained models, they are created. type: object title: Sync API response for created saved objects type: object Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted. type: object data-frame-analytics: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted. type: object trained-model: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' description: If there are saved objects exist for nonexistent trained models, they are deleted. type: object title: Sync API response for deleted saved objects type: object Machine_learning_APIs_mlSyncResponseSuccess: description: The success or failure of the synchronization. type: boolean Machine_learning_APIs_mlSyncResponseTrainedModels: description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for trained models type: object Saved_objects_400_response: title: Bad request type: object properties: error: enum: - Bad Request type: string message: type: string statusCode: enum: - 400 type: integer required: - error - message - statusCode Saved_objects_attributes: description: | The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed. type: object Saved_objects_initial_namespaces: description: | Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with `namespaceType: 'multiple'`), this option can be used to specify one or more spaces, including the "All spaces" identifier ('*'). For isolated object types (registered with `namespaceType: 'single'` or `namespaceType: 'multiple-isolated'`), this option can only be used to specify a single space, and the "All spaces" identifier ('*') is not allowed. For global object types (`registered with `namespaceType: agnostic`), this option cannot be used. type: array Saved_objects_references: description: | Objects with `name`, `id`, and `type` properties that describe the other saved objects that this object references. Use `name` in attributes to refer to the other saved object, but never the `id`, which can update automatically during migrations or import and export. type: array Security_AI_Assistant_API_AnonymizationFieldCreateProps: type: object properties: allowed: description: Whether this field is allowed to be sent to the model. example: true type: boolean anonymized: description: Whether this field should be anonymized. example: false type: boolean field: description: Name of the anonymization field to create. example: host.name type: string required: - field Security_AI_Assistant_API_AnonymizationFieldDetailsInError: type: object properties: id: description: The ID of the anonymization field. example: field12 type: string name: description: Name of the anonymization field. example: host.name type: string required: - id Security_AI_Assistant_API_AnonymizationFieldResponse: type: object properties: allowed: description: Whether this field is allowed to be sent to the model. example: true type: boolean anonymized: description: Whether this field should be anonymized. example: false type: boolean createdAt: description: Timestamp of when the anonymization field was created. example: '2023-10-31T12:00:00Z' type: string createdBy: description: Username of the person who created the anonymization field. example: user1 type: string field: description: Name of the anonymization field. example: url.domain type: string id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' description: The ID of the anonymization field. namespace: description: Kibana space in which this anonymization field exists. example: default type: string timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' description: Timestamp when the anonymization field was initially created. updatedAt: description: Timestamp of the last update. example: '2023-10-31T12:00:00Z' type: string updatedBy: description: Username of the person who last updated the field. example: user1 type: string required: - id - field Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: description: Reason why the anonymization field was not modified. enum: - ANONYMIZATION_FIELD_NOT_MODIFIED type: string Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: type: object properties: id: description: The ID of the anonymization field that was not modified. example: field4 type: string name: description: Name of the anonymization field that was not modified. example: user.name type: string skip_reason: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason' description: Reason why the anonymization field was not modified. required: - id - skip_reason Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: type: object properties: anonymization_fields_count: description: Total number of anonymization fields processed. example: 5 type: integer attributes: type: object properties: errors: description: List of errors that occurred during the bulk operation. items: $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError' type: array results: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults' summary: $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary message: description: Message providing information about the bulk action result. example: Bulk action completed successfully type: string status_code: description: HTTP status code returned. example: 200 type: integer success: description: Indicates if the bulk action was successful. example: true type: boolean required: - attributes Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: type: object properties: created: description: List of anonymization fields successfully created. items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array deleted: items: description: Array of IDs of anonymization fields that were deleted. example: field3 type: string type: array skipped: description: List of anonymization fields that were skipped during the operation. items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult' type: array updated: description: List of anonymization fields successfully updated. items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array required: - updated - created - deleted - skipped Security_AI_Assistant_API_AnonymizationFieldUpdateProps: type: object properties: allowed: description: Whether this field is allowed to be sent to the model. example: true type: boolean anonymized: description: Whether this field should be anonymized. example: false type: boolean id: description: The ID of the anonymization field to update. example: field8 type: string required: - id Security_AI_Assistant_API_ApiConfig: type: object properties: actionTypeId: description: Action type ID example: actionType456 type: string connectorId: description: Connector ID example: connector123 type: string defaultSystemPromptId: description: Default system prompt ID example: systemPrompt001 type: string model: description: Model example: gpt-4 type: string provider: $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' description: Provider example: OpenAI required: - connectorId - actionTypeId Security_AI_Assistant_API_BaseContentReference: description: The basis of a content reference type: object properties: id: description: Id of the content reference example: content123 type: string type: description: Type of the content reference example: SecurityAlert type: string required: - id - type Security_AI_Assistant_API_BulkCrudActionSummary: type: object properties: failed: description: The number of failed actions. example: 0 type: integer skipped: description: The number of skipped actions. example: 1 type: integer succeeded: description: The number of successfully performed actions. example: 10 type: integer total: description: The total number of actions attempted. example: 12 type: integer required: - failed - skipped - succeeded - total Security_AI_Assistant_API_ChatCompleteProps: description: The request payload for creating a chat completion. example: connectorId: conn-001 conversationId: abc123 isStream: true langSmithApiKey: sk-abc123 langSmithProject: security_ai_project messages: - content: How do I detect ransomware on my endpoints? data: device_id: device-567 fields_to_anonymize: - device.name - file.path role: user model: gpt-4 persist: true promptId: prompt_456 responseLanguage: en type: object properties: connectorId: description: Required connector identifier to route the request. example: conn-001 type: string conversationId: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' description: Existing conversation ID to continue. isStream: description: If true, the response will be streamed in chunks. example: true type: boolean langSmithApiKey: description: API key for LangSmith integration. example: sk-abc123 type: string langSmithProject: description: LangSmith project name for tracing. example: security_ai_project type: string messages: description: List of chat messages exchanged so far. items: $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' type: array model: description: Model ID or name to use for the response. example: gpt-4 type: string persist: description: Whether to persist the chat and response to storage. example: true type: boolean promptId: description: Prompt template identifier. example: prompt_001 type: string responseLanguage: description: ISO language code for the assistant's response. example: en type: string required: - messages - persist - connectorId Security_AI_Assistant_API_ChatMessage: description: A message exchanged within the AI chat conversation. type: object properties: content: description: The textual content of the message. example: What security incidents have been reported today? type: string data: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' description: Metadata to attach to the context of the message. fields_to_anonymize: description: List of field names within the data object that should be anonymized. example: - user.name - source.ip items: type: string type: array role: $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' description: The sender role of the message. required: - role Security_AI_Assistant_API_ChatMessageRole: description: The role associated with the message in the chat. enum: - system - user - assistant example: user type: string Security_AI_Assistant_API_ContentReferences: additionalProperties: oneOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference' - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference' - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference' - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference' - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference' - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference' additionalProperties: false description: A union of all content reference types type: object Security_AI_Assistant_API_ConversationCategory: description: The conversation category. enum: - assistant - insights example: assistant type: string Security_AI_Assistant_API_ConversationConfidence: description: The conversation confidence. enum: - low - medium - high example: high type: string Security_AI_Assistant_API_ConversationCreateProps: type: object properties: apiConfig: $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' description: LLM API configuration. category: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' description: The conversation category. example: assistant excludeFromLastConversationStorage: description: Exclude from last conversation storage. type: boolean id: description: The conversation id. example: conversation123 type: string messages: description: The conversation messages. items: $ref: '#/components/schemas/Security_AI_Assistant_API_Message' type: array replacements: $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' title: description: The conversation title. example: Security AI Assistant Setup type: string required: - title Security_AI_Assistant_API_ConversationResponse: type: object properties: apiConfig: $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' description: LLM API configuration. category: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' description: The conversation category. example: assistant createdAt: description: The time conversation was created. example: '2025-04-30T14:00:00Z' type: string excludeFromLastConversationStorage: description: Exclude from last conversation storage. type: boolean id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' messages: description: The conversation messages. items: $ref: '#/components/schemas/Security_AI_Assistant_API_Message' type: array namespace: description: Kibana space example: default type: string replacements: $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' summary: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' title: description: The conversation title. example: Security AI Assistant Setup type: string updatedAt: description: The last time conversation was updated. example: '2025-04-30T16:30:00Z' type: string users: items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - title - createdAt - users - namespace - category Security_AI_Assistant_API_ConversationSummary: type: object properties: confidence: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationConfidence' description: How confident you are about this being a correct and useful learning. example: high content: description: Summary text of the conversation over time. example: This conversation covered how to configure the Security AI Assistant. type: string public: description: Define if summary is marked as publicly available. example: true type: boolean timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' description: The timestamp summary was updated. example: '2025-04-30T16:00:00Z' Security_AI_Assistant_API_ConversationUpdateProps: type: object properties: apiConfig: $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' description: LLM API configuration. category: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' description: The conversation category. example: assistant excludeFromLastConversationStorage: description: Exclude from last conversation storage. type: boolean id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' messages: description: The conversation messages. items: $ref: '#/components/schemas/Security_AI_Assistant_API_Message' type: array replacements: $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' summary: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' title: description: The conversation title. example: Updated Security AI Assistant Setup type: string required: - id Security_AI_Assistant_API_DeleteResponseFields: type: object properties: id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' required: - id Security_AI_Assistant_API_DocumentEntry: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false. example: false type: boolean name: description: Name of the Knowledge Base Entry. example: Example Entry type: string namespace: description: Kibana Space, defaults to 'default' space. example: default type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - namespace - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields' Security_AI_Assistant_API_DocumentEntryCreateFields: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false. example: false type: boolean name: description: Name of the Knowledge Base Entry. example: Example Entry type: string namespace: description: Kibana Space, defaults to 'default' space. example: default type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryOptionalFields: type: object properties: required: description: Whether this resource should always be included, defaults to false. example: false type: boolean vector: $ref: '#/components/schemas/Security_AI_Assistant_API_Vector' Security_AI_Assistant_API_DocumentEntryRequiredFields: type: object properties: kbResource: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResource' source: description: Source document name or filepath. example: /documents/example.txt type: string text: description: Knowledge Base Entry content. example: This is the content of the document. type: string type: description: Entry type. enum: - document example: document type: string required: - type - kbResource - source - text Security_AI_Assistant_API_DocumentEntryResponseFields: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryUpdateFields: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false. example: false type: boolean id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' name: description: Name of the Knowledge Base Entry. example: Example Entry type: string namespace: description: Kibana Space, defaults to 'default' space. example: default type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' Security_AI_Assistant_API_EsqlContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: label: description: Label of the query example: High Severity Alerts type: string query: description: An ESQL query example: SELECT * FROM alerts WHERE severity = "high" type: string timerange: description: Time range to select in the time picker. type: object properties: from: example: '2025-04-01T00:00:00Z' type: string to: example: '2025-04-30T23:59:59Z' type: string required: - from - to type: enum: - EsqlQuery example: EsqlQuery type: string required: - type - query - label description: References an ESQL query Security_AI_Assistant_API_FindAnonymizationFieldsSortField: enum: - created_at - anonymized - allowed - field - updated_at type: string Security_AI_Assistant_API_FindConversationsSortField: description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`. enum: - created_at - title - updated_at example: created_at type: string Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField: description: Fields available for sorting Knowledge Base Entries. enum: - created_at - is_default - title - updated_at example: title type: string Security_AI_Assistant_API_FindPromptsSortField: description: Field by which to sort the prompts. enum: - created_at - is_default - name - updated_at example: created_at type: string Security_AI_Assistant_API_HrefContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: href: description: URL to the external resource type: string label: description: Label of the query type: string type: enum: - Href type: string required: - type - href description: References an external URL Security_AI_Assistant_API_IndexEntry: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false. example: false type: boolean name: description: Name of the Knowledge Base Entry. example: Example Entry type: string namespace: description: Kibana Space, defaults to 'default' space. example: default type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - namespace - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields' Security_AI_Assistant_API_IndexEntryCreateFields: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false. example: false type: boolean name: description: Name of the Knowledge Base Entry. example: Example Entry type: string namespace: description: Kibana Space, defaults to 'default' space. example: default type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryOptionalFields: type: object properties: inputSchema: $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' outputFields: description: Fields to extract from the query result, defaults to all fields if not provided or empty. example: - title - author items: type: string type: array Security_AI_Assistant_API_IndexEntryRequiredFields: type: object properties: description: description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description. example: Query this index for general knowledge base content. type: string field: description: Field to query for Knowledge Base content. example: content type: string index: description: Index or Data Stream to query for Knowledge Base content. example: knowledge_base_index type: string queryDescription: description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema. example: Search for documents containing the specified keywords. type: string type: description: Entry type. enum: - index example: index type: string required: - type - index - field - description - queryDescription Security_AI_Assistant_API_IndexEntryResponseFields: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryUpdateFields: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false. example: false type: boolean id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' name: description: Name of the Knowledge Base Entry. example: Example Entry type: string namespace: description: Kibana Space, defaults to 'default' space. example: default type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' Security_AI_Assistant_API_InputSchema: description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval. items: type: object properties: description: description: Description of the field. example: The title of the document. type: string fieldName: description: Name of the field. example: title type: string fieldType: description: Type of the field. example: string type: string required: - fieldName - fieldType - description type: array Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason: description: Reason why a Knowledge Base Entry was skipped during the bulk action. enum: - KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED type: string Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult: type: object properties: id: description: ID of the skipped Knowledge Base Entry. example: '123' type: string name: description: Name of the skipped Knowledge Base Entry. example: Skipped Entry type: string skip_reason: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason' required: - id - skip_reason Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse: type: object properties: attributes: type: object properties: errors: description: List of errors encountered during the bulk action. example: - err_code: UPDATE_FAILED knowledgeBaseEntries: - id: '456' name: Error Entry message: Failed to update entry. statusCode: 400 items: $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError' type: array results: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults' summary: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary' required: - results - summary knowledgeBaseEntriesCount: description: Total number of Knowledge Base Entries processed. example: 8 type: integer message: description: Message describing the result of the bulk action. example: Bulk action completed successfully. type: string statusCode: description: HTTP status code of the response. example: 200 type: integer success: description: Indicates whether the bulk action was successful. example: true type: boolean required: - attributes Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults: type: object properties: created: description: List of Knowledge Base Entries that were successfully created. example: - content: This is the content of the new entry. id: '456' title: New Entry items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array deleted: description: List of IDs of Knowledge Base Entries that were successfully deleted. example: - '789' items: type: string type: array skipped: description: List of Knowledge Base Entries that were skipped during the bulk action. example: - id: '123' name: Skipped Entry skip_reason: KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult' type: array updated: description: List of Knowledge Base Entries that were successfully updated. example: - content: Updated content. id: '123' title: Updated Entry items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array required: - updated - created - deleted - skipped Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary: type: object properties: failed: description: Number of Knowledge Base Entries that failed during the bulk action. example: 2 type: integer skipped: description: Number of Knowledge Base Entries that were skipped during the bulk action. example: 1 type: integer succeeded: description: Number of Knowledge Base Entries that were successfully processed during the bulk action. example: 5 type: integer total: description: Total number of Knowledge Base Entries involved in the bulk action. example: 8 type: integer required: - failed - skipped - succeeded - total Security_AI_Assistant_API_KnowledgeBaseEntryContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: knowledgeBaseEntryId: description: Id of the Knowledge Base Entry example: kbentry456 type: string knowledgeBaseEntryName: description: Name of the knowledge base entry example: Network Security Best Practices type: string type: enum: - KnowledgeBaseEntry example: KnowledgeBaseEntry type: string required: - type - knowledgeBaseEntryId - knowledgeBaseEntryName description: References a knowledge base entry Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps: anyOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError: type: object properties: id: description: ID of the Knowledge Base Entry that encountered an error. example: '456' type: string name: description: Name of the Knowledge Base Entry that encountered an error. example: Error Entry type: string required: - id Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema: additionalProperties: false type: object properties: error: description: Error type or category. example: Not Found type: string message: description: Detailed error message. example: The requested Knowledge Base Entry was not found. type: string statusCode: description: HTTP status code of the error. example: 404 type: number required: - statusCode - error - message Security_AI_Assistant_API_KnowledgeBaseEntryResponse: anyOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntry' discriminator: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps: anyOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' discriminator: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps: anyOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: propertyName: type Security_AI_Assistant_API_KnowledgeBaseResource: description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc. enum: - security_labs - user example: security_labs type: string Security_AI_Assistant_API_KnowledgeBaseResponse: description: AI assistant KnowledgeBase. type: object properties: success: description: Identify the success of the method execution. example: true type: boolean Security_AI_Assistant_API_Message: description: AI assistant conversation message. type: object properties: content: description: Message content. example: Hello, how can I assist you today? type: string isError: description: Is error message. example: false type: boolean metadata: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageMetadata' description: Metadata reader: $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' description: Message content. role: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' description: Message role. example: assistant timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' description: The timestamp message was sent or received. example: '2025-04-30T15:30:00Z' traceData: $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' description: Trace data required: - timestamp - content - role Security_AI_Assistant_API_MessageData: additionalProperties: true description: ECS-style metadata attached to the message. example: alert_id: alert-456 user_id: abc123 type: object Security_AI_Assistant_API_MessageMetadata: description: Message metadata type: object properties: contentReferences: $ref: '#/components/schemas/Security_AI_Assistant_API_ContentReferences' description: Data referred to by the message content. Security_AI_Assistant_API_MessageRole: description: Message role. enum: - system - user - assistant example: assistant type: string Security_AI_Assistant_API_NonEmptyString: description: A string that does not contain only whitespace characters. example: I am a string format: nonempty minLength: 1 type: string Security_AI_Assistant_API_NonEmptyTimestamp: description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters. example: '2023-10-31T12:00:00Z' format: nonempty minLength: 1 type: string Security_AI_Assistant_API_NormalizedAnonymizationFieldError: type: object properties: anonymization_fields: description: Array of anonymization fields that caused the error. items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError' type: array err_code: description: Error code indicating the type of failure. example: UPDATE_FAILED type: string message: description: Error message. example: Failed to update anonymization field. type: string status_code: description: Status code of the response. example: 400 type: integer required: - message - status_code - anonymization_fields Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError: type: object properties: err_code: description: Specific error code for the issue. example: UPDATE_FAILED type: string knowledgeBaseEntries: description: List of Knowledge Base Entries that encountered the error. items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError' type: array message: description: Error message describing the issue. example: Failed to update entry. type: string statusCode: description: HTTP status code associated with the error. example: 400 type: integer required: - message - statusCode - knowledgeBaseEntries Security_AI_Assistant_API_NormalizedPromptError: type: object properties: err_code: description: A code representing the error type. type: string message: description: A message describing the error encountered. type: string prompts: description: List of prompts that encountered errors. items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError' type: array status_code: description: The HTTP status code associated with the error. type: integer required: - message - status_code - prompts Security_AI_Assistant_API_ProductDocumentationContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: title: description: Title of the documentation example: Getting Started with Security AI Assistant type: string type: enum: - ProductDocumentation example: ProductDocumentation type: string url: description: URL to the documentation example: https://docs.example.com/security-ai-assistant type: string required: - type - title - url description: References the product documentation Security_AI_Assistant_API_PromptCreateProps: type: object properties: categories: description: List of categories for the prompt. example: - security - verification items: type: string type: array color: description: The color associated with the prompt. example: blue type: string consumer: description: The consumer associated with the prompt. example: admin type: string content: description: The content of the prompt. example: Please verify the security settings. type: string isDefault: description: Whether this prompt should be the default. example: false type: boolean isNewConversationDefault: description: Whether this prompt should be the default for new conversations. example: true type: boolean name: description: The name of the prompt. example: New Security Prompt type: string promptType: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' description: The type of the prompt. example: system required: - name - content - promptType Security_AI_Assistant_API_PromptDetailsInError: type: object properties: id: description: The ID of the prompt that encountered an error. type: string name: description: The name of the prompt that encountered an error. type: string required: - id Security_AI_Assistant_API_PromptResponse: type: object properties: categories: description: Categories associated with the prompt. items: type: string type: array color: description: The color associated with the prompt. type: string consumer: description: The consumer that the prompt is associated with. type: string content: description: The content of the prompt. type: string createdAt: description: The timestamp of when the prompt was created. type: string createdBy: description: The user who created the prompt. type: string id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' isDefault: description: Whether this prompt is the default. type: boolean isNewConversationDefault: description: Whether this prompt is the default for new conversations. type: boolean name: description: The name of the prompt. type: string namespace: description: Kibana space where the prompt is located. type: string promptType: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' description: The type of the prompt. timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp' updatedAt: description: The timestamp of when the prompt was last updated. type: string updatedBy: description: The user who last updated the prompt. type: string users: description: List of users associated with the prompt. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - name - promptType - content Security_AI_Assistant_API_PromptsBulkActionSkipReason: description: Reason why a prompt was skipped during the bulk action. enum: - PROMPT_FIELD_NOT_MODIFIED type: string Security_AI_Assistant_API_PromptsBulkActionSkipResult: type: object properties: id: description: The ID of the prompt that was skipped. type: string name: description: The name of the prompt that was skipped. type: string skip_reason: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason' description: The reason for skipping the prompt. required: - id - skip_reason Security_AI_Assistant_API_PromptsBulkCrudActionResponse: type: object properties: attributes: type: object properties: errors: items: $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError' type: array results: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults' summary: $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary message: description: A message describing the result of the bulk action. example: Bulk action completed successfully. type: string prompts_count: description: The number of prompts processed in the bulk action. example: 6 type: integer status_code: description: The HTTP status code of the response. example: 200 type: integer success: description: Indicates if the bulk action was successful. example: true type: boolean required: - attributes Security_AI_Assistant_API_PromptsBulkCrudActionResults: type: object properties: created: description: List of prompts that were created. items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array deleted: description: List of IDs of prompts that were deleted. items: type: string type: array skipped: description: List of prompts that were skipped. items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult' type: array updated: description: List of prompts that were updated. items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array required: - updated - created - deleted - skipped Security_AI_Assistant_API_PromptType: description: Type of the prompt (either system or quick). enum: - system - quick type: string Security_AI_Assistant_API_PromptUpdateProps: type: object properties: categories: description: The updated categories for the prompt. example: - security - alert items: type: string type: array color: description: The updated color associated with the prompt. example: green type: string consumer: description: The updated consumer for the prompt. example: user123 type: string content: description: The updated content for the prompt. example: Updated content for security prompt. type: string id: description: The ID of the prompt to update. example: prompt123 type: string isDefault: description: Whether this prompt should be the default. example: true type: boolean isNewConversationDefault: description: Whether the prompt should be the default for new conversations. example: false type: boolean required: - id Security_AI_Assistant_API_Provider: description: Provider enum: - OpenAI - Azure OpenAI - Other example: OpenAI type: string Security_AI_Assistant_API_Reader: additionalProperties: true type: object Security_AI_Assistant_API_Replacements: additionalProperties: type: string description: Replacements object used to anonymize/deanonymize messages type: object Security_AI_Assistant_API_ResponseFields: type: object properties: createdAt: description: Time the Knowledge Base Entry was created. example: '2023-01-01T12:00:00Z' type: string createdBy: description: User who created the Knowledge Base Entry. example: admin type: string id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' updatedAt: description: Time the Knowledge Base Entry was last updated. example: '2023-01-02T12:00:00Z' type: string updatedBy: description: User who last updated the Knowledge Base Entry. example: editor type: string required: - id - createdAt - createdBy - updatedAt - updatedBy Security_AI_Assistant_API_SecurityAlertContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: alertId: description: ID of the Alert example: alert789 type: string type: enum: - SecurityAlert example: SecurityAlert type: string required: - type - alertId description: References a security alert Security_AI_Assistant_API_SecurityAlertsPageContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: type: enum: - SecurityAlertsPage example: SecurityAlertsPage type: string required: - type description: References the security alerts page Security_AI_Assistant_API_SortOrder: description: The order in which results are sorted. enum: - asc - desc example: asc type: string Security_AI_Assistant_API_TraceData: description: Trace Data type: object properties: traceId: description: Could be any string, not necessarily a UUID example: d9876543-f0a1-2345-6789-abcdef123456 type: string transactionId: description: Could be any string, not necessarily a UUID example: a1234567-bc89-0def-1234-56789abcdef0 type: string Security_AI_Assistant_API_User: description: Could be any string, not necessarily a UUID. type: object properties: id: description: User id. example: user123 type: string name: description: User name. example: John Doe type: string Security_AI_Assistant_API_Vector: description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings. type: object properties: modelId: description: ID of the model used to create the embeddings. example: bert-base-uncased type: string tokens: additionalProperties: type: number description: Tokens with their corresponding values. example: token1: 0.123 token2: 0.456 type: object required: - modelId - tokens Security_Detections_API_AlertAssignees: type: object properties: add: items: description: A list of users ids to assign. format: nonempty minLength: 1 type: string type: array remove: items: description: A list of users ids to unassign. format: nonempty minLength: 1 type: string type: array required: - add - remove Security_Detections_API_AlertIds: description: A list of alerts `id`s. items: format: nonempty minLength: 1 type: string minItems: 1 type: array Security_Detections_API_AlertsIndex: deprecated: true description: (deprecated) Has no effect. type: string Security_Detections_API_AlertsIndexMigrationError: type: object properties: error: type: object properties: message: type: string status_code: type: string required: - message - status_code index: type: string required: - index - error Security_Detections_API_AlertsIndexMigrationSuccess: type: object properties: index: type: string migration_id: type: string migration_index: type: string required: - index - migration_id - migration_index Security_Detections_API_AlertsIndexNamespace: description: Has no effect. type: string Security_Detections_API_AlertsReindexOptions: type: object properties: requests_per_second: description: The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API. minimum: 1 type: integer size: description: Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API. minimum: 1 type: integer slices: description: The number of subtasks for the migration task. Corresponds to slices on the Reindex API. minimum: 1 type: integer Security_Detections_API_AlertsSort: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - items: $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' type: array Security_Detections_API_AlertsSortCombinations: anyOf: - type: string - additionalProperties: true type: object Security_Detections_API_AlertStatus: description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`. enum: - open - closed - acknowledged - in-progress type: string Security_Detections_API_AlertSuppression: description: Defines alert suppression configuration. type: object properties: duration: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' group_by: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' missing_fields_strategy: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy' required: - group_by Security_Detections_API_AlertSuppressionDuration: type: object properties: unit: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit' value: minimum: 1 type: integer required: - value - unit Security_Detections_API_AlertSuppressionDurationUnit: description: Time unit enum: - s - m - h type: string Security_Detections_API_AlertSuppressionGroupBy: items: type: string maxItems: 3 minItems: 1 type: array Security_Detections_API_AlertSuppressionMissingFieldsStrategy: description: |- Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket enum: - doNotSuppress - suppress type: string Security_Detections_API_AlertTag: description: Use alert tags to organize related alerts into categories that you can filter and group. format: nonempty minLength: 1 type: string Security_Detections_API_AlertTags: description: List of keywords to organize related alerts into categories that you can filter and group. items: $ref: '#/components/schemas/Security_Detections_API_AlertTag' type: array Security_Detections_API_AlertVersion: type: object properties: count: type: integer version: type: integer required: - version - count Security_Detections_API_AnomalyThreshold: description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. minimum: 0 type: integer Security_Detections_API_BuildingBlockType: description: | Determines if the rule acts as a building block. If yes, the value must be `default`. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to [About building block rules](https://www.elastic.co/guide/en/security/current/building-block-rule.html). type: string Security_Detections_API_BulkActionEditPayload: anyOf: - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression' Security_Detections_API_BulkActionEditPayloadAlertSuppression: anyOf: - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression' Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression: type: object properties: type: enum: - delete_alert_suppression type: string required: - type Security_Detections_API_BulkActionEditPayloadIndexPatterns: description: | Edits index patterns of rulesClient. - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. type: object properties: overwrite_data_views: description: Resets the data view for the rule. type: boolean type: enum: - add_index_patterns - delete_index_patterns - set_index_patterns type: string value: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' required: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: description: | Edits investigation fields of rules. - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. type: object properties: type: enum: - add_investigation_fields - delete_investigation_fields - set_investigation_fields type: string value: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' required: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: description: | Edits rule actions of rules. - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. type: object properties: type: enum: - add_rule_actions - set_rule_actions type: string value: type: object properties: actions: items: $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction' type: array throttle: $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions' required: - actions required: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: description: | Overwrites schedule of rules. - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" type: object properties: type: enum: - set_schedule type: string value: type: object properties: interval: description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. example: 1h pattern: ^[1-9]\d*[smh]$ type: string lookback: description: | Lookback time for the rules. Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string required: - interval - lookback required: - type - value Security_Detections_API_BulkActionEditPayloadSetAlertSuppression: type: object properties: type: enum: - set_alert_suppression type: string value: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' required: - type - value Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold: type: object properties: type: enum: - set_alert_suppression_for_threshold type: string value: $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' required: - type - value Security_Detections_API_BulkActionEditPayloadTags: description: | Edits tags of rules. - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. type: object properties: type: enum: - add_tags - delete_tags - set_tags type: string value: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' required: - type - value Security_Detections_API_BulkActionEditPayloadTimeline: description: | Edits timeline of rules. - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made. type: object properties: type: enum: - set_timeline type: string value: type: object properties: timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' required: - timeline_id - timeline_title required: - type - value Security_Detections_API_BulkActionsDryRunErrCode: enum: - IMMUTABLE - PREBUILT_CUSTOMIZATION_LICENSE - MACHINE_LEARNING_AUTH - MACHINE_LEARNING_INDEX_PATTERN - ESQL_INDEX_PATTERN - MANUAL_RULE_RUN_FEATURE - MANUAL_RULE_RUN_DISABLED_RULE - THRESHOLD_RULE_TYPE_IN_SUPPRESSION - UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD - RULE_FILL_GAPS_DISABLED_RULE type: string Security_Detections_API_BulkActionSkipResult: type: object properties: id: type: string name: type: string skip_reason: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason' required: - id - skip_reason Security_Detections_API_BulkDeleteRules: type: object properties: action: enum: - delete type: string gaps_range_end: description: Gaps range end, valid only when query is provided type: string gaps_range_start: description: Gaps range start, valid only when query is provided type: string ids: description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined. items: type: string minItems: 1 type: array query: description: Query to filter rules. type: string required: - action Security_Detections_API_BulkDisableRules: type: object properties: action: enum: - disable type: string gaps_range_end: description: Gaps range end, valid only when query is provided type: string gaps_range_start: description: Gaps range start, valid only when query is provided type: string ids: description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined. items: type: string minItems: 1 type: array query: description: Query to filter rules. type: string required: - action Security_Detections_API_BulkDuplicateRules: type: object properties: action: enum: - duplicate type: string duplicate: description: Duplicate object that describes applying an update action. type: object properties: include_exceptions: description: Whether to copy exceptions from the original rule type: boolean include_expired_exceptions: description: Whether to copy expired exceptions from the original rule type: boolean required: - include_exceptions - include_expired_exceptions gaps_range_end: description: Gaps range end, valid only when query is provided type: string gaps_range_start: description: Gaps range start, valid only when query is provided type: string ids: description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined. items: type: string minItems: 1 type: array query: description: Query to filter rules. type: string required: - action Security_Detections_API_BulkEditActionResponse: type: object properties: attributes: type: object properties: errors: items: $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError' type: array results: $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults' summary: $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary' required: - results - summary message: type: string rules_count: type: integer status_code: type: integer success: type: boolean required: - attributes Security_Detections_API_BulkEditActionResults: type: object properties: created: items: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' type: array deleted: items: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' type: array skipped: items: $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult' type: array updated: items: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' type: array required: - updated - created - deleted - skipped Security_Detections_API_BulkEditActionSummary: description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`. type: object properties: failed: type: integer skipped: type: integer succeeded: type: integer total: type: integer required: - failed - skipped - succeeded - total Security_Detections_API_BulkEditRules: type: object properties: action: enum: - edit type: string edit: description: Array of objects containing the edit operations items: $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload' minItems: 1 type: array gaps_range_end: description: Gaps range end, valid only when query is provided type: string gaps_range_start: description: Gaps range start, valid only when query is provided type: string ids: description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined. items: type: string minItems: 1 type: array query: description: Query to filter rules. type: string required: - action - edit Security_Detections_API_BulkEditSkipReason: enum: - RULE_NOT_MODIFIED type: string Security_Detections_API_BulkEnableRules: type: object properties: action: enum: - enable type: string gaps_range_end: description: Gaps range end, valid only when query is provided type: string gaps_range_start: description: Gaps range start, valid only when query is provided type: string ids: description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined. items: type: string minItems: 1 type: array query: description: Query to filter rules. type: string required: - action Security_Detections_API_BulkExportActionResponse: type: string Security_Detections_API_BulkExportRules: type: object properties: action: enum: - export type: string gaps_range_end: description: Gaps range end, valid only when query is provided type: string gaps_range_start: description: Gaps range start, valid only when query is provided type: string ids: description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined. items: type: string minItems: 1 type: array query: description: Query to filter rules. type: string required: - action Security_Detections_API_BulkGapsFillingSkipReason: enum: - NO_GAPS_TO_FILL type: string Security_Detections_API_BulkManualRuleFillGaps: type: object properties: action: enum: - fill_gaps type: string fill_gaps: description: Object that describes applying a manual gap fill action for the specified time range. type: object properties: end_date: description: End date of the manual gap fill type: string start_date: description: Start date of the manual gap fill type: string required: - start_date - end_date gaps_range_end: description: Gaps range end, valid only when query is provided type: string gaps_range_start: description: Gaps range start, valid only when query is provided type: string ids: description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined. items: type: string minItems: 1 type: array query: description: Query to filter rules. type: string required: - action - fill_gaps Security_Detections_API_BulkManualRuleRun: type: object properties: action: enum: - run type: string gaps_range_end: description: Gaps range end, valid only when query is provided type: string gaps_range_start: description: Gaps range start, valid only when query is provided type: string ids: description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined. items: type: string minItems: 1 type: array query: description: Query to filter rules. type: string run: description: Object that describes applying a manual rule run action. type: object properties: end_date: description: End date of the manual rule run type: string start_date: description: Start date of the manual rule run type: string required: - start_date - end_date required: - action - run Security_Detections_API_ConcurrentSearches: minimum: 1 type: integer Security_Detections_API_DataViewId: type: string Security_Detections_API_DefaultParams: type: object properties: command: enum: - isolate type: string comment: type: string required: - command Security_Detections_API_EcsMapping: additionalProperties: type: object properties: field: type: string value: oneOf: - type: string - items: type: string type: array description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}' type: object Security_Detections_API_EndpointResponseAction: type: object properties: action_type_id: enum: - .endpoint type: string params: oneOf: - $ref: '#/components/schemas/Security_Detections_API_DefaultParams' - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams' required: - action_type_id - params Security_Detections_API_EqlOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' event_category_override: $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' tiebreaker_field: $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' timestamp_field: $ref: '#/components/schemas/Security_Detections_API_TimestampField' Security_Detections_API_EqlQueryLanguage: enum: - eql type: string Security_Detections_API_EqlRequiredFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' description: Query language to use query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - eql type: string required: - type - query - language Security_Detections_API_EqlRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields' Security_Detections_API_EqlRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' Security_Detections_API_EqlRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' Security_Detections_API_EqlRulePatchFields: allOf: - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' description: Query language to use query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - eql type: string - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' Security_Detections_API_EqlRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields' Security_Detections_API_EqlRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' Security_Detections_API_EqlRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' Security_Detections_API_ErrorSchema: additionalProperties: false type: object properties: error: type: object properties: message: type: string status_code: minimum: 400 type: integer required: - status_code - message id: type: string item_id: minLength: 1 type: string list_id: minLength: 1 type: string rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' required: - error Security_Detections_API_EsqlQueryLanguage: enum: - esql type: string Security_Detections_API_EsqlRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields' Security_Detections_API_EsqlRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' Security_Detections_API_EsqlRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' Security_Detections_API_EsqlRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' Security_Detections_API_EsqlRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' language: $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' type: description: Rule type enum: - esql type: string version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' Security_Detections_API_EsqlRuleRequiredFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - esql type: string required: - type - language - query Security_Detections_API_EsqlRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' Security_Detections_API_EsqlRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' Security_Detections_API_EventCategoryOverride: type: string Security_Detections_API_ExceptionListType: description: The exception type enum: - detection - rule_default - endpoint - endpoint_trusted_apps - endpoint_events - endpoint_host_isolation_exceptions - endpoint_blocklists type: string Security_Detections_API_ExternalRuleSource: description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. type: object properties: is_customized: $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized' type: enum: - external type: string required: - type - is_customized Security_Detections_API_FindRulesSortField: enum: - created_at - createdAt - enabled - execution_summary.last_execution.date - execution_summary.last_execution.metrics.execution_gap_duration_s - execution_summary.last_execution.metrics.total_indexing_duration_ms - execution_summary.last_execution.metrics.total_search_duration_ms - execution_summary.last_execution.status - name - risk_score - riskScore - severity - updated_at - updatedAt type: string Security_Detections_API_HistoryWindowStart: description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time. format: nonempty minLength: 1 type: string Security_Detections_API_IndexMigrationStatus: type: object properties: index: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' is_outdated: type: boolean migrations: items: $ref: '#/components/schemas/Security_Detections_API_MigrationStatus' type: array signal_versions: items: $ref: '#/components/schemas/Security_Detections_API_AlertVersion' type: array version: type: integer required: - index - version - signal_versions - migrations - is_outdated Security_Detections_API_IndexPatternArray: description: | Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). > info > This field is not supported for ES|QL rules. items: type: string type: array Security_Detections_API_InternalRuleSource: description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps. type: object properties: type: enum: - internal type: string required: - type Security_Detections_API_InvestigationFields: description: | Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. type: object properties: field_names: items: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' minItems: 1 type: array required: - field_names Security_Detections_API_InvestigationGuide: description: Notes to help investigate alerts produced by the rule. type: string Security_Detections_API_IsExternalRuleCustomized: description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value). type: boolean Security_Detections_API_IsRuleEnabled: description: Determines whether the rule is enabled. Defaults to true. type: boolean Security_Detections_API_IsRuleImmutable: deprecated: true description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. type: boolean Security_Detections_API_ItemsPerSearch: minimum: 1 type: integer Security_Detections_API_KqlQueryLanguage: enum: - kuery - lucene type: string Security_Detections_API_MachineLearningJobId: description: Machine learning job ID(s) the rule monitors for anomaly scores. oneOf: - type: string - items: type: string minItems: 1 type: array Security_Detections_API_MachineLearningRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields' Security_Detections_API_MachineLearningRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' Security_Detections_API_MachineLearningRulePatchFields: allOf: - type: object properties: anomaly_threshold: $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' machine_learning_job_id: $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - machine_learning type: string - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields' Security_Detections_API_MachineLearningRuleRequiredFields: type: object properties: anomaly_threshold: $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' machine_learning_job_id: $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - machine_learning type: string required: - type - machine_learning_job_id - anomaly_threshold Security_Detections_API_MachineLearningRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MaxSignals: default: 100 description: | Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#rule-ui-advanced-params) value). > info > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/guide/en/kibana/current/alert-action-settings-kb.html#alert-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. minimum: 1 type: integer Security_Detections_API_MigrationCleanupResult: type: object properties: destinationIndex: type: string error: type: object properties: message: type: string status_code: type: integer required: - message - status_code id: type: string sourceIndex: type: string status: enum: - success - failure - pending type: string updated: format: date-time type: string version: type: string required: - id - destinationIndex - status - sourceIndex - version - updated Security_Detections_API_MigrationFinalizationResult: type: object properties: completed: type: boolean destinationIndex: type: string error: type: object properties: message: type: string status_code: type: integer required: - message - status_code id: type: string sourceIndex: type: string status: enum: - success - failure - pending type: string updated: format: date-time type: string version: type: string required: - id - completed - destinationIndex - status - sourceIndex - version - updated Security_Detections_API_MigrationStatus: type: object properties: id: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' status: enum: - success - failure - pending type: string updated: format: date-time type: string version: type: integer required: - id - status - version - updated Security_Detections_API_NewTermsFields: description: Fields to monitor for new values. items: type: string maxItems: 3 minItems: 1 type: array Security_Detections_API_NewTermsRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields' Security_Detections_API_NewTermsRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NewTermsRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' Security_Detections_API_NewTermsRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' Security_Detections_API_NewTermsRulePatchFields: allOf: - type: object properties: history_window_start: $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' new_terms_fields: $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - new_terms type: string - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields' Security_Detections_API_NewTermsRuleRequiredFields: type: object properties: history_window_start: $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' new_terms_fields: $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - new_terms type: string required: - type - query - new_terms_fields - history_window_start Security_Detections_API_NewTermsRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language Security_Detections_API_NewTermsRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty minLength: 1 type: string Security_Detections_API_NormalizedRuleAction: additionalProperties: false type: object properties: alerts_filter: $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' frequency: $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' group: $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' id: $ref: '#/components/schemas/Security_Detections_API_RuleActionId' params: $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' required: - id - params Security_Detections_API_NormalizedRuleError: type: object properties: err_code: $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode' message: type: string rules: items: $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError' type: array status_code: type: integer required: - message - status_code - rules Security_Detections_API_OsqueryParams: type: object properties: ecs_mapping: $ref: '#/components/schemas/Security_Detections_API_EcsMapping' pack_id: description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"' type: string queries: items: $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' type: array query: description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"' type: string saved_query_id: description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"' type: string timeout: description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.' type: number Security_Detections_API_OsqueryQuery: type: object properties: ecs_mapping: $ref: '#/components/schemas/Security_Detections_API_EcsMapping' id: description: Query ID type: string platform: type: string query: description: Query to run type: string removed: type: boolean snapshot: type: boolean version: description: Query version type: string required: - id - query Security_Detections_API_OsqueryResponseAction: type: object properties: action_type_id: enum: - .osquery type: string params: $ref: '#/components/schemas/Security_Detections_API_OsqueryParams' required: - action_type_id - params Security_Detections_API_PlatformErrorResponse: type: object properties: error: type: string message: type: string statusCode: type: integer required: - statusCode - error - message Security_Detections_API_ProcessesParams: type: object properties: command: description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"' enum: - kill-process - suspend-process type: string comment: description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"' type: string config: type: object properties: field: description: Field to use instead of process.pid type: string overwrite: default: true description: Whether to overwrite field with process.pid type: boolean required: - field required: - command - config Security_Detections_API_QueryRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields' Security_Detections_API_QueryRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' Security_Detections_API_QueryRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' Security_Detections_API_QueryRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' Security_Detections_API_QueryRulePatchFields: allOf: - type: object properties: type: description: Rule type enum: - query type: string - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields' Security_Detections_API_QueryRuleRequiredFields: type: object properties: type: description: Rule type enum: - query type: string required: - type Security_Detections_API_QueryRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' required: - query - language Security_Detections_API_QueryRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' Security_Detections_API_RelatedIntegration: description: | Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query. NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule. Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties: - `package`: name of the package (required, unique id) - `version`: version of the package (required, semver-compatible) - `integration`: name of the integration of this package (optional, id within the package) There are Fleet packages like `windows` that contain only one integration; in this case, `integration` should be unspecified. There are also packages like `aws` and `azure` that contain several integrations; in this case, `integration` should be specified. example: integration: activitylogs package: azure version: ~1.1.6 type: object properties: integration: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' package: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' version: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' required: - package - version Security_Detections_API_RelatedIntegrationArray: items: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' type: array Security_Detections_API_RequiredField: description: | Describes an Elasticsearch field that is needed for the rule to function. Almost all types of Security rules check source event documents for a match to some kind of query or filter. If a document has certain field with certain values, then it's a match and the rule will generate an alert. Required field is an event field that must be present in the source indices of a given rule. @example const standardEcsField: RequiredField = { name: 'event.action', type: 'keyword', ecs: true, }; @example const nonEcsField: RequiredField = { name: 'winlog.event_data.AttributeLDAPDisplayName', type: 'keyword', ecs: false, }; type: object properties: ecs: description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type. type: boolean name: description: Name of an Elasticsearch field format: nonempty minLength: 1 type: string type: description: Type of the Elasticsearch field format: nonempty minLength: 1 type: string required: - name - type - ecs Security_Detections_API_RequiredFieldArray: items: $ref: '#/components/schemas/Security_Detections_API_RequiredField' type: array Security_Detections_API_RequiredFieldInput: description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type. type: object properties: name: description: Name of an Elasticsearch field format: nonempty minLength: 1 type: string type: description: Type of the Elasticsearch field format: nonempty minLength: 1 type: string required: - name - type Security_Detections_API_ResponseAction: oneOf: - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction' Security_Detections_API_ResponseFields: type: object properties: created_at: format: date-time type: string created_by: type: string execution_summary: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' immutable: $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' required_fields: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray' revision: $ref: '#/components/schemas/Security_Detections_API_RuleRevision' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_source: $ref: '#/components/schemas/Security_Detections_API_RuleSource' updated_at: format: date-time type: string updated_by: type: string required: - id - rule_id - immutable - rule_source - updated_at - updated_by - created_at - created_by - revision - related_integrations - required_fields Security_Detections_API_RiskScore: description: | A numerical representation of the alert's severity from 0 to 100, where: * `0` - `21` represents low severity * `22` - `47` represents medium severity * `48` - `73` represents high severity * `74` - `100` represents critical severity maximum: 100 minimum: 0 type: integer Security_Detections_API_RiskScoreMapping: description: Overrides generated alerts' risk_score with a value from the source event items: type: object properties: field: description: Source event field used to override the default `risk_score`. type: string operator: enum: - equals type: string risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' value: type: string required: - field - operator - value type: array Security_Detections_API_RuleAction: type: object properties: action_type_id: description: | The action type used for sending notifications, can be: - `.slack` - `.slack_api` - `.email` - `.index` - `.pagerduty` - `.swimlane` - `.webhook` - `.servicenow` - `.servicenow-itom` - `.servicenow-sir` - `.jira` - `.resilient` - `.opsgenie` - `.teams` - `.torq` - `.tines` - `.d3security` type: string alerts_filter: $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' frequency: $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' group: $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' id: $ref: '#/components/schemas/Security_Detections_API_RuleActionId' params: $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' uuid: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' required: - action_type_id - id - params Security_Detections_API_RuleActionAlertsFilter: additionalProperties: true description: | Object containing an action’s conditional filters. - `timeframe` (object, optional): Object containing the time frame for when this action can be run. - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. - start (string, required): Start time in `hh:mm` format. - end (string, required): End time in `hh:mm` format. - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run. - `kql` (string, required): A KQL string. - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. type: object Security_Detections_API_RuleActionFrequency: description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). type: object properties: notifyWhen: $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' summary: description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert type: boolean throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' nullable: true required: - summary - notifyWhen - throttle Security_Detections_API_RuleActionGroup: description: Optionally groups actions by use cases. Use `default` for alert notifications. type: string Security_Detections_API_RuleActionId: description: The connector ID. type: string Security_Detections_API_RuleActionNotifyWhen: description: Defines how often rules run actions. enum: - onActiveAlert - onThrottleInterval - onActionGroupChange type: string Security_Detections_API_RuleActionParams: additionalProperties: true description: | Object containing the allowed connector fields, which varies according to the connector type. For Slack: - `message` (string, required): The notification message. For email: - `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. At least one field must have a value. - `subject` (string, optional): Email subject line. - `message` (string, required): Email body text. For Webhook: - `body` (string, required): JSON payload. For PagerDuty: - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. - `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action. - `summary` (string, options): Summary of the event. Defaults to `No summary provided`. Maximum length is 1024 characters. - `class` (string, optional): Value indicating the class/type of the event. type: object Security_Detections_API_RuleActionThrottle: description: Defines how often rule actions are taken. oneOf: - enum: - no_actions - rule type: string - description: Time interval in seconds, minutes, hours, or days. example: 1h pattern: ^[1-9]\d*[smhd]$ type: string Security_Detections_API_RuleAuthorArray: description: The rule’s author. items: type: string type: array Security_Detections_API_RuleCreateProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' discriminator: propertyName: type Security_Detections_API_RuleDescription: description: The rule’s description. example: Detects anomalous Windows process creation events. minLength: 1 type: string Security_Detections_API_RuleDetailsInError: type: object properties: id: type: string name: type: string required: - id Security_Detections_API_RuleExceptionList: description: | Array of [exception containers](https://www.elastic.co/guide/en/security/current/exceptions-api-overview.html), which define exceptions that prevent the rule from generating alerts even when its other criteria are met. type: object properties: id: description: ID of the exception container format: nonempty minLength: 1 type: string list_id: description: List ID of the exception container format: nonempty minLength: 1 type: string namespace_type: description: Determines the exceptions validity in rule's Kibana space enum: - agnostic - single type: string type: $ref: '#/components/schemas/Security_Detections_API_ExceptionListType' required: - id - list_id - type - namespace_type Security_Detections_API_RuleExecutionMetrics: type: object properties: execution_gap_duration_s: description: Duration in seconds of execution gap minimum: 0 type: integer frozen_indices_queried_count: description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter. minimum: 0 type: integer gap_range: description: Range of the execution gap type: object properties: gte: description: Start date of the execution gap type: string lte: description: End date of the execution gap type: string required: - gte - lte total_enrichment_duration_ms: description: Total time spent enriching documents during current rule execution cycle minimum: 0 type: integer total_indexing_duration_ms: description: Total time spent indexing documents during current rule execution cycle minimum: 0 type: integer total_search_duration_ms: description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response minimum: 0 type: integer Security_Detections_API_RuleExecutionStatus: description: |- Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule. - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes. - running - Rule execution started but not reached any intermediate or final status. - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist. - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function. - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it. enum: - going to run - running - partial failure - failed - succeeded type: string Security_Detections_API_RuleExecutionStatusOrder: type: integer Security_Detections_API_RuleExecutionSummary: description: | Summary of the last execution of a rule. > info > This field is under development and its usage or schema may change type: object properties: last_execution: type: object properties: date: description: Date of the last execution format: date-time type: string message: type: string metrics: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics' status: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' description: Status of the last execution status_order: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder' required: - date - status - status_order - message - metrics required: - last_execution Security_Detections_API_RuleFalsePositiveArray: description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleFilterArray: description: | The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. > info > This field is not supported for ES|QL rules. items: {} type: array Security_Detections_API_RuleInterval: description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). type: string Security_Detections_API_RuleIntervalFrom: description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). format: date-math type: string Security_Detections_API_RuleIntervalTo: type: string Security_Detections_API_RuleLicense: description: The rule's license. type: string Security_Detections_API_RuleMetadata: additionalProperties: true description: | Placeholder for metadata about the rule. > info > This field is overwritten when you save changes to the rule’s settings. type: object Security_Detections_API_RuleName: description: A human-readable name for the rule. example: Anomalous Windows Process Creation minLength: 1 type: string Security_Detections_API_RuleNameOverride: description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. type: string Security_Detections_API_RuleObjectId: $ref: '#/components/schemas/Security_Detections_API_UUID' description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. Security_Detections_API_RulePatchProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' Security_Detections_API_RulePreviewLoggedRequest: type: object properties: description: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' duration: type: integer request: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' request_type: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' Security_Detections_API_RulePreviewLogs: type: object properties: duration: description: Execution duration in milliseconds type: integer errors: items: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' type: array requests: items: $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest' type: array startedAt: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' warnings: items: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' type: array required: - errors - warnings - duration Security_Detections_API_RulePreviewParams: type: object properties: invocationCount: type: integer timeframeEnd: format: date-time type: string required: - invocationCount - timeframeEnd Security_Detections_API_RuleQuery: description: | [Query](https://www.elastic.co/guide/en/kibana/8.17/search.html) used by the rule to create alerts. - For indicator match rules, only the query’s results are used to determine whether an alert is generated. - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) rules for more information. type: string Security_Detections_API_RuleReferenceArray: description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleResponse: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRule' - $ref: '#/components/schemas/Security_Detections_API_QueryRule' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule' - $ref: '#/components/schemas/Security_Detections_API_EsqlRule' discriminator: propertyName: type Security_Detections_API_RuleRevision: description: | The rule's revision number. It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update. > info > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments. minimum: 0 type: integer Security_Detections_API_RuleSignatureId: description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. type: string Security_Detections_API_RuleSource: description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' Security_Detections_API_RuleTagArray: description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleUpdateProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' discriminator: propertyName: type Security_Detections_API_RuleVersion: description: | The rule's version number. - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). - For custom rules it is set to `1` when the rule is created. > info > It is not incremented on each update. Compare this to the `revision` field. minimum: 1 type: integer Security_Detections_API_SavedObjectResolveAliasPurpose: enum: - savedObjectConversion - savedObjectImport type: string Security_Detections_API_SavedObjectResolveAliasTargetId: type: string Security_Detections_API_SavedObjectResolveOutcome: enum: - exactMatch - aliasMatch - conflict type: string Security_Detections_API_SavedQueryId: description: Kibana [saved search](https://www.elastic.co/guide/en/kibana/current/save-open-search.html) used by the rule to create alerts. type: string Security_Detections_API_SavedQueryRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields' Security_Detections_API_SavedQueryRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SavedQueryRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' Security_Detections_API_SavedQueryRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' Security_Detections_API_SavedQueryRulePatchFields: allOf: - type: object properties: saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' type: description: Rule type enum: - saved_query type: string - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields' Security_Detections_API_SavedQueryRuleRequiredFields: type: object properties: saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' type: description: Rule type enum: - saved_query type: string required: - type - saved_id Security_Detections_API_SavedQueryRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language Security_Detections_API_SavedQueryRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SetAlertsStatusByIds: type: object properties: signal_ids: description: List of alert `id`s. items: format: nonempty minLength: 1 type: string minItems: 1 type: array status: $ref: '#/components/schemas/Security_Detections_API_AlertStatus' required: - signal_ids - status Security_Detections_API_SetAlertsStatusByQuery: type: object properties: conflicts: default: abort enum: - abort - proceed type: string query: additionalProperties: true type: object status: $ref: '#/components/schemas/Security_Detections_API_AlertStatus' required: - query - status Security_Detections_API_SetAlertTags: description: Object with list of tags to add and remove. type: object properties: tags_to_add: $ref: '#/components/schemas/Security_Detections_API_AlertTags' tags_to_remove: $ref: '#/components/schemas/Security_Detections_API_AlertTags' required: - tags_to_add - tags_to_remove Security_Detections_API_SetupGuide: description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. type: string Security_Detections_API_Severity: description: | Severity level of alerts produced by the rule, which must be one of the following: * `low`: Alerts that are of interest but generally not considered to be security incidents * `medium`: Alerts that require investigation * `high`: Alerts that require immediate investigation * `critical`: Alerts that indicate it is highly likely a security incident has occurred enum: - low - medium - high - critical type: string Security_Detections_API_SeverityMapping: description: Overrides generated alerts' severity with values from the source event items: type: object properties: field: description: Source event field used to override the default `severity`. type: string operator: enum: - equals type: string severity: $ref: '#/components/schemas/Security_Detections_API_Severity' value: type: string required: - field - operator - severity - value type: array Security_Detections_API_SiemErrorResponse: type: object properties: message: type: string status_code: type: integer required: - status_code - message Security_Detections_API_SkippedAlertsIndexMigration: type: object properties: index: type: string required: - index Security_Detections_API_SortOrder: enum: - asc - desc type: string Security_Detections_API_Threat: description: | > info > Currently, only threats described using the MITRE ATT&CK™ framework are supported. type: object properties: framework: description: Relevant attack framework type: string tactic: $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' technique: description: Array containing information on the attack techniques (optional) items: $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' type: array required: - framework - tactic Security_Detections_API_ThreatArray: items: $ref: '#/components/schemas/Security_Detections_API_Threat' type: array Security_Detections_API_ThreatFilters: items: description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values type: array Security_Detections_API_ThreatIndex: description: Elasticsearch indices used to check which field values generate alerts. items: type: string type: array Security_Detections_API_ThreatIndicatorPath: description: Defines the path to the threat indicator in the indicator documents (optional) type: string Security_Detections_API_ThreatMapping: description: | Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields: - field: field from the event indices on which the rule runs - type: must be mapping - value: field from the Elasticsearch threat index You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic. items: type: object properties: entries: items: type: object properties: field: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' type: enum: - mapping type: string value: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' required: - field - type - value type: array required: - entries minItems: 1 type: array Security_Detections_API_ThreatMatchRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields' Security_Detections_API_ThreatMatchRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' Security_Detections_API_ThreatMatchRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' concurrent_searches: $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' items_per_search: $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch' saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' threat_filters: $ref: '#/components/schemas/Security_Detections_API_ThreatFilters' threat_indicator_path: $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath' threat_language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' Security_Detections_API_ThreatMatchRulePatchFields: allOf: - type: object properties: query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' threat_index: $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' threat_mapping: $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' threat_query: $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' type: description: Rule type enum: - threat_match type: string - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields' Security_Detections_API_ThreatMatchRuleRequiredFields: type: object properties: query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' threat_index: $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' threat_mapping: $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' threat_query: $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' type: description: Rule type enum: - threat_match type: string required: - type - query - threat_query - threat_mapping - threat_index Security_Detections_API_ThreatMatchRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language Security_Detections_API_ThreatMatchRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatQuery: description: Query used to determine which fields in the Elasticsearch index are used for generating alerts. type: string Security_Detections_API_ThreatSubtechnique: type: object properties: id: description: Subtechnique ID type: string name: description: Subtechnique name type: string reference: description: Subtechnique reference type: string required: - id - name - reference Security_Detections_API_ThreatTactic: description: | Object containing information on the attack type type: object properties: id: description: Tactic ID type: string name: description: Tactic name type: string reference: description: Tactic reference type: string required: - id - name - reference Security_Detections_API_ThreatTechnique: type: object properties: id: description: Technique ID type: string name: description: Technique name type: string reference: description: Technique reference type: string subtechnique: description: | Array containing more specific information on the attack technique. items: $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique' type: array required: - id - name - reference Security_Detections_API_Threshold: type: object properties: cardinality: $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality' field: $ref: '#/components/schemas/Security_Detections_API_ThresholdField' value: $ref: '#/components/schemas/Security_Detections_API_ThresholdValue' required: - field - value Security_Detections_API_ThresholdAlertSuppression: description: Defines alert suppression configuration. type: object properties: duration: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' required: - duration Security_Detections_API_ThresholdCardinality: description: The field on which the cardinality is applied. items: type: object properties: field: description: The field on which to calculate and compare the cardinality. type: string value: description: The threshold value from which an alert is generated based on unique number of values of cardinality.field. minimum: 0 type: integer required: - field - value type: array Security_Detections_API_ThresholdField: description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field. oneOf: - type: string - items: type: string type: array Security_Detections_API_ThresholdRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields' Security_Detections_API_ThresholdRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' Security_Detections_API_ThresholdRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' Security_Detections_API_ThresholdRulePatchFields: allOf: - type: object properties: query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' threshold: $ref: '#/components/schemas/Security_Detections_API_Threshold' type: description: Rule type enum: - threshold type: string - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields' Security_Detections_API_ThresholdRuleRequiredFields: type: object properties: query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' threshold: $ref: '#/components/schemas/Security_Detections_API_Threshold' type: description: Rule type enum: - threshold type: string required: - type - query - threshold Security_Detections_API_ThresholdRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language Security_Detections_API_ThresholdRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdValue: description: The threshold value from which an alert is generated. minimum: 1 type: integer Security_Detections_API_ThrottleForBulkActions: description: | Defines the maximum interval in which a rule’s actions are executed. > info > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field. enum: - rule - 1h - 1d - 7d type: string Security_Detections_API_TiebreakerField: description: Sets a secondary field for sorting events type: string Security_Detections_API_TimelineTemplateId: description: Timeline template ID type: string Security_Detections_API_TimelineTemplateTitle: description: Timeline template title type: string Security_Detections_API_TimestampField: description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. type: string Security_Detections_API_TimestampOverride: description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. type: string Security_Detections_API_TimestampOverrideFallbackDisabled: description: Disables the fallback to the event's @timestamp field type: boolean Security_Detections_API_UUID: description: A universally unique identifier format: uuid type: string Security_Detections_API_WarningSchema: type: object properties: actionPath: type: string buttonLabel: type: string message: type: string type: type: string required: - type - message - actionPath Security_Endpoint_Exceptions_API_EndpointList: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList' - additionalProperties: false type: object Security_Endpoint_Exceptions_API_EndpointListItem: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' Security_Endpoint_Exceptions_API_ExceptionList: type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: description: Autogenerated value - user that created object. type: string description: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId' immutable: type: boolean list_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta' name: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName' namespace_type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. type: string version: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion' required: - id - list_id - type - name - description - immutable - namespace_type - version - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Endpoint_Exceptions_API_ExceptionListDescription: description: Describes the exception list. example: This list tracks allowlisted values. type: string Security_Endpoint_Exceptions_API_ExceptionListHumanId: description: Exception list's human readable string identifier, e.g. `trusted-linux-processes`. example: simple_list format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ExceptionListId: description: Exception list's identifier. example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ExceptionListItem: type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: description: Autogenerated value - user that created object. type: string description: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' expire_time: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' item_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' namespace_type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' tags: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. type: string required: - id - item_id - list_id - type - name - description - entries - namespace_type - comments - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Endpoint_Exceptions_API_ExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - id - comment - created_at - created_by Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray: description: | Array of comment fields: - comment (string): Comments about the exception item. items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment' type: array Security_Endpoint_Exceptions_API_ExceptionListItemDescription: description: Describes the exception list. type: string Security_Endpoint_Exceptions_API_ExceptionListItemEntry: anyOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry' type: array Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: type: object properties: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists type: string required: - type - field - operator Security_Endpoint_Exceptions_API_ExceptionListItemEntryList: type: object properties: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' list: type: object properties: id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId' type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType' required: - id - type operator: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list type: string required: - type - field - list - operator Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: type: object properties: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match type: string value: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - type - field - value - operator Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: type: object properties: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any type: string value: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' minItems: 1 type: array required: - type - field - value - operator Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: type: object properties: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard type: string value: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - type - field - value - operator Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested: type: object properties: entries: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' type: enum: - nested type: string required: - type - field - entries Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: description: Human readable string identifier, e.g. `trusted-linux-processes` example: simple_list_item format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ExceptionListItemId: description: Exception's identifier. example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ExceptionListItemMeta: additionalProperties: true type: object Security_Endpoint_Exceptions_API_ExceptionListItemName: description: Exception list name. format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListItemTags: items: description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string type: array Security_Endpoint_Exceptions_API_ExceptionListItemType: enum: - simple type: string Security_Endpoint_Exceptions_API_ExceptionListMeta: additionalProperties: true description: Placeholder for metadata about the list container. type: object Security_Endpoint_Exceptions_API_ExceptionListName: description: The name of the exception list. example: My exception list type: string Security_Endpoint_Exceptions_API_ExceptionListOsType: description: Use this field to specify the operating system. enum: - linux - macos - windows type: string Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: description: Use this field to specify the operating system. Only enter one value. items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListTags: description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Endpoint_Exceptions_API_ExceptionListType: description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default - endpoint - endpoint_trusted_apps - endpoint_events - endpoint_host_isolation_exceptions - endpoint_blocklists type: string Security_Endpoint_Exceptions_API_ExceptionListVersion: description: The document version, automatically increasd on updates. minimum: 1 type: integer Security_Endpoint_Exceptions_API_ExceptionNamespaceType: description: | Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - `single`: Only available in the Kibana space in which it is created. - `agnostic`: Available in all Kibana spaces. enum: - agnostic - single type: string Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' Security_Endpoint_Exceptions_API_ListId: description: Value list's identifier. example: 21b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ListType: description: | Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - `ip`: IP addresses - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean - byte - date - date_nanos - date_range - double - double_range - float - float_range - geo_point - geo_shape - half_float - integer - integer_range - ip - ip_range - keyword - long - long_range - shape - short - text type: string Security_Endpoint_Exceptions_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_PlatformErrorResponse: type: object properties: error: type: string message: type: string statusCode: type: integer required: - statusCode - error - message Security_Endpoint_Exceptions_API_SiemErrorResponse: type: object properties: message: type: string status_code: type: integer required: - status_code - message Security_Endpoint_Management_API_ActionStateSuccessResponse: type: object properties: body: type: object properties: data: type: object properties: canEncrypt: type: boolean required: - data required: - body Security_Endpoint_Management_API_ActionStatusSuccessResponse: type: object properties: body: type: object properties: data: type: object properties: agent_id: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' pending_actions: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema' required: - agent_id - pending_actions required: - data required: - body Security_Endpoint_Management_API_AgentId: description: Agent ID type: string Security_Endpoint_Management_API_AgentIds: description: A list of agent IDs. Max of 50. example: - agent-id-1 - agent-id-2 minLength: 1 oneOf: - items: minLength: 1 type: string maxItems: 50 minItems: 1 type: array - minLength: 1 type: string Security_Endpoint_Management_API_AgentTypes: description: List of agent types to retrieve. Defaults to `endpoint`. enum: - endpoint - sentinel_one - crowdstrike - microsoft_defender_endpoint example: endpoint type: string Security_Endpoint_Management_API_AlertIds: description: A list of alerts `id`s. items: format: nonempty minLength: 1 type: string minItems: 1 type: array Security_Endpoint_Management_API_CaseIds: description: Case IDs to be updated (cannot contain empty strings) example: - case-id-1 - case-id-2 items: minLength: 1 type: string minItems: 1 type: array Security_Endpoint_Management_API_CloudFileScriptParameters: type: object properties: cloudFile: description: Script name in cloud storage. minLength: 1 type: string commandLine: description: Command line arguments. minLength: 1 type: string timeout: description: Timeout in seconds. minimum: 1 type: integer required: - cloudFile Security_Endpoint_Management_API_Command: description: The command to be executed (cannot be an empty string) enum: - isolate - unisolate - kill-process - suspend-process - running-processes - get-file - execute - upload - scan minLength: 1 type: string Security_Endpoint_Management_API_Commands: description: A list of response action command names. example: - isolate - unisolate items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' type: array Security_Endpoint_Management_API_Comment: description: Optional comment example: This is a comment type: string Security_Endpoint_Management_API_EndDate: description: An end date in ISO format or Date Math format. example: '2023-10-31T23:59:59.999Z' type: string Security_Endpoint_Management_API_EndpointIds: description: List of endpoint IDs (cannot contain empty strings) example: - endpoint-id-1 - endpoint-id-2 items: minLength: 1 type: string minItems: 1 type: array Security_Endpoint_Management_API_EndpointMetadataResponse: example: host_status: healthy last_checkin: '2023-07-04T15:48:57.360Z' metadata: '@timestamp': '2023-07-04T15:48:57.3609346Z' agent: build: original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 data_stream: dataset: endpoint.metadata namespace: default type: metrics ecs: version: 1.11.0 elastic: agent: id: abb8a826-6812-448c-a571-6d8269b51449 Endpoint: capabilities: - isolation configuration: isolation: false policy: applied: endpoint_policy_version: '2' id: d5371dcd-93b7-4627-af88-4084f7d6aa3e name: test status: success version: '3' state: isolation: false status: enrolled event: action: endpoint_metadata agent_id_status: verified category: - host created: '2023-07-04T15:48:57.3609346Z' dataset: endpoint.metadata id: MNtRc++KoKHXXwlj+++++OhZ ingested: '2023-07-04T15:48:58Z' kind: metric module: endpoint sequence: 43757 type: - info host: architecture: x86_64 hostname: WinDev2104Eval id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 ip: - 10.0.2.15 - fe80::21a6:63d3:d70e:e3ad - 127.0.0.1 - '::1' mac: - 08:00:27:b1:1d:5a name: WinDev2104Eval os: Ext: variant: Windows 10 Enterprise Evaluation family: windows full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) kernel: 20H2 (10.0.19042.906) name: Windows platform: windows type: windows version: 20H2 (10.0.19042.906) message: Endpoint metadata policy_info: agent: applied: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 3 configured: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 3 endpoint: id: d5371dcd-93b7-4627-af88-4084f7d6aa3e revision: 2 type: object properties: {} Security_Endpoint_Management_API_ExecuteRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: parameters: type: object properties: command: $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' timeout: $ref: '#/components/schemas/Security_Endpoint_Management_API_Timeout' required: - command required: - parameters example: comment: Get list of all files endpoint_ids: - b3d6de74-36b0-4fa8-be46-c375bf1771bf parameters: command: ls -al timeout: 600 Security_Endpoint_Management_API_ExecuteRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentState: ed518850-681a-4d60-bb98-e22640cae2a8: isCompleted: false wasSuccessful: false agentType: endpoint command: execute comment: Get list of all files createdBy: myuser hosts: ed518850-681a-4d60-bb98-e22640cae2a8: name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r id: 9f934028-2300-4927-b531-b26376793dc4 isCompleted: false isExpired: false outputs: {} parameters: command: ls -al timeout: 600 startedAt: '2023-07-28T18:43:27.362Z' status: pending wasSuccessful: false type: object properties: {} Security_Endpoint_Management_API_GetEndpointActionListResponse: example: data: - agents: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 agentType: endpoint command: running-processes completedAt: '2022-08-08T09:50:47.672Z' createdBy: elastic id: b3d6de74-36b0-4fa8-be46-c375bf1771bf isCompleted: true isExpired: false startedAt: '2022-08-08T15:24:57.402Z' wasSuccessful: true - agents: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 agentType: endpoint command: isolate completedAt: '2022-08-08T10:41:57.352Z' createdBy: elastic id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 isCompleted: true isExpired: false startedAt: '2022-08-08T15:23:37.359Z' wasSuccessful: true - agents: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 agentType: endpoint command: kill-process comment: bad process - taking up too much cpu completedAt: '2022-08-08T09:44:50.952Z' createdBy: elastic id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa isCompleted: true isExpired: false startedAt: '2022-08-08T14:38:44.125Z' wasSuccessful: true - agents: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 agentType: endpoint command: unisolate comment: Not a threat to the network completedAt: '2022-08-08T09:40:47.398Z' createdBy: elastic id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a isCompleted: true isExpired: false startedAt: '2022-08-08T14:38:15.391Z' wasSuccessful: true elasticAgentIds: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 endDate: now page: 1 pageSize: 10 startDate: now-24h/h total: 4 type: object properties: {} Security_Endpoint_Management_API_GetEndpointActionResponse: example: data: agents: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 agentType: endpoint command: running-processes completedAt: '2022-08-08T09:50:47.672Z' createdBy: elastic id: b3d6de74-36b0-4fa8-be46-c375bf1771bf isCompleted: true isExpired: false outputs: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: content: entries: - command: /opt/cmd1 entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt pid: '822' user: Dexter - command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3 entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt pid: '984' user: Jada type: json startedAt: '2022-08-08T15:24:57.402Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_GetFileRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: parameters: type: object properties: path: type: string required: - path required: - parameters example: comment: Get my file endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: path: /usr/my-file.txt Security_Endpoint_Management_API_GetFileRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentState: ed518850-681a-4d60-bb98-e22640cae2a8: isCompleted: false wasSuccessful: false agentType: endpoint command: get-file createdBy: myuser hosts: ed518850-681a-4d60-bb98-e22640cae2a8: name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 isCompleted: false isExpired: false outputs: {} parameters: path: /usr/my-file.txt startedAt: '2023-07-28T19:00:03.911Z' status: pending wasSuccessful: false type: object properties: {} Security_Endpoint_Management_API_GetProcessesRouteRequestBody: example: endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids Security_Endpoint_Management_API_GetProcessesRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentType: endpoint command: running-processes comment: '' completedAt: '2022-07-29T19:09:44.961Z' createdBy: myuser errors: [] id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: true isExpired: false outputs: ed518850-681a-4d60-bb98-e22640cae2a8: content: key: value type: json parameters: {} startedAt: '2022-07-29T19:08:49.126Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_HostPathScriptParameters: type: object properties: commandLine: description: Command line arguments. minLength: 1 type: string hostPath: description: Absolute or relative path of script on host machine. minLength: 1 type: string timeout: description: Timeout in seconds. minimum: 1 type: integer required: - hostPath Security_Endpoint_Management_API_HostStatuses: description: A set of agent health statuses to filter by. example: - healthy - updating items: enum: - healthy - offline - updating - inactive - unenrolled type: string type: array Security_Endpoint_Management_API_IsolateRouteResponse: example: action: 233db9ea-6733-4849-9226-5a7039c7161d data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentType: endpoint command: suspend-process comment: suspend the process completedAt: '2022-07-29T19:09:44.961Z' createdBy: myuser errors: [] id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: true isExpired: false outputs: ed518850-681a-4d60-bb98-e22640cae2a8: content: key: value type: json parameters: entity_id: abc123 startedAt: '2022-07-29T19:08:49.126Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: parameters: oneOf: - type: object properties: pid: description: The process ID (PID) of the process to terminate. example: 123 minimum: 1 type: integer - type: object properties: entity_id: description: The entity ID of the process to terminate. example: abc123 minLength: 1 type: string - type: object properties: process_name: description: The name of the process to terminate. Valid for SentinelOne agent type only. example: Elastic minLength: 1 type: string required: - parameters example: comment: terminate the process endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: entity_id: abc123 Security_Endpoint_Management_API_KillProcessRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentType: endpoint command: kill-process comment: terminate the process completedAt: '2022-07-29T19:09:44.961Z' createdBy: myuser errors: [] id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: true isExpired: false outputs: ed518850-681a-4d60-bb98-e22640cae2a8: content: key: value type: json parameters: entity_id: abc123 startedAt: '2022-07-29T19:08:49.126Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_Kuery: description: A KQL string. example: 'united.endpoint.host.os.name : ''Windows''' type: string Security_Endpoint_Management_API_MetadataListResponse: example: data: - host_status: healthy last_checkin: '2023-07-04T15:47:57.432Z' metadata: '@timestamp': '2023-07-04T15:47:57.432173535Z' agent: build: original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: 285297c6-3bff-4b83-9a07-f3e749801123 type: endpoint version: 7.16.0 data_stream: dataset: endpoint.metadata namespace: default type: metrics ecs: version: 1.11.0 elastic: agent: id: 285297c6-3bff-4b83-9a07-f3e749801123 Endpoint: capabilities: - isolation configuration: isolation: false policy: applied: endpoint_policy_version: '2' id: d5371dcd-93b7-4627-af88-4084f7d6aa3e name: test status: success version: '3' state: isolation: false status: enrolled event: action: endpoint_metadata agent_id_status: verified category: - host created: '2023-07-04T15:47:57.432173535Z' dataset: endpoint.metadata id: MNtSXK/SkhEBnmgt++++++7S ingested: '2023-07-04T15:47:58Z' kind: metric module: endpoint sequence: 400 type: - info host: architecture: x86_64 hostname: david-Xubuntu id: 0cfead88e2024bd8a27476352b5ab264 ip: - 127.0.0.1 - '::1' - 10.0.2.15 - fe80::2ac7:8e15:b957:2fa1 mac: - 08:00:27:e6:78:8b name: david-Xubuntu os: Ext: variant: Ubuntu family: ubuntu full: Ubuntu 20.04.2 kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021' name: Linux platform: ubuntu type: linux version: 20.04.2 message: Endpoint metadata policy_info: agent: applied: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 0 configured: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 3 endpoint: id: d5371dcd-93b7-4627-af88-4084f7d6aa3e revision: 2 - host_status: healthy last_checkin: '2023-07-04T15:44:31.491Z' metadata: '@timestamp': '2023-07-04T15:44:31.4917849Z' agent: build: original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 data_stream: dataset: endpoint.metadata namespace: default type: metrics ecs: version: 1.11.0 elastic: agent: id: abb8a826-6812-448c-a571-6d8269b51449 Endpoint: capabilities: - isolation configuration: isolation: false policy: applied: endpoint_policy_version: '2' id: d5371dcd-93b7-4627-af88-4084f7d6aa3e name: test status: success version: '3' state: isolation: false status: enrolled event: action: endpoint_metadata agent_id_status: verified category: - host created: '2023-07-04T15:44:31.4917849Z' dataset: endpoint.metadata id: MNtRc++KoKHXXwlj+++++/N9 ingested: '2023-07-04T15:44:33Z' kind: metric module: endpoint sequence: 5159 type: - info host: architecture: x86_64 hostname: WinDev2104Eval id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 ip: - 10.0.2.15 - fe80::21a6:63d3:d70e:e3ad - 127.0.0.1 - '::1' mac: - 08:00:27:b1:1d:5a name: WinDev2104Eval os: Ext: variant: Windows 10 Enterprise Evaluation family: windows full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) kernel: 20H2 (10.0.19042.906) name: Windows platform: windows type: windows version: 20H2 (10.0.19042.906) message: Endpoint metadata policy_info: agent: applied: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 0 configured: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 3 endpoint: id: d5371dcd-93b7-4627-af88-4084f7d6aa3e revision: 2 page: 0 pageSize: 10 sortDirection: desc sortField: enrolled_at total: 2 type: object properties: {} Security_Endpoint_Management_API_Page: default: 1 description: Page number example: 1 minimum: 1 type: integer Security_Endpoint_Management_API_PageSize: default: 10 description: Number of items per page example: 10 maximum: 100 minimum: 1 type: integer Security_Endpoint_Management_API_Parameters: description: Optional parameters object type: object Security_Endpoint_Management_API_PendingActionDataType: type: integer Security_Endpoint_Management_API_PendingActionsSchema: oneOf: - type: object properties: execute: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' get-file: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' isolate: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' kill-process: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' running-processes: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' scan: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' suspend-process: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' unisolate: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' upload: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - additionalProperties: true type: object Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: type: object properties: note: type: string Security_Endpoint_Management_API_RawScriptParameters: type: object properties: commandLine: description: Command line arguments. minLength: 1 type: string raw: description: Raw script content. minLength: 1 type: string timeout: description: Timeout in seconds. minimum: 1 type: integer required: - raw Security_Endpoint_Management_API_RunScriptRouteRequestBody: type: object properties: parameters: description: Exactly one of 'Raw', 'HostPath', or 'CloudFile' must be provided. CommandLine and Timeout are optional for all. oneOf: - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters' - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters' - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters' required: - parameters Security_Endpoint_Management_API_ScanRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: parameters: type: object properties: path: description: The folder or file’s full path (including the file name). example: /usr/my-file.txt type: string required: - path required: - parameters example: comment: Scan the file for malware endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: path: /usr/my-file.txt Security_Endpoint_Management_API_ScanRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentState: ed518850-681a-4d60-bb98-e22640cae2a8: isCompleted: false wasSuccessful: false agentType: endpoint command: scan createdBy: myuser hosts: ed518850-681a-4d60-bb98-e22640cae2a8: name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 isCompleted: false isExpired: false outputs: {} parameters: path: /usr/my-file.txt startedAt: '2023-07-28T19:00:03.911Z' status: pending wasSuccessful: false type: object properties: {} Security_Endpoint_Management_API_SortDirection: description: Determines the sort order. enum: - asc - desc example: desc type: string Security_Endpoint_Management_API_SortField: description: Determines which field is used to sort the results. enum: - enrolled_at - metadata.host.hostname - host_status - metadata.Endpoint.policy.applied.name - metadata.Endpoint.policy.applied.status - metadata.host.os.name - metadata.host.ip - metadata.agent.version - last_checkin example: enrolled_at type: string Security_Endpoint_Management_API_StartDate: description: A start date in ISO 8601 format or Date Math format. example: '2023-10-31T00:00:00.000Z' type: string Security_Endpoint_Management_API_SuccessResponse: type: object properties: {} Security_Endpoint_Management_API_SuspendProcessRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: parameters: oneOf: - type: object properties: pid: description: The process ID (PID) of the process to suspend. example: 123 minimum: 1 type: integer - type: object properties: entity_id: description: The entity ID of the process to suspend. example: abc123 minLength: 1 type: string required: - parameters example: comment: suspend the process endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: entity_id: abc123 Security_Endpoint_Management_API_SuspendProcessRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentType: endpoint command: suspend-process comment: suspend the process completedAt: '2022-07-29T19:09:44.961Z' createdBy: myuser errors: [] id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: true isExpired: false outputs: ed518850-681a-4d60-bb98-e22640cae2a8: content: key: value type: json parameters: entity_id: abc123 startedAt: '2022-07-29T19:08:49.126Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_Timeout: description: The maximum timeout value in milliseconds (optional) minimum: 1 type: integer Security_Endpoint_Management_API_Type: description: Type of response action enum: - automated - manual type: string Security_Endpoint_Management_API_Types: description: List of types of response actions example: - automated - manual items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' maxLength: 2 minLength: 1 type: array Security_Endpoint_Management_API_UnisolateRouteResponse: example: action: 233db9ea-6733-4849-9226-5a7039c7161d data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentType: endpoint command: suspend-process comment: suspend the process completedAt: '2022-07-29T19:09:44.961Z' createdBy: myuser errors: [] id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: true isExpired: false outputs: ed518850-681a-4d60-bb98-e22640cae2a8: content: key: value type: json parameters: entity_id: abc123 startedAt: '2022-07-29T19:08:49.126Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_UploadRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: file: description: The binary content of the file. example: RWxhc3RpYw== format: binary type: string parameters: type: object properties: overwrite: default: false description: Overwrite the file on the host if it already exists. example: false type: boolean required: - parameters - file example: endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 file: RWxhc3RpYw== parameters: {} Security_Endpoint_Management_API_UploadRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentState: ed518850-681a-4d60-bb98-e22640cae2a8: isCompleted: false wasSuccessful: false agentType: endpoint command: upload createdBy: elastic hosts: ed518850-681a-4d60-bb98-e22640cae2a8: name: Host-5i6cuc8kdv id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 isCompleted: false isExpired: false outputs: {} parameters: file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 file_name: fix-malware.sh file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a file_size: 69 startedAt: '2023-07-03T15:07:22.837Z' status: pending wasSuccessful: false type: object properties: {} Security_Endpoint_Management_API_UserIds: description: A list of user IDs. example: - user-id-1 - user-id-2 oneOf: - items: minLength: 1 type: string minItems: 1 type: array - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: description: A list of action IDs that should include the complete output of the action. example: - action-id-1 - action-id-2 oneOf: - items: minLength: 1 type: string minItems: 1 type: array - minLength: 1 type: string Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: type: object properties: index: type: integer message: type: string required: - message - index Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats: type: object properties: failed: type: integer successful: type: integer total: type: integer required: - successful - failed - total Security_Entity_Analytics_API_AssetCriticalityLevel: description: The criticality level of the asset. enum: - low_impact - medium_impact - high_impact - extreme_impact type: string Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload: description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload. enum: - low_impact - medium_impact - high_impact - extreme_impact - unassigned type: string Security_Entity_Analytics_API_AssetCriticalityRecord: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts' - type: object properties: '@timestamp': description: The time the record was created or updated. example: '2017-07-21T17:32:28Z' format: date-time type: string required: - '@timestamp' example: '@timestamp': '2024-08-02T11:15:34.290Z' asset: criticality: high_impact criticality_level: high_impact host: asset: criticality: high_impact name: my_host id_field: host.name id_value: my_host Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts: type: object properties: asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - asset entity: type: object properties: asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality id: type: string required: - id host: type: object properties: asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: type: string required: - name service: type: object properties: asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: type: string required: - name user: type: object properties: asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: type: string required: - name required: - asset Security_Entity_Analytics_API_AssetCriticalityRecordIdParts: type: object properties: id_field: $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' description: The field representing the ID. example: host.name id_value: description: The ID value of the asset. type: string required: - id_value - id_field Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse: type: object properties: cleanup_successful: example: false type: boolean errors: items: type: object properties: error: type: string seq: type: integer required: - seq - error type: array required: - cleanup_successful - errors Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse: type: object properties: errors: items: type: object properties: error: type: string seq: type: integer required: - seq - error type: array risk_engine_saved_object_configured: example: false type: boolean required: - risk_engine_saved_object_configured - errors Security_Entity_Analytics_API_CreateAssetCriticalityRecord: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - type: object properties: criticality_level: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality_level Security_Entity_Analytics_API_EngineComponentResource: enum: - entity_engine - entity_definition - index - component_template - index_template - ingest_pipeline - enrich_policy - task - transform type: string Security_Entity_Analytics_API_EngineComponentStatus: type: object properties: errors: items: type: object properties: message: type: string title: type: string type: array health: enum: - green - yellow - red - unknown type: string id: type: string installed: type: boolean metadata: $ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata' resource: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource' required: - id - installed - resource Security_Entity_Analytics_API_EngineDataviewUpdateResult: type: object properties: changes: type: object properties: indexPatterns: items: type: string type: array type: type: string required: - type Security_Entity_Analytics_API_EngineDescriptor: type: object properties: delay: default: 1m pattern: '[smdh]$' type: string docsPerSecond: type: integer error: type: object properties: action: enum: - init type: string message: type: string required: - message - action fieldHistoryLength: type: integer filter: type: string frequency: default: 1m pattern: '[smdh]$' type: string indexPattern: $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' lookbackPeriod: default: 24h pattern: '[smdh]$' type: string status: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' timeout: default: 180s pattern: '[smdh]$' type: string timestampField: type: string type: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' required: - type - indexPattern - status - fieldHistoryLength Security_Entity_Analytics_API_EngineMetadata: type: object properties: Type: type: string required: - Type Security_Entity_Analytics_API_EngineStatus: enum: - installing - started - stopped - updating - error type: string Security_Entity_Analytics_API_Entity: oneOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_ServiceEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_GenericEntity' Security_Entity_Analytics_API_EntityRiskLevels: enum: - Unknown - Low - Moderate - High - Critical type: string Security_Entity_Analytics_API_EntityRiskScoreRecord: type: object properties: '@timestamp': description: The time at which the risk score was calculated. example: '2017-07-21T17:32:28Z' format: date-time type: string calculated_level: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' description: Lexical description of the entity's risk. example: Critical calculated_score: description: The raw numeric value of the given entity's risk score. format: double type: number calculated_score_norm: description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. format: double maximum: 100 minimum: 0 type: number category_1_count: description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`). format: integer type: number category_1_score: description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts. format: double type: number category_2_count: format: integer type: number category_2_score: format: double type: number criticality_level: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' criticality_modifier: format: double type: number id_field: description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored. example: host.name type: string id_value: description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored. example: example.host type: string inputs: description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes. items: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' type: array notes: items: type: string type: array required: - '@timestamp' - id_field - id_value - calculated_level - calculated_score - calculated_score_norm - category_1_score - category_1_count - inputs - notes Security_Entity_Analytics_API_EntityType: enum: - user - host - service - generic type: string Security_Entity_Analytics_API_GenericEntity: type: object properties: '@timestamp': format: date-time type: string asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality entity: type: object properties: category: type: string EngineMetadata: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata' id: type: string name: type: string source: type: string type: type: string required: - id - name - type required: - entity Security_Entity_Analytics_API_HostEntity: type: object properties: '@timestamp': format: date-time type: string asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality entity: type: object properties: EngineMetadata: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata' name: type: string source: type: string type: type: string required: - name - source - type event: type: object properties: ingested: format: date-time type: string host: type: object properties: architecture: items: type: string type: array domain: items: type: string type: array hostname: items: type: string type: array id: items: type: string type: array ip: items: type: string type: array mac: items: type: string type: array name: type: string risk: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' type: items: type: string type: array required: - name required: - host - entity Security_Entity_Analytics_API_IdField: enum: - host.name - user.name - service.name - entity.id type: string Security_Entity_Analytics_API_IndexPattern: type: string Security_Entity_Analytics_API_InspectQuery: type: object properties: dsl: items: type: string type: array response: items: type: string type: array required: - dsl - response Security_Entity_Analytics_API_Interval: description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period, example: 1h pattern: ^[1-9]\d*[smh]$ type: string Security_Entity_Analytics_API_Metadata: $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata' Security_Entity_Analytics_API_MonitoredUserDoc: type: object properties: '@timestamp': format: date-time type: string entity_analytics_monitoring: type: object properties: labels: items: type: object properties: field: type: string source: type: string value: type: string type: array event: type: object properties: ingested: format: date-time type: string id: type: string labels: type: object properties: source_indices: items: type: string type: array source_integrations: items: type: string type: array sources: items: enum: - csv - index_sync - api type: array user: type: object properties: is_privileged: description: Indicates if the user is privileged. type: boolean name: type: string Security_Entity_Analytics_API_MonitoringEngineDescriptor: type: object properties: status: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' required: - type - status Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem: type: object properties: index: nullable: true type: integer message: type: string username: nullable: true type: string required: - message - index - username Security_Entity_Analytics_API_PrivmonUserCsvUploadStats: type: object properties: failed: type: integer successful: type: integer total: type: integer required: - successful - failed - total Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: type: object properties: full_error: type: string message: type: string required: - message - full_error Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: type: object properties: success: type: boolean Security_Entity_Analytics_API_RiskScoreInput: description: A generic representation of a document contributing to a Risk Score. type: object properties: category: description: The risk category of the risk input document. example: category_1 type: string contribution_score: format: double type: number description: description: A human-readable description of the risk input document. example: 'Generated from Detection Engine Rule: Malware Prevention Alert' type: string id: description: The unique identifier (`_id`) of the original source document example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c type: string index: description: The unique index (`_index`) of the original source document example: .internal.alerts-security.alerts-default-000001 type: string risk_score: description: The weighted risk score of the risk input document. format: double maximum: 100 minimum: 0 type: number timestamp: description: The @timestamp of the risk input document. example: '2017-07-21T17:32:28Z' type: string required: - id - index - description - category Security_Entity_Analytics_API_ServiceEntity: type: object properties: '@timestamp': format: date-time type: string asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality entity: type: object properties: EngineMetadata: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata' name: type: string source: type: string type: type: string required: - name - source - type event: type: object properties: ingested: format: date-time type: string service: type: object properties: name: type: string risk: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' required: - name required: - service - entity Security_Entity_Analytics_API_StoreStatus: enum: - not_installed - installing - running - stopped - error type: string Security_Entity_Analytics_API_TaskManagerUnavailableResponse: description: Task manager is unavailable type: object properties: message: type: string status_code: minimum: 400 type: integer required: - status_code - message Security_Entity_Analytics_API_TransformStatsMetadata: type: object properties: delete_time_in_ms: type: integer documents_deleted: type: integer documents_indexed: type: integer documents_processed: type: integer exponential_avg_checkpoint_duration_ms: type: integer exponential_avg_documents_indexed: type: integer exponential_avg_documents_processed: type: integer index_failures: type: integer index_time_in_ms: type: integer index_total: type: integer pages_processed: type: integer processing_time_in_ms: type: integer processing_total: type: integer search_failures: type: integer search_time_in_ms: type: integer search_total: type: integer trigger_count: type: integer required: - pages_processed - documents_processed - documents_indexed - trigger_count - index_time_in_ms - index_total - index_failures - search_time_in_ms - search_total - search_failures - processing_time_in_ms - processing_total - exponential_avg_checkpoint_duration_ms - exponential_avg_documents_indexed - exponential_avg_documents_processed Security_Entity_Analytics_API_UserEntity: type: object properties: '@timestamp': format: date-time type: string asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality entity: type: object properties: EngineMetadata: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata' name: type: string source: type: string type: type: string required: - name - source - type event: type: object properties: ingested: format: date-time type: string user: type: object properties: domain: items: type: string type: array email: items: type: string type: array full_name: items: type: string type: array hash: items: type: string type: array id: items: type: string type: array name: type: string risk: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' roles: items: type: string type: array required: - name required: - user - entity Security_Entity_Analytics_API_UserName: type: object properties: user: type: object properties: name: description: The name of the user. type: string Security_Exceptions_API_CreateExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - comment Security_Exceptions_API_CreateExceptionListItemCommentArray: items: $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment' type: array Security_Exceptions_API_CreateRuleExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - comment Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: items: $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment' type: array Security_Exceptions_API_CreateRuleExceptionListItemProps: type: object properties: comments: $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: format: date-time type: string item_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' default: [] type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - type - name - description - entries Security_Exceptions_API_ExceptionList: type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: description: Autogenerated value - user that created object. type: string description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' immutable: type: boolean list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. type: string version: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' required: - id - list_id - type - name - description - immutable - namespace_type - version - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Exceptions_API_ExceptionListDescription: description: Describes the exception list. example: This list tracks allowlisted values. type: string Security_Exceptions_API_ExceptionListHumanId: description: Exception list's human readable string identifier, e.g. `trusted-linux-processes`. example: simple_list format: nonempty minLength: 1 type: string Security_Exceptions_API_ExceptionListId: description: Exception list's identifier. example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 format: nonempty minLength: 1 type: string Security_Exceptions_API_ExceptionListItem: type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version. type: string comments: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: description: Autogenerated value - user that created object. type: string description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' item_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. type: string required: - id - item_id - list_id - type - name - description - entries - namespace_type - comments - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Exceptions_API_ExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' id: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - id - comment - created_at - created_by Security_Exceptions_API_ExceptionListItemCommentArray: description: | Array of comment fields: - comment (string): Comments about the exception item. items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' type: array Security_Exceptions_API_ExceptionListItemDescription: description: Describes the exception list. type: string Security_Exceptions_API_ExceptionListItemEntry: anyOf: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Exceptions_API_ExceptionListItemEntryArray: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' type: array Security_Exceptions_API_ExceptionListItemEntryExists: type: object properties: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists type: string required: - type - field - operator Security_Exceptions_API_ExceptionListItemEntryList: type: object properties: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' list: type: object properties: id: $ref: '#/components/schemas/Security_Exceptions_API_ListId' type: $ref: '#/components/schemas/Security_Exceptions_API_ListType' required: - id - type operator: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list type: string required: - type - field - list - operator Security_Exceptions_API_ExceptionListItemEntryMatch: type: object properties: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match type: string value: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - type - field - value - operator Security_Exceptions_API_ExceptionListItemEntryMatchAny: type: object properties: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any type: string value: items: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' minItems: 1 type: array required: - type - field - value - operator Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: type: object properties: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard type: string value: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - type - field - value - operator Security_Exceptions_API_ExceptionListItemEntryNested: type: object properties: entries: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' type: enum: - nested type: string required: - type - field - entries Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' Security_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Exceptions_API_ExceptionListItemExpireTime: description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Exceptions_API_ExceptionListItemHumanId: description: Human readable string identifier, e.g. `trusted-linux-processes` example: simple_list_item format: nonempty minLength: 1 type: string Security_Exceptions_API_ExceptionListItemId: description: Exception's identifier. example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 format: nonempty minLength: 1 type: string Security_Exceptions_API_ExceptionListItemMeta: additionalProperties: true type: object Security_Exceptions_API_ExceptionListItemName: description: Exception list name. format: nonempty minLength: 1 type: string Security_Exceptions_API_ExceptionListItemOsTypeArray: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' type: array Security_Exceptions_API_ExceptionListItemTags: items: description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string type: array Security_Exceptions_API_ExceptionListItemType: enum: - simple type: string Security_Exceptions_API_ExceptionListMeta: additionalProperties: true description: Placeholder for metadata about the list container. type: object Security_Exceptions_API_ExceptionListName: description: The name of the exception list. example: My exception list type: string Security_Exceptions_API_ExceptionListOsType: description: Use this field to specify the operating system. enum: - linux - macos - windows type: string Security_Exceptions_API_ExceptionListOsTypeArray: description: Use this field to specify the operating system. Only enter one value. items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' type: array Security_Exceptions_API_ExceptionListsImportBulkError: type: object properties: error: type: object properties: message: type: string status_code: type: integer required: - status_code - message id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' item_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' required: - error Security_Exceptions_API_ExceptionListsImportBulkErrorArray: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError' type: array Security_Exceptions_API_ExceptionListTags: description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Exceptions_API_ExceptionListType: description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default - endpoint - endpoint_trusted_apps - endpoint_events - endpoint_host_isolation_exceptions - endpoint_blocklists type: string Security_Exceptions_API_ExceptionListVersion: description: The document version, automatically increasd on updates. minimum: 1 type: integer Security_Exceptions_API_ExceptionNamespaceType: description: | Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - `single`: Only available in the Kibana space in which it is created. - `agnostic`: Available in all Kibana spaces. enum: - agnostic - single type: string Security_Exceptions_API_FindExceptionListItemsFilter: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' Security_Exceptions_API_FindExceptionListsFilter: example: exception-list.attributes.name:%Detection%20List type: string Security_Exceptions_API_ListId: description: Value list's identifier. example: 21b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string Security_Exceptions_API_ListType: description: | Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - `ip`: IP addresses - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean - byte - date - date_nanos - date_range - double - double_range - float - float_range - geo_point - geo_shape - half_float - integer - integer_range - ip - ip_range - keyword - long - long_range - shape - short - text type: string Security_Exceptions_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty minLength: 1 type: string Security_Exceptions_API_PlatformErrorResponse: type: object properties: error: type: string message: type: string statusCode: type: integer required: - statusCode - error - message Security_Exceptions_API_RuleId: $ref: '#/components/schemas/Security_Exceptions_API_UUID' Security_Exceptions_API_SiemErrorResponse: type: object properties: message: type: string status_code: type: integer required: - status_code - message Security_Exceptions_API_UpdateExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' id: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - comment Security_Exceptions_API_UpdateExceptionListItemCommentArray: items: $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment' type: array Security_Exceptions_API_UUID: description: A universally unique identifier format: uuid type: string Security_Lists_API_FindListItemsCursor: description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly. example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d format: nonempty minLength: 1 type: string Security_Lists_API_FindListItemsFilter: example: value:127.0.0.1 type: string Security_Lists_API_FindListsCursor: example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d format: nonempty minLength: 1 type: string Security_Lists_API_FindListsFilter: example: value:127.0.0.1 type: string Security_Lists_API_List: type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' '@timestamp': example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_at: description: Autogenerated date of object creation. example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: description: Autogenerated value - user that created object. example: elastic type: string description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' deserializer: $ref: '#/components/schemas/Security_Lists_API_ListDeserializer' id: $ref: '#/components/schemas/Security_Lists_API_ListId' immutable: type: boolean meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' serializer: $ref: '#/components/schemas/Security_Lists_API_ListSerializer' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string type: $ref: '#/components/schemas/Security_Lists_API_ListType' updated_at: description: Autogenerated date of last object update. example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. example: elastic type: string version: $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - id - type - name - description - immutable - version - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Lists_API_ListDescription: description: Describes the value list. format: nonempty minLength: 1 type: string Security_Lists_API_ListDeserializer: description: | Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions: - `{{{value}}}` - Single value item types, such as `ip`, `long`, `date`, `keyword`, and `text`. - `{{{gte}}}-{{{lte}}}` - Range value item types, such as `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`. - `{{{gte}}},{{{lte}}}` - Date range values. example: '{{value}}' type: string Security_Lists_API_ListId: description: Value list's identifier. example: 21b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string Security_Lists_API_ListItem: type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' '@timestamp': example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_at: description: Autogenerated date of object creation. example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: description: Autogenerated value - user that created object. example: elastic type: string deserializer: $ref: '#/components/schemas/Security_Lists_API_ListDeserializer' id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' list_id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' serializer: $ref: '#/components/schemas/Security_Lists_API_ListSerializer' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string type: $ref: '#/components/schemas/Security_Lists_API_ListType' updated_at: description: Autogenerated date of last object update. example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. example: elastic type: string value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id - type - list_id - value - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Lists_API_ListItemId: description: Value list item's identifier. example: 54b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string Security_Lists_API_ListItemMetadata: additionalProperties: true description: Placeholder for metadata about the value list item. type: object Security_Lists_API_ListItemPrivileges: type: object properties: application: additionalProperties: type: boolean type: object cluster: additionalProperties: type: boolean type: object has_all_requested: type: boolean index: additionalProperties: additionalProperties: type: boolean type: object type: object username: type: string required: - username - has_all_requested - cluster - index - application Security_Lists_API_ListItemValue: description: The value used to evaluate exceptions. format: nonempty minLength: 1 type: string Security_Lists_API_ListMetadata: additionalProperties: true description: Placeholder for metadata about the value list. type: object Security_Lists_API_ListName: description: Value list's name. example: List of bad IPs format: nonempty minLength: 1 type: string Security_Lists_API_ListPrivileges: type: object properties: application: additionalProperties: type: boolean type: object cluster: additionalProperties: type: boolean type: object has_all_requested: type: boolean index: additionalProperties: additionalProperties: type: boolean type: object type: object username: type: string required: - username - has_all_requested - cluster - index - application Security_Lists_API_ListSerializer: description: | Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups: - `(?.+)` - Single value item types, such as ip, long, date, keyword, and text. - `(?.+)-(?.+)|(?.+)` - Range value item types, such as `date_range`, `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`. example: (?((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)) type: string Security_Lists_API_ListType: description: | Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - `ip`: IP addresses - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean - byte - date - date_nanos - date_range - double - double_range - float - float_range - geo_point - geo_shape - half_float - integer - integer_range - ip - ip_range - keyword - long - long_range - shape - short - text type: string Security_Lists_API_ListVersion: description: The document version number. example: 1 minimum: 1 type: integer Security_Lists_API_ListVersionId: description: | The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version. example: WzIsMV0= type: string Security_Lists_API_PlatformErrorResponse: type: object properties: error: type: string message: type: string statusCode: type: integer required: - statusCode - error - message Security_Lists_API_SiemErrorResponse: type: object properties: message: type: string status_code: type: integer required: - status_code - message Security_Osquery_API_ArrayQueries: description: An array of queries to run. items: $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' type: array Security_Osquery_API_ArrayQueriesItem: type: object properties: ecs_mapping: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_QueryId' platform: $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' snapshot: $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' version: $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' Security_Osquery_API_CreateLiveQueryRequestBody: example: agent_all: true ecs_mapping: host.uptime: field: total_seconds query: select * from uptime; type: object properties: agent_all: description: When `true`, the query runs on all agents. type: boolean agent_ids: description: A list of agent IDs to run the query on. items: type: string type: array agent_platforms: description: A list of agent platforms to run the query on. items: type: string type: array agent_policy_ids: description: A list of agent policy IDs to run the query on. items: type: string type: array alert_ids: description: A list of alert IDs associated with the live query. items: type: string type: array case_ids: description: A list of case IDs associated with the live query. items: type: string type: array ecs_mapping: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' event_ids: description: A list of event IDs associated with the live query. items: type: string type: array metadata: description: Custom metadata object associated with the live query. nullable: true type: object pack_id: $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' queries: $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' query: $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' saved_query_id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' Security_Osquery_API_CreateLiveQueryResponse: example: data: '@timestamp': '2022-07-26T09:59:32.220Z' action_id: 3c42c847-eb30-4452-80e0-728584042334 agent_all: true agent_ids: [] agent_platforms: [] agent_policy_ids: [] agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 expiration: '2022-07-26T10:04:32.220Z' input_type: osquery metadata: execution_context: name: osquery url: /app/osquery/live_queries/new queries: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 ecs_mapping: host.uptime: field: total_seconds id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 query: select * from uptime; timeout: 120 type: INPUT_ACTION user_id: elastic type: object properties: {} Security_Osquery_API_CreatePacksRequestBody: example: description: My pack enabled: true name: my_pack policy_ids: - my_policy_id - fleet-server-policy queries: my_query: ecs_mapping: client.port: field: port tags: value: - tag1 - tag2 interval: 60 query: SELECT * FROM listening_ports; timeout: 120 shards: fleet-server-policy: 58 my_policy_id: 35 type: object properties: description: $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' enabled: $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: $ref: '#/components/schemas/Security_Osquery_API_Shards' Security_Osquery_API_CreatePacksResponse: example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: My pack enabled: true name: my_pack queries: ports: ecs_mapping: client.port: field: port interval: 60 query: SELECT * FROM listening_ports; removed: false snapshot: true timeout: 120 saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 shards: - key: 47638692-7c4c-4053-aa3e-7186f28df349 value: 35 - key: 5e267651-fe50-443e-8d3f-3bbc9171b618 value: 58 updated_at: '2025-02-26T13:37:30.452Z' updated_by: elastic type: object properties: {} Security_Osquery_API_CreateSavedQueryRequestBody: example: description: Saved query description ecs_mapping: host.uptime: field: total_seconds id: saved_query_id interval: '60' platform: linux,darwin query: select * from uptime; timeout: 120 version: 2.8.0 type: object properties: description: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined' ecs_mapping: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: $ref: '#/components/schemas/Security_Osquery_API_Interval' platform: $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' removed: $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' snapshot: $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' version: $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' Security_Osquery_API_CreateSavedQueryResponse: example: data: {} type: object properties: {} Security_Osquery_API_DefaultSuccessResponse: type: object properties: {} Security_Osquery_API_ECSMapping: additionalProperties: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields example: host.uptime: field: total_seconds type: object Security_Osquery_API_ECSMappingItem: type: object properties: field: description: The ECS field to map to. example: host.uptime type: string value: description: The value to map to the ECS field. example: total_seconds oneOf: - type: string - items: type: string type: array Security_Osquery_API_ECSMappingOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' nullable: true Security_Osquery_API_Enabled: description: Enables the pack. example: true type: boolean Security_Osquery_API_EnabledOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Enabled' nullable: true Security_Osquery_API_FindLiveQueryDetailsResponse: example: data: '@timestamp': '2022-07-26T09:59:32.220Z' action_id: 3c42c847-eb30-4452-80e0-728584042334 agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 expiration: '2022-07-26T10:04:32.220Z' queries: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 docs: 0 ecs_mapping: host.uptime: field: total_seconds failed: 1 id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 pending: 0 query: select * from uptime; responded: 1 saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d status: completed successful: 0 status: completed user_id: elastic type: object properties: {} Security_Osquery_API_FindLiveQueryResponse: example: data: items: - fields: '@timestamp': '2023-10-31T00:00:00Z' action_id: 3c42c847-eb30-4452-80e0-728584042334 agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 expiration: '2023-10-31T00:00:00Z' queries: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 ecs_mapping: host.uptime: field: total_seconds id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 query: select * from uptime; saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d user_id: elastic type: object properties: {} Security_Osquery_API_FindPackResponse: example: data: created_at: '2022-07-25T19:41:10.263Z' created_by: elastic description: '' enabled: true id: 3c42c847-eb30-4452-80e0-728584042334 name: test_pack namespaces: - default policy_ids: [] queries: uptime: ecs_mapping: message: field: days interval: 3600 query: select * from uptime read_only: false type: osquery-pack updated_at: '2022-07-25T20:12:01.455Z' updated_by: elastic type: object properties: {} Security_Osquery_API_FindPacksResponse: example: data: - attributes: created_at: '2023-10-31T00:00:00Z' created_by: elastic description: My pack description enabled: true name: My Pack queries: - ecs_mapping: - host.uptime: field: total_seconds id: uptime interval: '3600' query: select * from uptime; updated_at: '2023-10-31T00:00:00Z' updated_by: elastic id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d namespaces: - default type: osquery-pack page: 1 pageSize: 10 policy_ids: [] total: 1 type: object properties: {} Security_Osquery_API_FindSavedQueryDetailResponse: example: data: attributes: created_at: '2022-07-26T09:28:08.597Z' created_by: elastic description: Saved query description ecs_mapping: host.uptime: field: total_seconds id: saved_query_id interval: '60' platform: linux,darwin prebuilt: false query: select * from uptime; updated_at: '2022-07-26T09:28:08.597Z' updated_by: elastic version: 2.8.0 coreMigrationVersion: 8.4.0 id: 3c42c847-eb30-4452-80e0-728584042334 namespaces: - default references: [] type: osquery-saved-query updated_at: '2022-07-26T09:28:08.600Z' version: WzQzMTcsMV0= type: object properties: {} Security_Osquery_API_FindSavedQueryResponse: example: data: - attributes: created_at: '2022-07-26T09:28:08.597Z' created_by: elastic description: Saved query description ecs_mapping: host.uptime: field: total_seconds id: saved_query_id interval: '60' platform: linux,darwin prebuilt: false query: select * from uptime; updated_at: '2022-07-26T09:28:08.597Z' updated_by: elastic version: 2.8.0 id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d namespaces: - default type: osquery-saved-query page: 1 per_page: 100 total: 11 type: object properties: {} Security_Osquery_API_GetLiveQueryResultsResponse: description: The response for getting live query results. example: data: edges: - {} - {} total: 2 type: object properties: {} Security_Osquery_API_Interval: description: An interval, in seconds, on which to run the query. example: '60' type: string Security_Osquery_API_IntervalOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Interval' nullable: true Security_Osquery_API_KueryOrUndefined: description: The kuery to filter the results by. example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' nullable: true type: string Security_Osquery_API_ObjectQueries: additionalProperties: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' description: An object of queries. type: object Security_Osquery_API_ObjectQueriesItem: type: object properties: ecs_mapping: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_QueryId' platform: $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' saved_query_id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' snapshot: $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' version: $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' Security_Osquery_API_PackDescription: description: The pack description. example: Pack description type: string Security_Osquery_API_PackDescriptionOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_PackDescription' nullable: true Security_Osquery_API_PackId: description: The ID of the pack you want to run, retrieve, update, or delete. example: 3c42c847-eb30-4452-80e0-728584042334 type: string Security_Osquery_API_PackIdOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_PackId' nullable: true Security_Osquery_API_PackName: description: The pack name. type: string Security_Osquery_API_PageOrUndefined: description: The page number to return. The default is 1. example: 1 nullable: true type: integer Security_Osquery_API_PageSizeOrUndefined: description: The number of results to return per page. The default is 20. example: 20 nullable: true type: integer Security_Osquery_API_Platform: description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`. example: linux,darwin type: string Security_Osquery_API_PlatformOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Platform' nullable: true Security_Osquery_API_PolicyIds: description: A list of agents policy IDs. example: - policyId1 - policyId2 items: type: string type: array Security_Osquery_API_PolicyIdsOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' nullable: true Security_Osquery_API_Query: description: The SQL query you want to run. example: select * from uptime; type: string Security_Osquery_API_QueryId: description: The ID of the query. example: 3c42c847-eb30-4452-80e0-728584042334 type: string Security_Osquery_API_QueryOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Query' nullable: true Security_Osquery_API_Removed: description: Indicates whether the query is removed. example: false type: boolean Security_Osquery_API_RemovedOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Removed' nullable: true Security_Osquery_API_SavedQueryDescription: description: The saved query description. example: Saved query description type: string Security_Osquery_API_SavedQueryDescriptionOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' nullable: true Security_Osquery_API_SavedQueryId: description: The ID of a saved query. example: 3c42c847-eb30-4452-80e0-728584042334 type: string Security_Osquery_API_SavedQueryIdOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' nullable: true Security_Osquery_API_Shards: additionalProperties: type: number description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts. example: policy_id: 50 type: object Security_Osquery_API_Snapshot: description: Indicates whether the query is a snapshot. example: true type: boolean Security_Osquery_API_SnapshotOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Snapshot' nullable: true Security_Osquery_API_SortOrderOrUndefined: description: Specifies the sort order. enum: - asc - desc example: desc type: string Security_Osquery_API_SortOrUndefined: default: createdAt description: The field that is used to sort the results. example: createdAt nullable: true type: string Security_Osquery_API_UpdatePacksRequestBody: example: name: updated_my_pack_name type: object properties: description: $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' enabled: $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: $ref: '#/components/schemas/Security_Osquery_API_Shards' Security_Osquery_API_UpdatePacksResponse: example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: My pack enabled: true name: updated_my_pack_name queries: ports: ecs_mapping: client.port: field: port interval: 60 query: SELECT * FROM listening_ports; removed: false snapshot: true timeout: 120 saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 shards: - key: 47638692-7c4c-4053-aa3e-7186f28df349 value: 35 - key: 5e267651-fe50-443e-8d3f-3bbc9171b618 value: 58 updated_at: '2025-02-26T13:40:16.297Z' updated_by: elastic type: object properties: {} Security_Osquery_API_UpdateSavedQueryRequestBody: example: id: updated_my_saved_query_name type: object properties: description: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined' ecs_mapping: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' platform: $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' removed: $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' snapshot: $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' version: $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' Security_Osquery_API_UpdateSavedQueryResponse: example: data: {} type: object properties: {} Security_Osquery_API_Version: description: Uses the Osquery versions greater than or equal to the specified version string. example: 1.0.0 type: string Security_Osquery_API_VersionOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Version' nullable: true Security_Timeline_API_AssociatedFilterType: description: Filter notes based on their association with a document or saved object. enum: - all - document_only - saved_object_only - document_and_saved_object - orphan type: string Security_Timeline_API_BareNote: allOf: - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata' - type: object properties: eventId: description: The `_id` of the associated event for this note. example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc nullable: true type: string note: description: The text of the note example: This is an example text nullable: true type: string timelineId: description: The `savedObjectId` of the Timeline that this note is associated with example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: - timelineId Security_Timeline_API_BarePinnedEvent: allOf: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata' - type: object properties: eventId: description: The `_id` of the associated event for this pinned event. example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc type: string timelineId: description: The `savedObjectId` of the timeline that this pinned event is associated with example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: - eventId - timelineId Security_Timeline_API_ColumnHeaderResult: type: object properties: aggregatable: nullable: true type: boolean category: nullable: true type: string columnHeaderType: nullable: true type: string description: nullable: true type: string example: nullable: true type: string id: nullable: true type: string indexes: items: type: string nullable: true type: array name: nullable: true type: string placeholder: nullable: true type: string searchable: nullable: true type: boolean type: nullable: true type: string Security_Timeline_API_DataProviderQueryMatch: type: object properties: enabled: nullable: true type: boolean excluded: nullable: true type: boolean id: nullable: true type: string kqlQuery: nullable: true type: string name: nullable: true type: string queryMatch: $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' nullable: true type: $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' nullable: true Security_Timeline_API_DataProviderResult: type: object properties: and: items: $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' nullable: true type: array enabled: nullable: true type: boolean excluded: nullable: true type: boolean id: nullable: true type: string kqlQuery: nullable: true type: string name: nullable: true type: string queryMatch: $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' nullable: true type: $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' nullable: true Security_Timeline_API_DataProviderType: description: The type of data provider. enum: - default - template type: string Security_Timeline_API_DocumentIds: oneOf: - items: type: string type: array - type: string Security_Timeline_API_FavoriteTimelineResponse: type: object properties: favorite: items: $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' type: array savedObjectId: type: string templateTimelineId: nullable: true type: string templateTimelineVersion: nullable: true type: number timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' version: type: string required: - savedObjectId - version Security_Timeline_API_FavoriteTimelineResult: description: Indicates when and who marked a Timeline as a favorite. example: favoriteDate: 1741337636741 userName: elastic type: object properties: favoriteDate: nullable: true type: number fullName: nullable: true type: string userName: nullable: true type: string Security_Timeline_API_FilterTimelineResult: example: meta: alias: Custom filter name disabled: false index: .alerts-security.alerts-default,logs-* key: '@timestamp' negate: false, type: exists value: exists query: '{"exists":{"field":"@timestamp"}}' type: object properties: exists: nullable: true type: string match_all: nullable: true type: string meta: nullable: true type: object properties: alias: nullable: true type: string controlledBy: nullable: true type: string disabled: nullable: true type: boolean field: nullable: true type: string formattedValue: nullable: true type: string index: nullable: true type: string key: nullable: true type: string negate: nullable: true type: boolean params: nullable: true type: string type: nullable: true type: string value: nullable: true type: string missing: nullable: true type: string query: nullable: true type: string range: nullable: true type: string script: nullable: true type: string Security_Timeline_API_GetNotesResult: type: object properties: notes: items: $ref: '#/components/schemas/Security_Timeline_API_Note' type: array totalCount: type: number required: - totalCount - notes Security_Timeline_API_ImportTimelineResult: type: object properties: errors: description: The list of failed Timeline imports items: type: object properties: error: description: The error containing the reason why the timeline could not be imported type: object properties: message: description: The reason why the timeline could not be imported example: Malformed JSON type: string status_code: description: The HTTP status code of the error example: 400 type: number id: description: The ID of the timeline that failed to import example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 type: string type: array success: description: Indicates whether any of the Timelines were successfully imports type: boolean success_count: description: The amount of successfully imported/updated Timelines example: 99 type: number timelines_installed: description: The amount of successfully installed Timelines example: 80 type: number timelines_updated: description: The amount of successfully updated Timelines example: 19 type: number Security_Timeline_API_ImportTimelines: allOf: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - type: object properties: eventNotes: items: $ref: '#/components/schemas/Security_Timeline_API_BareNote' nullable: true type: array globalNotes: items: $ref: '#/components/schemas/Security_Timeline_API_BareNote' nullable: true type: array pinnedEventIds: items: type: string nullable: true type: array savedObjectId: nullable: true type: string version: nullable: true type: string required: - savedObjectId - version - pinnedEventIds - eventNotes - globalNotes Security_Timeline_API_Note: allOf: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - type: object properties: noteId: description: The `savedObjectId` of the note example: 709f99c6-89b6-4953-9160-35945c8e174e type: string version: description: The version of the note example: WzQ2LDFd type: string required: - noteId - version Security_Timeline_API_NoteCreatedAndUpdatedMetadata: type: object properties: created: description: The time the note was created, using a 13-digit Epoch timestamp. example: 1587468588922 nullable: true type: number createdBy: description: The user who created the note. example: casetester nullable: true type: string updated: description: The last time the note was updated, using a 13-digit Epoch timestamp example: 1741344876825 nullable: true type: number updatedBy: description: The user who last updated the note example: casetester nullable: true type: string Security_Timeline_API_PersistPinnedEventResponse: oneOf: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - type: object properties: unpinned: description: Indicates whether the event was successfully unpinned type: boolean required: - unpinned Security_Timeline_API_PersistTimelineResponse: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' Security_Timeline_API_PinnedEvent: allOf: - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - type: object properties: pinnedEventId: description: The `savedObjectId` of this pinned event example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 type: string version: description: The version of this pinned event example: WzQ2LDFe type: string required: - pinnedEventId - version Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: type: object properties: created: description: The time the pinned event was created, using a 13-digit Epoch timestamp. example: 1587468588922 nullable: true type: number createdBy: description: The user who created the pinned event. example: casetester nullable: true type: string updated: description: The last time the pinned event was updated, using a 13-digit Epoch timestamp example: 1741344876825 nullable: true type: number updatedBy: description: The user who last updated the pinned event example: casetester nullable: true type: string Security_Timeline_API_QueryMatchResult: type: object properties: displayField: nullable: true type: string displayValue: nullable: true type: string field: nullable: true type: string operator: nullable: true type: string value: oneOf: - nullable: true type: string - items: type: string nullable: true type: array Security_Timeline_API_ResolvedTimeline: type: object properties: alias_purpose: $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose' alias_target_id: type: string outcome: $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' timeline: $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' required: - timeline - outcome Security_Timeline_API_ResponseNote: type: object properties: note: $ref: '#/components/schemas/Security_Timeline_API_Note' required: - note Security_Timeline_API_RowRendererId: description: Identifies the available row renderers enum: - alert - alerts - auditd - auditd_file - library - netflow - plain - registry - suricata - system - system_dns - system_endgame_process - system_file - system_fim - system_security_event - system_socket - threat_match - zeek type: string Security_Timeline_API_SavedObjectIds: oneOf: - items: type: string type: array - type: string Security_Timeline_API_SavedObjectResolveAliasPurpose: enum: - savedObjectConversion - savedObjectImport type: string Security_Timeline_API_SavedObjectResolveOutcome: enum: - exactMatch - aliasMatch - conflict type: string Security_Timeline_API_SavedTimeline: type: object properties: columns: description: The Timeline's columns example: - columnHeaderType: not-filtered id: '@timestamp' - columnHeaderType: not-filtered id: event.category items: $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' nullable: true type: array created: description: The time the Timeline was created, using a 13-digit Epoch timestamp. example: 1587468588922 nullable: true type: number createdBy: description: The user who created the Timeline. example: casetester nullable: true type: string dataProviders: description: Object containing query clauses example: - enabled: true excluded: false id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b queryMatch: field: _id, operator: ':' value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, items: $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' nullable: true type: array dataViewId: description: ID of the Timeline's Data View example: security-solution-default nullable: true type: string dateRange: description: The Timeline's search period. example: end: 1587456479201 start: 1587370079200 nullable: true type: object properties: end: oneOf: - nullable: true type: string - nullable: true type: number start: oneOf: - nullable: true type: string - nullable: true type: number description: description: The Timeline's description example: Investigating exposure of CVE XYZ nullable: true type: string eqlOptions: description: EQL query that is used in the correlation tab example: eventCategoryField: event.category query: sequence\n[process where process.name == "sudo"]\n[any where true] size: 100 timestampField: '@timestamp' nullable: true type: object properties: eventCategoryField: nullable: true type: string query: nullable: true type: string size: oneOf: - nullable: true type: string - nullable: true type: number tiebreakerField: nullable: true type: string timestampField: nullable: true type: string eventType: deprecated: true description: Event types displayed in the Timeline example: all nullable: true type: string excludedRowRendererIds: description: A list of row renderers that should not be used when in `Event renderers` mode items: $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' nullable: true type: array favorite: items: $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' nullable: true type: array filters: description: A list of filters that should be applied to the query items: $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' nullable: true type: array indexNames: description: A list of index names to use in the query (e.g. when the default data view has been modified) example: - .logs* items: type: string nullable: true type: array kqlMode: description: |- Indicates whether the KQL bar filters the query results or searches for additional results, where: * `filter`: filters query results * `search`: displays additional search results example: search nullable: true type: string kqlQuery: $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult' nullable: true savedQueryId: description: The ID of the saved query that might be used in the Query tab example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e nullable: true type: string savedSearchId: description: The ID of the saved search that is used in the ES|QL tab example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string sort: $ref: '#/components/schemas/Security_Timeline_API_Sort' nullable: true status: $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' nullable: true templateTimelineId: description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`. example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string templateTimelineVersion: description: Timeline template version number. For Timelines, the value is `null`. example: 12 nullable: true type: number timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true title: description: The Timeline's title. example: CVE XYZ investigation nullable: true type: string updated: description: The last time the Timeline was updated, using a 13-digit Epoch timestamp example: 1741344876825 nullable: true type: number updatedBy: description: The user who last updated the Timeline example: casetester nullable: true type: string Security_Timeline_API_SavedTimelineWithSavedObjectId: allOf: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - type: object properties: savedObjectId: description: The `savedObjectId` of the Timeline or Timeline template example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string version: description: The version of the Timeline or Timeline template example: WzE0LDFd type: string required: - savedObjectId - version Security_Timeline_API_SerializedFilterQueryResult: description: KQL bar query. example: filterQuery: null kuery: expression: '_id : *' kind: kuery serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}' type: object properties: filterQuery: nullable: true type: object properties: kuery: nullable: true type: object properties: expression: nullable: true type: string kind: nullable: true type: string serializedQuery: nullable: true type: string Security_Timeline_API_Sort: oneOf: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - items: $ref: '#/components/schemas/Security_Timeline_API_SortObject' type: array Security_Timeline_API_SortFieldTimeline: description: The field to sort the timelines by. enum: - title - description - updated - created type: string Security_Timeline_API_SortObject: description: Object indicating how rows are sorted in the Timeline's grid example: columnId: '@timestamp' sortDirection: desc type: object properties: columnId: nullable: true type: string columnType: nullable: true type: string sortDirection: nullable: true type: string Security_Timeline_API_TimelineResponse: allOf: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId' - type: object properties: eventIdToNoteIds: description: A list of all the notes that are associated to this Timeline. items: $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true type: array noteIds: description: A list of all the ids of notes that are associated to this Timeline. example: - 709f99c6-89b6-4953-9160-35945c8e174e items: type: string nullable: true type: array notes: description: A list of all the notes that are associated to this Timeline. items: $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true type: array pinnedEventIds: description: A list of all the ids of pinned events that are associated to this Timeline. example: - 983f99c6-89b6-4953-9160-35945c8a194f items: type: string nullable: true type: array pinnedEventsSaveObject: description: A list of all the pinned events that are associated to this Timeline. items: $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' nullable: true type: array Security_Timeline_API_TimelineSavedToReturnObject: allOf: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - type: object properties: eventIdToNoteIds: items: $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true type: array noteIds: items: type: string nullable: true type: array notes: items: $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true type: array pinnedEventIds: items: type: string nullable: true type: array pinnedEventsSaveObject: items: $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' nullable: true type: array savedObjectId: type: string version: type: string required: - savedObjectId - version Security_Timeline_API_TimelineStatus: description: The status of the Timeline. enum: - active - draft - immutable type: string Security_Timeline_API_TimelineType: description: The type of Timeline. enum: - default - template type: string Short_URL_APIs_urlResponse: type: object properties: accessCount: type: integer accessDate: type: string createDate: type: string id: description: The identifier for the short URL. type: string locator: type: object properties: id: description: The identifier for the locator. type: string state: description: The locator parameters. type: object version: description: The version of Kibana when the short URL was created. type: string slug: description: | A random human-readable slug is automatically generated if the `humanReadableSlug` parameter is set to `true`. If it is set to `false`, a random short string is generated. type: string SLOs_400_response: title: Bad request type: object properties: error: example: Bad Request type: string message: example: 'Invalid value ''foo'' supplied to: [...]' type: string statusCode: example: 400 type: number required: - statusCode - error - message SLOs_401_response: title: Unauthorized type: object properties: error: example: Unauthorized type: string message: example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" type: string statusCode: example: 401 type: number required: - statusCode - error - message SLOs_403_response: title: Unauthorized type: object properties: error: example: Unauthorized type: string message: example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" type: string statusCode: example: 403 type: number required: - statusCode - error - message SLOs_404_response: title: Not found type: object properties: error: example: Not Found type: string message: example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found type: string statusCode: example: 404 type: number required: - statusCode - error - message SLOs_409_response: title: Conflict type: object properties: error: example: Conflict type: string message: example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists type: string statusCode: example: 409 type: number required: - statusCode - error - message SLOs_budgeting_method: description: The budgeting method to use when computing the rollup data. enum: - occurrences - timeslices example: occurrences title: Budgeting method type: string SLOs_bulk_delete_request: description: | The bulk delete SLO request takes a list of SLOs Definition id to delete. properties: list: description: An array of SLO Definition id items: description: The SLO Definition id example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string type: array required: - list title: Bulk delete SLO request type: object SLOs_bulk_delete_response: description: | The bulk delete SLO response returns a taskId that can be used to poll for its status properties: taskId: description: The taskId of the bulk delete operation example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 type: string title: Bulk delete SLO response type: object SLOs_bulk_delete_status_response: description: Indicates if the bulk deletion is completed, with the detailed results of the operation. properties: error: description: The error message if the bulk deletion operation failed example: Task not found type: string isDone: description: Indicates if the bulk deletion operation is completed example: true type: boolean results: description: The results of the bulk deletion operation, including the success status and any errors for each SLO items: type: object properties: error: description: The error message if the deletion operation failed for this SLO example: SLO [d08506b7-f0e8-4f8b-a06a-a83940f4db91] not found type: string id: description: The ID of the SLO that was deleted example: d08506b7-f0e8-4f8b-a06a-a83940f4db91 type: string success: description: The result of the deletion operation for this SLO example: true type: boolean type: array title: The status of the bulk deletion type: object SLOs_bulk_purge_rollup_request: description: | The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated. properties: list: description: An array of slo ids items: description: The SLO Definition id example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string type: array purgePolicy: description: Policy that dictates which SLI documents to purge based on age oneOf: - type: object properties: age: description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided. example: 7d type: string purgeType: description: Specifies whether documents will be purged based on a specific age or on a timestamp enum: - fixed-age type: string - type: object properties: purgeType: description: Specifies whether documents will be purged based on a specific age or on a timestamp enum: - fixed-time type: string timestamp: description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided. example: '2024-12-31T00:00:00.000Z' type: string type: object required: - list - purgePolicy title: Bulk Purge Rollup data request type: object SLOs_bulk_purge_rollup_response: description: | The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response. properties: taskId: description: The task id of the purge operation example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string title: Bulk Purge Rollup data response type: object SLOs_create_slo_request: description: | The create SLO API request body varies depending on the type of indicator, time window and budgeting method. properties: budgetingMethod: $ref: '#/components/schemas/SLOs_budgeting_method' description: description: A description for the SLO. type: string groupBy: $ref: '#/components/schemas/SLOs_group_by' id: description: A optional and unique identifier for the SLO. Must be between 8 and 36 chars example: my-super-slo-id type: string indicator: oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' name: description: A name for the SLO. type: string objective: $ref: '#/components/schemas/SLOs_objective' settings: $ref: '#/components/schemas/SLOs_settings' tags: description: List of tags items: type: string type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' required: - name - description - indicator - timeWindow - budgetingMethod - objective title: Create SLO request type: object SLOs_create_slo_response: title: Create SLO response type: object properties: id: example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string required: - id SLOs_delete_slo_instances_request: description: | The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated. properties: list: description: An array of slo id and instance id items: type: object properties: instanceId: description: The SLO instance identifier example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string sloId: description: The SLO unique identifier example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string required: - sloId - instanceId type: array required: - list title: Delete SLO instances request type: object SLOs_error_budget: title: Error budget type: object properties: consumed: description: The error budget consummed, as a percentage of the initial value. example: 0.8 type: number initial: description: The initial error budget, as 1 - objective example: 0.02 type: number isEstimated: description: Only for SLO defined with occurrences budgeting method and calendar aligned time window. example: true type: boolean remaining: description: The error budget remaining, as a percentage of the initial value. example: 0.2 type: number required: - initial - consumed - remaining - isEstimated SLOs_filter: description: Defines properties for a filter properties: meta: $ref: '#/components/schemas/SLOs_filter_meta' query: type: object title: Filter type: object SLOs_filter_meta: description: Defines properties for a filter properties: alias: nullable: true type: string controlledBy: type: string disabled: type: boolean field: type: string group: type: string index: type: string isMultiIndex: type: boolean key: type: string negate: type: boolean params: type: object type: type: string value: type: string title: FilterMeta type: object SLOs_find_slo_definitions_response: description: | A paginated response of SLO definitions matching the query. oneOf: - type: object properties: page: example: 1 type: number perPage: example: 25 type: number results: items: $ref: '#/components/schemas/SLOs_slo_with_summary_response' type: array total: example: 34 type: number - type: object properties: page: default: 1 description: for backward compability type: number perPage: description: for backward compability example: 25 type: number results: items: $ref: '#/components/schemas/SLOs_slo_with_summary_response' type: array searchAfter: description: the cursor to provide to get the next paged results example: - some-slo-id - other-cursor-id items: type: string type: array size: example: 25 type: number total: example: 34 type: number title: Find SLO definitions response type: object SLOs_find_slo_response: description: | A paginated response of SLOs matching the query. properties: page: example: 1 type: number perPage: example: 25 type: number results: items: $ref: '#/components/schemas/SLOs_slo_with_summary_response' type: array searchAfter: type: string size: description: Size provided for cursor based pagination example: 25 type: number total: example: 34 type: number title: Find SLO response type: object SLOs_group_by: description: optional group by field or fields to use to generate an SLO per distinct value example: - - service.name - service.name - - service.name - service.environment oneOf: - type: string - items: type: string type: array title: Group by SLOs_indicator_properties_apm_availability: description: Defines properties for the APM availability indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: environment: description: The APM service environment or "*" example: production type: string filter: description: KQL query used for filtering the data example: 'service.foo : "bar"' type: string index: description: The index used by APM metrics example: metrics-apm*,apm* type: string service: description: The APM service name example: o11y-app type: string transactionName: description: The APM transaction name or "*" example: GET /my/api type: string transactionType: description: The APM transaction type or "*" example: request type: string required: - service - environment - transactionType - transactionName - index type: description: The type of indicator. example: sli.apm.transactionDuration type: string required: - type - params title: APM availability SLOs_indicator_properties_apm_latency: description: Defines properties for the APM latency indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: environment: description: The APM service environment or "*" example: production type: string filter: description: KQL query used for filtering the data example: 'service.foo : "bar"' type: string index: description: The index used by APM metrics example: metrics-apm*,apm* type: string service: description: The APM service name example: o11y-app type: string threshold: description: The latency threshold in milliseconds example: 250 type: number transactionName: description: The APM transaction name or "*" example: GET /my/api type: string transactionType: description: The APM transaction type or "*" example: request type: string required: - service - environment - transactionType - transactionName - index - threshold type: description: The type of indicator. example: sli.apm.transactionDuration type: string required: - type - params title: APM latency SLOs_indicator_properties_custom_kql: description: Defines properties for a custom query indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: dataViewId: description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string filter: $ref: '#/components/schemas/SLOs_kql_with_filters' good: $ref: '#/components/schemas/SLOs_kql_with_filters_good' index: description: The index or index pattern to use example: my-service-* type: string timestampField: description: | The timestamp field used in the source indice. example: timestamp type: string total: $ref: '#/components/schemas/SLOs_kql_with_filters_total' required: - index - timestampField - good - total type: description: The type of indicator. example: sli.kql.custom type: string required: - type - params title: Custom Query SLOs_indicator_properties_custom_metric: description: Defines properties for a custom metric indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: dataViewId: description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string filter: description: the KQL query to filter the documents with. example: 'field.environment : "production" and service.name : "my-service"' type: string good: description: | An object defining the "good" metrics and equation type: object properties: equation: description: The equation to calculate the "good" metric. example: A type: string metrics: description: List of metrics with their name, aggregation type, and field. items: oneOf: - type: object properties: aggregation: description: The aggregation type of the metric. enum: - sum example: sum type: string field: description: The field of the metric. example: processor.processed type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: *' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string required: - name - aggregation - field - type: object properties: aggregation: description: The aggregation type of the metric. enum: - doc_count example: doc_count type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: *' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string required: - name - aggregation type: array required: - metrics - equation index: description: The index or index pattern to use example: my-service-* type: string timestampField: description: | The timestamp field used in the source indice. example: timestamp type: string total: description: | An object defining the "total" metrics and equation type: object properties: equation: description: The equation to calculate the "total" metric. example: A type: string metrics: description: List of metrics with their name, aggregation type, and field. items: oneOf: - type: object properties: aggregation: description: The aggregation type of the metric. enum: - sum example: sum type: string field: description: The field of the metric. example: processor.processed type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: *' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string required: - name - aggregation - field - type: object properties: aggregation: description: The aggregation type of the metric. enum: - doc_count example: doc_count type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: *' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string required: - name - aggregation type: array required: - metrics - equation required: - index - timestampField - good - total type: description: The type of indicator. example: sli.metric.custom type: string required: - type - params title: Custom metric SLOs_indicator_properties_histogram: description: Defines properties for a histogram indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: dataViewId: description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string filter: description: the KQL query to filter the documents with. example: 'field.environment : "production" and service.name : "my-service"' type: string good: description: | An object defining the "good" events type: object properties: aggregation: description: The type of aggregation to use. enum: - value_count - range example: value_count type: string field: description: The field use to aggregate the good events. example: processor.latency type: string filter: description: The filter for good events. example: 'processor.outcome: "success"' type: string from: description: The starting value of the range. Only required for "range" aggregations. example: 0 type: number to: description: The ending value of the range. Only required for "range" aggregations. example: 100 type: number required: - aggregation - field index: description: The index or index pattern to use example: my-service-* type: string timestampField: description: | The timestamp field used in the source indice. example: timestamp type: string total: description: | An object defining the "total" events type: object properties: aggregation: description: The type of aggregation to use. enum: - value_count - range example: value_count type: string field: description: The field use to aggregate the good events. example: processor.latency type: string filter: description: The filter for total events. example: 'processor.outcome : *' type: string from: description: The starting value of the range. Only required for "range" aggregations. example: 0 type: number to: description: The ending value of the range. Only required for "range" aggregations. example: 100 type: number required: - aggregation - field required: - index - timestampField - good - total type: description: The type of indicator. example: sli.histogram.custom type: string required: - type - params title: Histogram indicator SLOs_indicator_properties_timeslice_metric: description: Defines properties for a timeslice metric indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: dataViewId: description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string filter: description: the KQL query to filter the documents with. example: 'field.environment : "production" and service.name : "my-service"' type: string index: description: The index or index pattern to use example: my-service-* type: string metric: description: | An object defining the metrics, equation, and threshold to determine if it's a good slice or not type: object properties: comparator: description: The comparator to use to compare the equation to the threshold. enum: - GT - GTE - LT - LTE example: GT type: string equation: description: The equation to calculate the metric. example: A type: string metrics: description: List of metrics with their name, aggregation type, and field. items: anyOf: - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' type: array threshold: description: The threshold used to determine if the metric is a good slice or not. example: 100 type: number required: - metrics - equation - comparator - threshold timestampField: description: | The timestamp field used in the source indice. example: timestamp type: string required: - index - timestampField - metric type: description: The type of indicator. example: sli.metric.timeslice type: string required: - type - params title: Timeslice metric SLOs_kql_with_filters: description: Defines properties for a filter oneOf: - description: the KQL query to filter the documents with. example: 'field.environment : "production" and service.name : "my-service"' type: string - type: object properties: filters: items: $ref: '#/components/schemas/SLOs_filter' type: array kqlQuery: type: string title: KQL with filters SLOs_kql_with_filters_good: description: The KQL query used to define the good events. oneOf: - description: the KQL query to filter the documents with. example: 'request.latency <= 150 and request.status_code : "2xx"' type: string - type: object properties: filters: items: $ref: '#/components/schemas/SLOs_filter' type: array kqlQuery: type: string title: KQL query for good events SLOs_kql_with_filters_total: description: The KQL query used to define all events. oneOf: - description: the KQL query to filter the documents with. example: 'field.environment : "production" and service.name : "my-service"' type: string - type: object properties: filters: items: $ref: '#/components/schemas/SLOs_filter' type: array kqlQuery: type: string title: KQL query for all events SLOs_objective: description: Defines properties for the SLO objective type: object properties: target: description: the target objective between 0 and 1 excluded example: 0.99 exclusiveMaximum: true exclusiveMinimum: true maximum: 100 minimum: 0 type: number timesliceTarget: description: the target objective for each slice when using a timeslices budgeting method example: 0.995 maximum: 100 minimum: 0 type: number timesliceWindow: description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit} example: 5m type: string required: - target title: Objective SLOs_settings: description: Defines properties for SLO settings. properties: frequency: default: 1m description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute. example: 5m type: string preventInitialBackfill: default: false description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window. example: true type: boolean syncDelay: default: 1m description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval. example: 5m type: string syncField: description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field. example: event.ingested type: string title: Settings type: object SLOs_slo_definition_response: title: SLO definition response type: object properties: budgetingMethod: $ref: '#/components/schemas/SLOs_budgeting_method' createdAt: description: The creation date example: '2023-01-12T10:03:19.000Z' type: string description: description: The description of the SLO. example: My SLO description type: string enabled: description: Indicate if the SLO is enabled example: true type: boolean groupBy: $ref: '#/components/schemas/SLOs_group_by' id: description: The identifier of the SLO. example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string indicator: discriminator: mapping: sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' propertyName: type oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' name: description: The name of the SLO. example: My Service SLO type: string objective: $ref: '#/components/schemas/SLOs_objective' revision: description: The SLO revision example: 2 type: number settings: $ref: '#/components/schemas/SLOs_settings' tags: description: List of tags items: type: string type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' updatedAt: description: The last update date example: '2023-01-12T10:03:19.000Z' type: string version: description: The internal SLO version example: 2 type: number required: - id - name - description - indicator - timeWindow - budgetingMethod - objective - settings - revision - enabled - groupBy - tags - createdAt - updatedAt - version SLOs_slo_with_summary_response: title: SLO response type: object properties: budgetingMethod: $ref: '#/components/schemas/SLOs_budgeting_method' createdAt: description: The creation date example: '2023-01-12T10:03:19.000Z' type: string description: description: The description of the SLO. example: My SLO description type: string enabled: description: Indicate if the SLO is enabled example: true type: boolean groupBy: $ref: '#/components/schemas/SLOs_group_by' id: description: The identifier of the SLO. example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string indicator: discriminator: mapping: sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' propertyName: type oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' instanceId: description: the value derived from the groupBy field, if present, otherwise '*' example: host-abcde type: string name: description: The name of the SLO. example: My Service SLO type: string objective: $ref: '#/components/schemas/SLOs_objective' revision: description: The SLO revision example: 2 type: number settings: $ref: '#/components/schemas/SLOs_settings' summary: $ref: '#/components/schemas/SLOs_summary' tags: description: List of tags items: type: string type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' updatedAt: description: The last update date example: '2023-01-12T10:03:19.000Z' type: string version: description: The internal SLO version example: 2 type: number required: - id - name - description - indicator - timeWindow - budgetingMethod - objective - settings - revision - summary - enabled - groupBy - instanceId - tags - createdAt - updatedAt - version SLOs_summary: description: The SLO computed data properties: errorBudget: $ref: '#/components/schemas/SLOs_error_budget' sliValue: example: 0.9836 type: number status: $ref: '#/components/schemas/SLOs_summary_status' required: - status - sliValue - errorBudget title: Summary type: object SLOs_summary_status: enum: - NO_DATA - HEALTHY - DEGRADING - VIOLATED example: HEALTHY title: summary status type: string SLOs_time_window: description: Defines properties for the SLO time window type: object properties: duration: description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)' example: 30d type: string type: description: Indicates weither the time window is a rolling or a calendar aligned time window. enum: - rolling - calendarAligned example: rolling type: string required: - duration - type title: Time window SLOs_timeslice_metric_basic_metric_with_field: type: object properties: aggregation: description: The aggregation type of the metric. enum: - sum - avg - min - max - std_deviation - last_value - cardinality example: sum type: string field: description: The field of the metric. example: processor.processed type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: "success"' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string required: - name - aggregation - field title: Timeslice Metric Basic Metric with Field SLOs_timeslice_metric_doc_count_metric: type: object properties: aggregation: description: The aggregation type of the metric. Only valid option is "doc_count" enum: - doc_count example: doc_count type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: "success"' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string required: - name - aggregation title: Timeslice Metric Doc Count Metric SLOs_timeslice_metric_percentile_metric: type: object properties: aggregation: description: The aggregation type of the metric. Only valid option is "percentile" enum: - percentile example: percentile type: string field: description: The field of the metric. example: processor.processed type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: "success"' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string percentile: description: The percentile value. example: 95 type: number required: - name - aggregation - field - percentile title: Timeslice Metric Percentile Metric SLOs_update_slo_request: description: | The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled. properties: budgetingMethod: $ref: '#/components/schemas/SLOs_budgeting_method' description: description: A description for the SLO. type: string groupBy: $ref: '#/components/schemas/SLOs_group_by' indicator: oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' name: description: A name for the SLO. type: string objective: $ref: '#/components/schemas/SLOs_objective' settings: $ref: '#/components/schemas/SLOs_settings' tags: description: List of tags items: type: string type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' title: Update SLO request type: object Synthetics_browserMonitorFields: allOf: - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - additionalProperties: true type: object properties: ignore_https_errors: default: false description: Ignore HTTPS errors. type: boolean inline_script: description: The inline script. type: string playwright_options: description: Playwright options. type: object screenshots: default: 'on' description: The screenshot option. enum: - 'on' - 'off' - only-on-failure type: string synthetics_args: description: Synthetics agent CLI arguments. type: array type: description: The monitor type. enum: - browser type: string required: - inline_script - type title: Browser monitor fields Synthetics_commonMonitorFields: title: Common monitor fields type: object properties: alert: description: | The alert configuration. The default is `{ status: { enabled: true }, tls: { enabled: true } }`. type: object enabled: default: true description: Specify whether the monitor is enabled. type: boolean labels: additionalProperties: type: string description: | Key-value pairs of labels to associate with the monitor. Labels can be used for filtering and grouping monitors. type: object locations: description: | The location to deploy the monitor. Monitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations. To list available locations you can: - Run the `elastic-synthetics locations` command with the deployment's Kibana URL. - Go to *Synthetics > Management* and click *Create monitor*. Locations will be listed in *Locations*. externalDocs: url: https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts items: type: string type: array name: description: The monitor name. type: string namespace: default: default description: | The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: `*`, `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or `-`. type: string params: description: The monitor parameters. type: string private_locations: description: | The private locations to which the monitors will be deployed. These private locations refer to locations hosted and managed by you, whereas `locations` are hosted by Elastic. You can specify a private location using the location's name. To list available private locations you can: - Run the `elastic-synthetics locations` command with the deployment's Kibana URL. - Go to *Synthetics > Settings* and click *Private locationsr*. Private locations will be listed in the table. > info > You can provide `locations` or `private_locations` or both. At least one is required. items: type: string type: array retest_on_failure: default: true description: | Turn retesting for when a monitor fails on or off. By default, monitors are automatically retested if the monitor goes from "up" to "down". If the result of the retest is also "down", an error will be created and if configured, an alert sent. The monitor will then resume running according to the defined schedule. Using `retest_on_failure` can reduce noise related to transient problems. type: boolean schedule: description: | The monitor's schedule in minutes. Supported values are `1`, `3`, `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is `3` minutes for HTTP, TCP, and ICMP monitors. The default value is `10` minutes for Browser monitors. type: number service.name: description: The APM service name. type: string tags: description: An array of tags. items: type: string type: array timeout: default: 16 description: | The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time. type: number required: - name Synthetics_getParameterResponse: title: Get parameter response type: object properties: description: description: | The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. type: string id: description: The unique identifier of the parameter. type: string key: description: The key of the parameter. type: string namespaces: description: | The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. items: type: string type: array tags: description: | An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. items: type: string type: array value: description: | The value associated with the parameter. It will be included in the response if the user has write permissions. type: string required: null Synthetics_getPrivateLocation: additionalProperties: true properties: agentPolicyId: description: The ID of the agent policy associated with the private location. type: string geo: description: Geographic coordinates (WGS84) for the location. type: object properties: lat: description: The latitude of the location. type: number lon: description: The longitude of the location. type: number required: - lat - lon id: description: The unique identifier of the private location. type: string isInvalid: description: | Indicates whether the location is invalid. If `true`, the location is invalid, which means the agent policy associated with the location is deleted. type: boolean label: description: A label for the private location. type: string namespace: description: The namespace of the location, which is the same as the namespace of the agent policy associated with the location. type: string title: Post a private location type: object Synthetics_httpMonitorFields: allOf: - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - additionalproperties: true type: object properties: check: description: The check request settings. type: objects properties: request: description: An optional request to send to the remote host. type: object properties: body: description: Optional request body content. type: string headers: description: | A dictionary of additional HTTP headers to send. By default, Synthetics will set the User-Agent header to identify itself. type: object method: description: The HTTP method to use. enum: - HEAD - GET - POST - OPTIONS type: string response: additionalProperties: true description: The expected response. type: object properties: body: type: object headers: description: A dictionary of expected HTTP headers. If the header is not found, the check fails. type: object ipv4: default: true description: If `true`, ping using the ipv4 protocol. type: boolean ipv6: default: true description: If `true`, ping using the ipv6 protocol. type: boolean max_redirects: default: 0 description: The maximum number of redirects to follow. type: number mode: default: any description: | The mode of the monitor. If it is `all`, the monitor pings all resolvable IPs for a hostname. If it is `any`, the monitor pings only one IP address for a hostname. If you're using a DNS-load balancer and want to ping every IP address for the specified hostname, you should use `all`. enum: - all - any type: string password: description: | The password for authenticating with the server. The credentials are passed with the request. type: string proxy_headers: description: Additional headers to send to proxies during CONNECT requests. type: object proxy_url: description: The URL of the proxy to use for this monitor. type: string response: description: Controls the indexing of the HTTP response body contents to the `http.response.body.contents field`. type: object ssl: description: | The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used. type: object type: description: The monitor type. enum: - http type: string url: description: The URL to monitor. type: string username: description: | The username for authenticating with the server. The credentials are passed with the request. type: string required: - type - url title: HTTP monitor fields Synthetics_icmpMonitorFields: allOf: - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - additionalProperties: true type: object properties: host: description: The host to ping. type: string type: description: The monitor type. enum: - icmp type: string wait: default: 1 description: The wait time in seconds. type: number required: - host - type title: ICMP monitor fields Synthetics_parameterRequest: title: Parameter request type: object properties: description: description: A description of the parameter. type: string key: description: The key of the parameter. type: string share_across_spaces: description: Specify whether the parameter should be shared across spaces. type: boolean tags: description: An array of tags to categorize the parameter. items: type: string type: array value: description: The value associated with the parameter. type: string required: - key - value Synthetics_postParameterResponse: title: Post parameter response type: object properties: description: description: A description of the parameter. type: string id: description: The unique identifier for the parameter. type: string key: description: The parameter key. type: string share_across_spaces: description: Indicates whether the parameter is shared across spaces. type: boolean tags: description: An array of tags associated with the parameter. items: type: string type: array value: description: The value associated with the parameter. type: string Synthetics_tcpMonitorFields: allOf: - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - additionalProperties: true type: object properties: host: description: | The host to monitor; it can be an IP address or a hostname. The host can include the port using a colon, for example "example.com:9200". type: string proxy_url: description: | The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of `socks5://`. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL. When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option. type: string proxy_use_local_resolver: default: false description: | Specify that hostnames are resolved locally instead of being resolved on the proxy server. If `false`, name resolution occurs on the proxy server. type: boolean ssl: description: | The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used. type: object type: description: The monitor type. enum: - tcp type: string required: - host - type title: TCP monitor fields Task_manager_health_APIs_configuration: description: | This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system. type: object Task_manager_health_APIs_health_response: title: Task health response properties type: object properties: id: type: string last_update: type: string stats: type: object properties: capacity_estimation: description: | This object provides a rough estimate about the sufficiency of its capacity. These are estimates based on historical data and should not be used as predictions. type: object configuration: $ref: '#/components/schemas/Task_manager_health_APIs_configuration' runtime: description: | This object tracks runtime performance of Task Manager, tracking task drift, worker load, and stats broken down by type, including duration and run results. type: object workload: $ref: '#/components/schemas/Task_manager_health_APIs_workload' status: type: string timestamp: type: string Task_manager_health_APIs_workload: description: | This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status. type: object bedrock_config: title: Connector request properties for an Amazon Bedrock connector description: Defines properties for connectors when type is `.bedrock`. type: object required: - apiUrl properties: apiUrl: type: string description: The Amazon Bedrock request URL. defaultModel: type: string description: | The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models. default: us.anthropic.claude-3-7-sonnet-20250219-v1:0 crowdstrike_config: title: Connector request config properties for a Crowdstrike connector required: - url description: Defines config properties for connectors when type is `.crowdstrike`. type: object properties: url: description: | The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string d3security_config: title: Connector request properties for a D3 Security connector description: Defines properties for connectors when type is `.d3security`. type: object required: - url properties: url: type: string description: | The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. email_config: title: Connector request properties for an email connector description: Defines properties for connectors when type is `.email`. required: - from type: object properties: clientId: description: | The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. type: string nullable: true from: description: | The from address for all emails sent by the connector. It must be specified in `user@host-name` format. type: string hasAuth: description: | Specifies whether a user and password are required inside the secrets configuration. default: true type: boolean host: description: | The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. type: string oauthTokenUrl: type: string nullable: true port: description: | The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. type: integer secure: description: | Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. type: boolean service: description: | The name of the email service. type: string enum: - elastic_cloud - exchange_server - gmail - other - outlook365 - ses tenantId: description: | The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. type: string nullable: true gemini_config: title: Connector request properties for an Google Gemini connector description: Defines properties for connectors when type is `.gemini`. type: object required: - apiUrl - gcpRegion - gcpProjectID properties: apiUrl: type: string description: The Google Gemini request URL. defaultModel: type: string description: The generative artificial intelligence model for Google Gemini to use. default: gemini-1.5-pro-002 gcpRegion: type: string description: The GCP region where the Vertex AI endpoint enabled. gcpProjectID: type: string description: The Google ProjectID that has Vertex AI endpoint enabled. resilient_config: title: Connector request properties for a IBM Resilient connector required: - apiUrl - orgId description: Defines properties for connectors when type is `.resilient`. type: object properties: apiUrl: description: The IBM Resilient instance URL. type: string orgId: description: The IBM Resilient organization ID. type: string index_config: title: Connector request properties for an index connector required: - index description: Defines properties for connectors when type is `.index`. type: object properties: executionTimeField: description: A field that indicates when the document was indexed. default: null type: string nullable: true index: description: The Elasticsearch index to be written to. type: string refresh: description: | The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs. default: false type: boolean jira_config: title: Connector request properties for a Jira connector required: - apiUrl - projectKey description: Defines properties for connectors when type is `.jira`. type: object properties: apiUrl: description: The Jira instance URL. type: string projectKey: description: The Jira project key. type: string defender_config: title: Connector request properties for a Microsoft Defender for Endpoint connector required: - apiUrl - projectKey description: Defines properties for connectors when type is `.microsoft_defender_endpoint`. type: object properties: apiUrl: type: string description: | The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts. clientId: type: string description: The application (client) identifier for your app in the Azure portal. oAuthScope: type: string description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API. oAuthServerUrl: type: string description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API. tenantId: description: The tenant identifier for your app in the Azure portal. type: string genai_azure_config: title: Connector request properties for an OpenAI connector that uses Azure OpenAI description: | Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`. type: object required: - apiProvider - apiUrl properties: apiProvider: type: string description: The OpenAI API provider. enum: - Azure OpenAI apiUrl: type: string description: The OpenAI API endpoint. genai_openai_config: title: Connector request properties for an OpenAI connector description: | Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`. type: object required: - apiProvider - apiUrl properties: apiProvider: type: string description: The OpenAI API provider. enum: - OpenAI apiUrl: type: string description: The OpenAI API endpoint. defaultModel: type: string description: The default model to use for requests. opsgenie_config: title: Connector request properties for an Opsgenie connector required: - apiUrl description: Defines properties for connectors when type is `.opsgenie`. type: object properties: apiUrl: description: | The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string pagerduty_config: title: Connector request properties for a PagerDuty connector description: Defines properties for connectors when type is `.pagerduty`. type: object properties: apiUrl: description: The PagerDuty event URL. type: string nullable: true example: https://events.pagerduty.com/v2/enqueue sentinelone_config: title: Connector request properties for a SentinelOne connector required: - url description: Defines properties for connectors when type is `.sentinelone`. type: object properties: url: description: | The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string servicenow_config: title: Connector request properties for a ServiceNow ITSM connector required: - apiUrl description: Defines properties for connectors when type is `.servicenow`. type: object properties: apiUrl: type: string description: The ServiceNow instance URL. clientId: description: | The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. type: string isOAuth: description: | The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). default: false type: boolean jwtKeyId: description: | The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. type: string userIdentifierValue: description: | The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. type: string usesTableApi: description: | Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow. default: true type: boolean servicenow_itom_config: title: Connector request properties for a ServiceNow ITOM connector required: - apiUrl description: Defines properties for connectors when type is `.servicenow-itom`. type: object properties: apiUrl: type: string description: The ServiceNow instance URL. clientId: description: | The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. type: string isOAuth: description: | The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). default: false type: boolean jwtKeyId: description: | The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. type: string userIdentifierValue: description: | The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. type: string slack_api_config: title: Connector request properties for a Slack connector description: Defines properties for connectors when type is `.slack_api`. type: object properties: allowedChannels: type: array description: A list of valid Slack channels. items: type: object required: - id - name maxItems: 25 properties: id: type: string description: The Slack channel ID. example: C123ABC456 minLength: 1 name: type: string description: The Slack channel name. minLength: 1 swimlane_config: title: Connector request properties for a Swimlane connector required: - apiUrl - appId - connectorType description: Defines properties for connectors when type is `.swimlane`. type: object properties: apiUrl: description: The Swimlane instance URL. type: string appId: description: The Swimlane application ID. type: string connectorType: description: The type of connector. Valid values are `all`, `alerts`, and `cases`. type: string enum: - all - alerts - cases mappings: title: Connector mappings properties for a Swimlane connector description: The field mapping. type: object properties: alertIdConfig: title: Alert identifier mapping description: Mapping for the alert ID. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. caseIdConfig: title: Case identifier mapping description: Mapping for the case ID. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. caseNameConfig: title: Case name mapping description: Mapping for the case name. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. commentsConfig: title: Case comment mapping description: Mapping for the case comments. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. descriptionConfig: title: Case description mapping description: Mapping for the case description. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. ruleNameConfig: title: Rule name mapping description: Mapping for the name of the alert's rule. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. severityConfig: title: Severity mapping description: Mapping for the severity. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. thehive_config: title: Connector request properties for a TheHive connector description: Defines configuration properties for connectors when type is `.thehive`. type: object required: - url properties: organisation: type: string description: | The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key. url: type: string description: | The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. tines_config: title: Connector request properties for a Tines connector description: Defines properties for connectors when type is `.tines`. type: object required: - url properties: url: description: | The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts. type: string torq_config: title: Connector request properties for a Torq connector description: Defines properties for connectors when type is `.torq`. type: object required: - webhookIntegrationUrl properties: webhookIntegrationUrl: description: The endpoint URL of the Elastic Security integration in Torq. type: string auth_type: title: Authentication type type: string nullable: true enum: - webhook-authentication-basic - webhook-authentication-ssl description: | The type of authentication to use: basic, SSL, or none. ca: title: Certificate authority type: string description: | A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types. cert_type: title: Certificate type type: string description: | If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format. enum: - ssl-crt-key - ssl-pfx has_auth: title: Has authentication type: boolean description: If true, a username and password for login type authentication must be provided. default: true verification_mode: title: Verification mode type: string enum: - certificate - full - none default: full description: | Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation. webhook_config: title: Connector request properties for a Webhook connector description: Defines properties for connectors when type is `.webhook`. type: object properties: authType: $ref: '#/components/schemas/auth_type' ca: $ref: '#/components/schemas/ca' certType: $ref: '#/components/schemas/cert_type' hasAuth: $ref: '#/components/schemas/has_auth' headers: type: object nullable: true description: A set of key-value pairs sent as headers with the request. method: type: string default: post enum: - post - put description: | The HTTP request method, either `post` or `put`. url: type: string description: | The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. verificationMode: $ref: '#/components/schemas/verification_mode' cases_webhook_config: title: Connector request properties for Webhook - Case Management connector required: - createIncidentJson - createIncidentResponseKey - createIncidentUrl - getIncidentResponseExternalTitleKey - getIncidentUrl - updateIncidentJson - updateIncidentUrl - viewIncidentUrl description: Defines properties for connectors when type is `.cases-webhook`. type: object properties: authType: $ref: '#/components/schemas/auth_type' ca: $ref: '#/components/schemas/ca' certType: $ref: '#/components/schemas/cert_type' createCommentJson: type: string description: | A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. example: '{"body": {{{case.comment}}}}' createCommentMethod: type: string description: | The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`. default: put enum: - patch - post - put createCommentUrl: type: string description: | The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts. example: https://example.com/issue/{{{external.system.id}}}/comment createIncidentJson: type: string description: | A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' createIncidentMethod: type: string description: | The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`. enum: - patch - post - put default: post createIncidentResponseKey: type: string description: The JSON key in the create external case response that contains the case ID. createIncidentUrl: type: string description: | The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. getIncidentResponseExternalTitleKey: type: string description: The JSON key in get external case response that contains the case title. getIncidentUrl: type: string description: | The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. example: https://example.com/issue/{{{external.system.id}}} hasAuth: $ref: '#/components/schemas/has_auth' headers: type: string description: | A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods. updateIncidentJson: type: string description: | The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' updateIncidentMethod: type: string description: | The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`. default: put enum: - patch - post - put updateIncidentUrl: type: string description: | The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. example: https://example.com/issue/{{{external.system.ID}}} verificationMode: $ref: '#/components/schemas/verification_mode' viewIncidentUrl: type: string description: | The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL. example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}} xmatters_config: title: Connector request properties for an xMatters connector description: Defines properties for connectors when type is `.xmatters`. type: object properties: configUrl: description: | The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`. type: string nullable: true usesBasic: description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`). type: boolean default: true bedrock_secrets: title: Connector secrets properties for an Amazon Bedrock connector description: Defines secrets for connectors when type is `.bedrock`. type: object required: - accessKey - secret properties: accessKey: type: string description: The AWS access key for authentication. secret: type: string description: The AWS secret for authentication. crowdstrike_secrets: title: Connector secrets properties for a Crowdstrike connector description: Defines secrets for connectors when type is `.crowdstrike`. type: object required: - clientId - clientSecret properties: clientId: description: The CrowdStrike API client identifier. type: string clientSecret: description: The CrowdStrike API client secret to authenticate the `clientId`. type: string d3security_secrets: title: Connector secrets properties for a D3 Security connector description: Defines secrets for connectors when type is `.d3security`. required: - token type: object properties: token: type: string description: The D3 Security token. email_secrets: title: Connector secrets properties for an email connector description: Defines secrets for connectors when type is `.email`. type: object properties: clientSecret: type: string description: | The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required. password: type: string description: | The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. user: type: string description: | The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. gemini_secrets: title: Connector secrets properties for a Google Gemini connector description: Defines secrets for connectors when type is `.gemini`. type: object required: - credentialsJson properties: credentialsJson: type: string description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it. resilient_secrets: title: Connector secrets properties for IBM Resilient connector required: - apiKeyId - apiKeySecret description: Defines secrets for connectors when type is `.resilient`. type: object properties: apiKeyId: type: string description: The authentication key ID for HTTP Basic authentication. apiKeySecret: type: string description: The authentication key secret for HTTP Basic authentication. jira_secrets: title: Connector secrets properties for a Jira connector required: - apiToken - email description: Defines secrets for connectors when type is `.jira`. type: object properties: apiToken: description: The Jira API authentication token for HTTP basic authentication. type: string email: description: The account email for HTTP Basic authentication. type: string teams_secrets: title: Connector secrets properties for a Microsoft Teams connector description: Defines secrets for connectors when type is `.teams`. type: object required: - webhookUrl properties: webhookUrl: type: string description: | The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. genai_secrets: title: Connector secrets properties for an OpenAI connector description: | Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content. type: object properties: apiKey: type: string description: | The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one. certificateData: type: string description: | Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI. minLength: 1 privateKeyData: type: string description: | Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI. minLength: 1 caData: type: string description: | Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional. minLength: 1 required: [] opsgenie_secrets: title: Connector secrets properties for an Opsgenie connector required: - apiKey description: Defines secrets for connectors when type is `.opsgenie`. type: object properties: apiKey: description: The Opsgenie API authentication key for HTTP Basic authentication. type: string pagerduty_secrets: title: Connector secrets properties for a PagerDuty connector description: Defines secrets for connectors when type is `.pagerduty`. type: object required: - routingKey properties: routingKey: description: | A 32 character PagerDuty Integration Key for an integration on a service. type: string sentinelone_secrets: title: Connector secrets properties for a SentinelOne connector description: Defines secrets for connectors when type is `.sentinelone`. type: object required: - token properties: token: description: The A SentinelOne API token. type: string servicenow_secrets: title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`. type: object properties: clientSecret: type: string description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`. password: type: string description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`. privateKey: type: string description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`. privateKeyPassword: type: string description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key. username: type: string description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`. slack_api_secrets: title: Connector secrets properties for a Web API Slack connector description: Defines secrets for connectors when type is `.slack`. required: - token type: object properties: token: type: string description: Slack bot user OAuth token. swimlane_secrets: title: Connector secrets properties for a Swimlane connector description: Defines secrets for connectors when type is `.swimlane`. type: object properties: apiToken: description: Swimlane API authentication token. type: string thehive_secrets: title: Connector secrets properties for a TheHive connector description: Defines secrets for connectors when type is `.thehive`. required: - apiKey type: object properties: apiKey: type: string description: The API key for authentication in TheHive. tines_secrets: title: Connector secrets properties for a Tines connector description: Defines secrets for connectors when type is `.tines`. type: object required: - email - token properties: email: description: The email used to sign in to Tines. type: string token: description: The Tines API token. type: string torq_secrets: title: Connector secrets properties for a Torq connector description: Defines secrets for connectors when type is `.torq`. type: object required: - token properties: token: description: The secret of the webhook authentication header. type: string crt: title: Certificate type: string description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file. key: title: Certificate key type: string description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file. pfx: title: Personal information exchange type: string description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. webhook_secrets: title: Connector secrets properties for a Webhook connector description: Defines secrets for connectors when type is `.webhook`. type: object properties: crt: $ref: '#/components/schemas/crt' key: $ref: '#/components/schemas/key' pfx: $ref: '#/components/schemas/pfx' password: type: string description: | The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. user: type: string description: | The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. cases_webhook_secrets: title: Connector secrets properties for Webhook - Case Management connector type: object properties: crt: $ref: '#/components/schemas/crt' key: $ref: '#/components/schemas/key' pfx: $ref: '#/components/schemas/pfx' password: type: string description: | The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required. user: type: string description: | The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. xmatters_secrets: title: Connector secrets properties for an xMatters connector description: Defines secrets for connectors when type is `.xmatters`. type: object properties: password: description: | A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. type: string secretsUrl: description: | The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`. type: string user: description: | A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. type: string genai_openai_other_config: title: Connector request properties for an OpenAI connector with Other provider description: | Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication. type: object required: - apiProvider - apiUrl - defaultModel properties: apiProvider: type: string description: The OpenAI API provider. enum: - Other apiUrl: type: string description: The OpenAI-compatible API endpoint. defaultModel: type: string description: The default model to use for requests. certificateData: type: string description: PEM-encoded certificate content. minLength: 1 privateKeyData: type: string description: PEM-encoded private key content. minLength: 1 caData: type: string description: PEM-encoded CA certificate content. minLength: 1 verificationMode: type: string description: SSL verification mode for PKI authentication. enum: - full - certificate - none default: full headers: type: object description: Custom headers to include in requests. additionalProperties: type: string defender_secrets: title: Connector secrets properties for a Microsoft Defender for Endpoint connector required: - clientSecret description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`. type: object properties: clientSecret: description: The client secret for your app in the Azure portal. type: string run_acknowledge_resolve_pagerduty: title: PagerDuty connector parameters description: Test an action that acknowledges or resolves a PagerDuty alert. type: object required: - dedupKey - eventAction properties: dedupKey: description: The deduplication key for the PagerDuty alert. type: string maxLength: 255 eventAction: description: The type of event. type: string enum: - acknowledge - resolve run_documents: title: Index connector parameters description: Test an action that indexes a document into Elasticsearch. type: object required: - documents properties: documents: type: array description: The documents in JSON format for index connectors. items: type: object additionalProperties: true run_message_email: title: Email connector parameters description: | Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`. type: object required: - message - subject - anyOf: - to - cc - bcc properties: bcc: type: array items: type: string description: | A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format cc: type: array items: type: string description: | A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format message: type: string description: The email message text. Markdown format is supported. subject: type: string description: The subject line of the email. to: type: array description: | A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format. items: type: string run_message_serverlog: title: Server log connector parameters description: Test an action that writes an entry to the Kibana server log. type: object required: - message properties: level: type: string description: The log level of the message for server log connectors. enum: - debug - error - fatal - info - trace - warn default: info message: type: string description: The message for server log connectors. run_message_slack: title: Slack connector parameters description: | Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`. type: object required: - message properties: message: type: string description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting. run_trigger_pagerduty: title: PagerDuty connector parameters description: Test an action that triggers a PagerDuty alert. type: object required: - eventAction properties: class: description: The class or type of the event. type: string example: cpu load component: description: The component of the source machine that is responsible for the event. type: string example: eth0 customDetails: description: Additional details to add to the event. type: object dedupKey: description: | All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution. type: string maxLength: 255 eventAction: description: The type of event. type: string enum: - trigger group: description: The logical grouping of components of a service. type: string example: app-stack links: description: A list of links to add to the event. type: array items: type: object properties: href: description: The URL for the link. type: string text: description: A plain text description of the purpose of the link. type: string severity: description: The severity of the event on the affected system. type: string enum: - critical - error - info - warning default: info source: description: | The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action. type: string summary: description: A summery of the event. type: string maxLength: 1024 timestamp: description: An ISO-8601 timestamp that indicates when the event was detected or generated. type: string format: date-time run_addevent: title: The addEvent subaction type: object required: - subAction description: The `addEvent` subaction for ServiceNow ITOM connectors. properties: subAction: type: string description: The action to test. enum: - addEvent subActionParams: type: object description: The set of configuration properties for the action. properties: additional_info: type: string description: Additional information about the event. description: type: string description: The details about the event. event_class: type: string description: A specific instance of the source. message_key: type: string description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`. metric_name: type: string description: The name of the metric. node: type: string description: The host that the event was triggered for. resource: type: string description: The name of the resource. severity: type: string description: The severity of the event. source: type: string description: The name of the event source type. time_of_event: type: string description: The time of the event. type: type: string description: The type of event. run_closealert: title: The closeAlert subaction type: object required: - subAction - subActionParams description: The `closeAlert` subaction for Opsgenie connectors. properties: subAction: type: string description: The action to test. enum: - closeAlert subActionParams: type: object required: - alias properties: alias: type: string description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert. note: type: string description: Additional information for the alert. source: type: string description: The display name for the source of the alert. user: type: string description: The display name for the owner. run_closeincident: title: The closeIncident subaction type: object required: - subAction - subActionParams description: The `closeIncident` subaction for ServiceNow ITSM connectors. properties: subAction: type: string description: The action to test. enum: - closeIncident subActionParams: type: object required: - incident properties: incident: type: object anyOf: - required: - correlation_id - required: - externalId properties: correlation_id: type: string nullable: true description: | An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID. maxLength: 100 default: '{{rule.id}}:{{alert.id}}' externalId: type: string nullable: true description: The unique identifier (`incidentId`) for the incident in ServiceNow. run_createalert: title: The createAlert subaction type: object required: - subAction - subActionParams description: The `createAlert` subaction for Opsgenie and TheHive connectors. properties: subAction: type: string description: The action to test. enum: - createAlert subActionParams: type: object properties: actions: type: array description: The custom actions available to the alert in Opsgenie connectors. items: type: string alias: type: string description: The unique identifier used for alert deduplication in Opsgenie. description: type: string description: A description that provides detailed information about the alert. details: type: object description: The custom properties of the alert in Opsgenie connectors. additionalProperties: true example: key1: value1 key2: value2 entity: type: string description: The domain of the alert in Opsgenie connectors. For example, the application or server name. message: type: string description: The alert message in Opsgenie connectors. note: type: string description: Additional information for the alert in Opsgenie connectors. priority: type: string description: The priority level for the alert in Opsgenie connectors. enum: - P1 - P2 - P3 - P4 - P5 responders: type: array description: | The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required. items: type: object properties: id: type: string description: The identifier for the entity. name: type: string description: The name of the entity. type: type: string description: The type of responders, in this case `escalation`. enum: - escalation - schedule - team - user username: type: string description: A valid email address for the user. severity: type: integer minimum: 1 maximum: 4 description: | The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). source: type: string description: The display name for the source of the alert in Opsgenie and TheHive connectors. sourceRef: type: string description: A source reference for the alert in TheHive connectors. tags: type: array description: The tags for the alert in Opsgenie and TheHive connectors. items: type: string title: type: string description: | A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base. tlp: type: integer minimum: 0 maximum: 4 default: 2 description: | The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). type: type: string description: The type of alert in TheHive connectors. user: type: string description: The display name for the owner. visibleTo: type: array description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required. items: type: object required: - type properties: id: type: string description: The identifier for the entity. name: type: string description: The name of the entity. type: type: string description: Valid values are `team` and `user`. enum: - team - user username: type: string description: The user name. This property is required only when the `type` is `user`. run_fieldsbyissuetype: title: The fieldsByIssueType subaction type: object required: - subAction - subActionParams description: The `fieldsByIssueType` subaction for Jira connectors. properties: subAction: type: string description: The action to test. enum: - fieldsByIssueType subActionParams: type: object required: - id properties: id: type: string description: The Jira issue type identifier. example: 10024 run_getagentdetails: title: The getAgentDetails subaction type: object required: - subAction - subActionParams description: The `getAgentDetails` subaction for CrowdStrike connectors. properties: subAction: type: string description: The action to test. enum: - getAgentDetails subActionParams: type: object description: The set of configuration properties for the action. required: - ids properties: ids: type: array description: An array of CrowdStrike agent identifiers. items: type: string run_getagents: title: The getAgents subaction type: object required: - subAction description: The `getAgents` subaction for SentinelOne connectors. properties: subAction: type: string description: The action to test. enum: - getAgents run_getchoices: title: The getChoices subaction type: object required: - subAction - subActionParams description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: subAction: type: string description: The action to test. enum: - getChoices subActionParams: type: object description: The set of configuration properties for the action. required: - fields properties: fields: type: array description: An array of fields. items: type: string run_getfields: title: The getFields subaction type: object required: - subAction description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: subAction: type: string description: The action to test. enum: - getFields run_getincident: title: The getIncident subaction type: object description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. required: - subAction - subActionParams properties: subAction: type: string description: The action to test. enum: - getIncident subActionParams: type: object required: - externalId properties: externalId: type: string description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. example: 71778 run_issue: title: The issue subaction type: object required: - subAction description: The `issue` subaction for Jira connectors. properties: subAction: type: string description: The action to test. enum: - issue subActionParams: type: object required: - id properties: id: type: string description: The Jira issue identifier. example: 71778 run_issues: title: The issues subaction type: object required: - subAction - subActionParams description: The `issues` subaction for Jira connectors. properties: subAction: type: string description: The action to test. enum: - issues subActionParams: type: object required: - title properties: title: type: string description: The title of the Jira issue. run_issuetypes: title: The issueTypes subaction type: object required: - subAction description: The `issueTypes` subaction for Jira connectors. properties: subAction: type: string description: The action to test. enum: - issueTypes run_postmessage: title: The postMessage subaction type: object description: | Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`. required: - subAction - subActionParams properties: subAction: type: string description: The action to test. enum: - postMessage subActionParams: type: object description: The set of configuration properties for the action. properties: channelIds: type: array maxItems: 1 description: | The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration. items: type: string channels: type: array deprecated: true description: | The name of a channel that your Slack app has access to. maxItems: 1 items: type: string text: type: string description: | The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages. minLength: 1 run_pushtoservice: title: The pushToService subaction type: object required: - subAction - subActionParams description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. properties: subAction: type: string description: The action to test. enum: - pushToService subActionParams: type: object description: The set of configuration properties for the action. properties: comments: type: array description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive. items: type: object properties: comment: type: string description: A comment related to the incident. For example, describe how to troubleshoot the issue. commentId: type: integer description: A unique identifier for the comment. incident: type: object description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident. properties: additional_fields: type: string nullable: true maxLength: 20 description: | Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format. alertId: type: string description: The alert identifier for Swimlane connectors. caseId: type: string description: The case identifier for the incident for Swimlane connectors. caseName: type: string description: The case name for the incident for Swimlane connectors. category: type: string description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. correlation_display: type: string description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors. correlation_id: type: string description: | The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. description: type: string description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. dest_ip: description: | A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. oneOf: - type: string - type: array items: type: string externalId: type: string description: | The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created. id: type: string description: The external case identifier for Webhook - Case Management connectors. impact: type: string description: The impact of the incident for ServiceNow ITSM connectors. issueType: type: integer description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`. labels: type: array items: type: string description: | The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces. malware_hash: description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident. oneOf: - type: string - type: array items: type: string malware_url: type: string description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident. oneOf: - type: string - type: array items: type: string otherFields: type: object additionalProperties: true maxProperties: 20 description: | Custom field identifiers and their values for Jira connectors. parent: type: string description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues. priority: type: string description: The priority of the incident in Jira and ServiceNow SecOps connectors. ruleName: type: string description: The rule name for Swimlane connectors. severity: type: integer description: | The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). short_description: type: string description: | A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base. source_ip: description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. oneOf: - type: string - type: array items: type: string status: type: string description: The status of the incident for Webhook - Case Management connectors. subcategory: type: string description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. summary: type: string description: A summary of the incident for Jira connectors. tags: type: array items: type: string description: A list of tags for TheHive and Webhook - Case Management connectors. title: type: string description: | A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base. tlp: type: integer minimum: 0 maximum: 4 default: 2 description: | The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). urgency: type: string description: The urgency of the incident for ServiceNow ITSM connectors. run_validchannelid: title: The validChannelId subaction type: object description: | Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`. required: - subAction - subActionParams properties: subAction: type: string description: The action to test. enum: - validChannelId subActionParams: type: object required: - channelId properties: channelId: type: string description: The Slack channel identifier. example: C123ABC456 params_property_apm_anomaly: required: - windowSize - windowUnit - environment - anomalySeverityType properties: serviceName: type: string description: Filter the rule to apply to a specific service name. transactionType: type: string description: Filter the rule to apply to a specific transaction type. windowSize: type: number example: 6 description: | The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. windowUnit: type: string description: | The type of units for the time window. For example: minutes, hours, or days. enum: - m - h - d environment: type: string description: Filter the rule to apply to a specific environment. anomalySeverityType: type: string description: | The severity of anomalies that will generate alerts: critical, major, minor, or warning. enum: - critical - major - minor - warning params_property_apm_error_count: required: - windowSize - windowUnit - threshold - environment properties: serviceName: type: string description: Filter the errors coming from your application to apply the rule to a specific service. windowSize: type: number description: | The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection. example: 6 windowUnit: type: string description: | The type of units for the time window: minutes, hours, or days. enum: - m - h - d environment: type: string description: Filter the errors coming from your application to apply the rule to a specific environment. threshold: type: number description: The error count threshold. groupBy: type: array default: - service.name - service.environment uniqueItems: true items: type: string enum: - service.name - service.environment - transaction.name - error.grouping_key description: | Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. errorGroupingKey: type: string description: | Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties. params_property_apm_transaction_duration: required: - windowSize - windowUnit - threshold - environment - aggregationType properties: serviceName: type: string description: Filter the rule to apply to a specific service. transactionType: type: string description: Filter the rule to apply to a specific transaction type. transactionName: type: string description: Filter the rule to apply to a specific transaction name. windowSize: type: number description: | The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. example: 6 windowUnit: type: string description: | The type of units for the time window. For example: minutes, hours, or days. enum: - m - h - d environment: type: string description: Filter the rule to apply to a specific environment. threshold: type: number description: The latency threshold value. groupBy: type: array default: - service.name - service.environment - transaction.type uniqueItems: true items: type: string enum: - service.name - service.environment - transaction.type - transaction.name description: | Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. aggregationType: type: string enum: - avg - 95th - 99th description: The type of aggregation to perform. params_property_apm_transaction_error_rate: required: - windowSize - windowUnit - threshold - environment properties: serviceName: type: string description: The service name from APM transactionType: type: string description: The transaction type from APM transactionName: type: string description: The transaction name from APM windowSize: type: number description: The window size example: 6 windowUnit: type: string description: The window size unit enum: - m - h - d environment: type: string description: The environment from APM threshold: type: number description: The error rate threshold value groupBy: type: array default: - service.name - service.environment - transaction.type uniqueItems: true items: type: string enum: - service.name - service.environment - transaction.type - transaction.name aggfield: description: | The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. type: string aggtype: description: The type of aggregation to perform. type: string enum: - avg - count - max - min - sum default: count excludehitsfrompreviousrun: description: | Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. type: boolean groupby: description: | Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. type: string enum: - all - top default: all size: description: | The number of documents to pass to the configured actions when the threshold condition is met. type: integer termfield: description: | The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. oneOf: - type: string - type: array items: type: string maxItems: 4 termsize: description: | This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. type: integer threshold: description: | The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. type: array items: type: integer example: 4000 thresholdcomparator: description: The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between". type: string enum: - '>' - '>=' - < - <= - between - notBetween example: '>' timefield: description: The field that is used to calculate the time window. type: string timewindowsize: description: | The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. type: integer example: 5 timewindowunit: description: | The type of units for the time window: seconds, minutes, hours, or days. type: string enum: - s - m - h - d example: m params_es_query_dsl_rule: title: Elasticsearch DSL query rule params description: | An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`. type: object required: - esQuery - index - threshold - thresholdComparator - timeField - timeWindowSize - timeWindowUnit properties: aggField: $ref: '#/components/schemas/aggfield' aggType: $ref: '#/components/schemas/aggtype' esQuery: description: The query definition, which uses Elasticsearch Query DSL. type: string excludeHitsFromPreviousRun: $ref: '#/components/schemas/excludehitsfrompreviousrun' groupBy: $ref: '#/components/schemas/groupby' index: description: The indices to query. oneOf: - type: array items: type: string - type: string searchType: description: The type of query, in this case a query that uses Elasticsearch Query DSL. type: string enum: - esQuery default: esQuery example: esQuery size: $ref: '#/components/schemas/size' termField: $ref: '#/components/schemas/termfield' termSize: $ref: '#/components/schemas/termsize' threshold: $ref: '#/components/schemas/threshold' thresholdComparator: $ref: '#/components/schemas/thresholdcomparator' timeField: $ref: '#/components/schemas/timefield' timeWindowSize: $ref: '#/components/schemas/timewindowsize' timeWindowUnit: $ref: '#/components/schemas/timewindowunit' params_es_query_esql_rule: title: Elasticsearch ES|QL query rule params description: | An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`. type: object required: - esqlQuery - searchType - size - threshold - thresholdComparator - timeWindowSize - timeWindowUnit properties: aggField: $ref: '#/components/schemas/aggfield' aggType: $ref: '#/components/schemas/aggtype' esqlQuery: type: object required: - esql properties: esql: description: The query definition, which uses Elasticsearch Query Language. type: string excludeHitsFromPreviousRun: $ref: '#/components/schemas/excludehitsfrompreviousrun' groupBy: $ref: '#/components/schemas/groupby' searchType: description: The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL). type: string enum: - esqlQuery example: esqlQuery size: type: integer description: | When `searchType` is `esqlQuery`, this property is required but it does not affect the rule behavior. example: 0 termSize: $ref: '#/components/schemas/termsize' threshold: type: array items: type: integer minimum: 0 maximum: 0 description: | The threshold value that is used with the `thresholdComparator`. When `searchType` is `esqlQuery`, this property is required and must be set to zero. thresholdComparator: type: string description: | The comparison function for the threshold. When `searchType` is `esqlQuery`, this property is required and must be set to ">". Since the `threshold` value must be `0`, the result is that an alert occurs whenever the query returns results. enum: - '>' example: '>' timeField: $ref: '#/components/schemas/timefield' timeWindowSize: $ref: '#/components/schemas/timewindowsize' timeWindowUnit: $ref: '#/components/schemas/timewindowunit' filter: type: object description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. properties: meta: type: object properties: alias: type: string nullable: true controlledBy: type: string disabled: type: boolean field: type: string group: type: string index: type: string isMultiIndex: type: boolean key: type: string negate: type: boolean params: type: object type: type: string value: type: string query: type: object $state: type: object params_es_query_kql_rule: title: Elasticsearch KQL query rule params description: | An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`. type: object required: - searchType - size - threshold - thresholdComparator - timeWindowSize - timeWindowUnit properties: aggField: $ref: '#/components/schemas/aggfield' aggType: $ref: '#/components/schemas/aggtype' excludeHitsFromPreviousRun: $ref: '#/components/schemas/excludehitsfrompreviousrun' groupBy: $ref: '#/components/schemas/groupby' searchConfiguration: description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. type: object properties: filter: type: array items: $ref: '#/components/schemas/filter' index: description: The indices to query. oneOf: - type: string - type: array items: type: string query: type: object properties: language: type: string example: kuery query: type: string searchType: description: The type of query, in this case a text-based query that uses KQL or Lucene. type: string enum: - searchSource example: searchSource size: $ref: '#/components/schemas/size' termField: $ref: '#/components/schemas/termfield' termSize: $ref: '#/components/schemas/termsize' threshold: $ref: '#/components/schemas/threshold' thresholdComparator: $ref: '#/components/schemas/thresholdcomparator' timeField: $ref: '#/components/schemas/timefield' timeWindowSize: $ref: '#/components/schemas/timewindowsize' timeWindowUnit: $ref: '#/components/schemas/timewindowunit' params_index_threshold_rule: title: Index threshold rule params description: An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when `rule_type_id` is `.index-threshold`. type: object required: - index - threshold - thresholdComparator - timeField - timeWindowSize - timeWindowUnit properties: aggField: $ref: '#/components/schemas/aggfield' aggType: $ref: '#/components/schemas/aggtype' filterKuery: description: A KQL expression thats limits the scope of alerts. type: string groupBy: $ref: '#/components/schemas/groupby' index: description: The indices to query. type: array items: type: string termField: $ref: '#/components/schemas/termfield' termSize: $ref: '#/components/schemas/termsize' threshold: $ref: '#/components/schemas/threshold' thresholdComparator: $ref: '#/components/schemas/thresholdcomparator' timeField: $ref: '#/components/schemas/timefield' timeWindowSize: $ref: '#/components/schemas/timewindowsize' timeWindowUnit: $ref: '#/components/schemas/timewindowunit' params_property_infra_inventory: properties: criteria: type: array items: type: object properties: metric: type: string enum: - count - cpu - diskLatency - load - memory - memoryTotal - tx - rx - logRate - diskIOReadBytes - diskIOWriteBytes - s3TotalRequests - s3NumberOfObjects - s3BucketSize - s3DownloadBytes - s3UploadBytes - rdsConnections - rdsQueriesExecuted - rdsActiveTransactions - rdsLatency - sqsMessagesVisible - sqsMessagesDelayed - sqsMessagesSent - sqsMessagesEmpty - sqsOldestMessage - custom timeSize: type: number timeUnit: type: string enum: - s - m - h - d sourceId: type: string threshold: type: array items: type: number comparator: type: string enum: - < - <= - '>' - '>=' - between - outside customMetric: type: object properties: type: type: string enum: - custom field: type: string aggregation: type: string enum: - avg - max - min - rate id: type: string label: type: string warningThreshold: type: array items: type: number warningComparator: type: string enum: - < - <= - '>' - '>=' - between - outside filterQuery: type: string filterQueryText: type: string nodeType: type: string enum: - host - pod - container - awsEC2 - awsS3 - awsSQS - awsRDS sourceId: type: string alertOnNoData: type: boolean params_property_log_threshold: oneOf: - title: Count type: object required: - count - timeSize - timeUnit - logView properties: criteria: type: array items: type: object properties: field: type: string example: my.field comparator: type: string enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase value: oneOf: - type: number example: 42 - type: string example: value count: type: object properties: comparator: type: string enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase value: type: number example: 100 timeSize: type: number example: 6 timeUnit: type: string enum: - s - m - h - d logView: type: object properties: logViewId: type: string type: type: string enum: - log-view-reference example: log-view-reference groupBy: type: array items: type: string - title: Ratio type: object required: - count - timeSize - timeUnit - logView properties: criteria: type: array items: minItems: 2 maxItems: 2 type: array items: type: object properties: field: type: string example: my.field comparator: type: string enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase value: oneOf: - type: number example: 42 - type: string example: value count: type: object properties: comparator: type: string enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase value: type: number example: 100 timeSize: type: number example: 6 timeUnit: type: string enum: - s - m - h - d logView: type: object properties: logViewId: type: string type: type: string enum: - log-view-reference example: log-view-reference groupBy: type: array items: type: string params_property_infra_metric_threshold: properties: criteria: type: array items: oneOf: - title: non count criterion type: object properties: threshold: type: array items: type: number description: | The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values. comparator: type: string enum: - < - <= - '>' - '>=' - between - outside description: | The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "outside". timeUnit: type: string enum: - s - m - h - d description: | The type of units for the time window: seconds, minutes, hours, or days. timeSize: type: number description: | The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. warningThreshold: type: array items: type: number description: | The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values. warningComparator: type: string enum: - < - <= - '>' - '>=' - between - outside metric: type: string aggType: type: string enum: - avg - max - min - cardinality - rate - count - sum - p95 - p99 - custom - title: count criterion type: object properties: threshold: type: array items: type: number comparator: type: string enum: - < - <= - '>' - '>=' - between - outside timeUnit: type: string enum: - s - m - h - d description: | The type of units for the time window: seconds, minutes, hours, or days. timeSize: type: number description: | The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. warningThreshold: type: array items: type: number warningComparator: type: string enum: - < - <= - '>' - '>=' - between - outside aggType: type: string enum: - count - title: custom criterion type: object properties: threshold: type: array items: type: number comparator: type: string enum: - < - <= - '>' - '>=' - between - outside timeUnit: type: string enum: - s - m - h - d description: | The type of units for the time window: seconds, minutes, hours, or days. timeSize: type: number description: | The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. warningThreshold: type: array items: type: number warningComparator: type: string enum: - < - <= - '>' - '>=' - between - outside aggType: type: string enum: - custom customMetric: type: array items: oneOf: - type: object properties: name: type: string aggType: type: string enum: - avg - sum - max - min - cardinality description: | An aggregation to gather data for the rule. For example, find the average, highest or lowest value of a numeric field. Or use a cardinality aggregation to find the approximate number of unique values in a field. field: type: string - type: object properties: name: type: string aggType: type: string enum: - count filter: type: string equation: type: string label: type: string groupBy: oneOf: - type: string - type: array items: type: string description: | Create an alert for every unique value of the specified fields. For example, you can create a rule per host or every mount point of each host. IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region. filterQuery: type: string description: | A query that limits the scope of the rule. The rule evaluates only metric data that matches the query. sourceId: type: string alertOnNoData: type: boolean description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails. alertOnGroupDisappear: type: boolean description: | If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically. params_property_slo_burn_rate: properties: sloId: description: The SLO identifier used by the rule type: string example: 8853df00-ae2e-11ed-90af-09bb6422b258 burnRateThreshold: description: The burn rate threshold used to trigger the alert type: number example: 14.4 maxBurnRateThreshold: description: The maximum burn rate threshold value defined by the SLO error budget type: number example: 168 longWindow: description: The duration of the long window used to compute the burn rate type: object properties: value: description: The duration value type: number example: 6 unit: description: The duration unit type: string example: h shortWindow: description: The duration of the short window used to compute the burn rate type: object properties: value: description: The duration value type: number example: 30 unit: description: The duration unit type: string example: m params_property_synthetics_uptime_tls: properties: search: type: string certExpirationThreshold: type: number certAgeThreshold: type: number params_property_synthetics_monitor_status: required: - numTimes - shouldCheckStatus - shouldCheckAvailability properties: availability: type: object properties: range: type: number rangeUnit: type: string threshold: type: string filters: oneOf: - type: string - type: object deprecated: true properties: monitor.type: type: array items: type: string observer.geo.name: type: array items: type: string tags: type: array items: type: string url.port: type: array items: type: string locations: deprecated: true type: array items: type: string numTimes: type: number search: type: string shouldCheckStatus: type: boolean shouldCheckAvailability: type: boolean timerangeCount: type: number timerangeUnit: type: string timerange: deprecated: true type: object properties: from: type: string to: type: string version: type: number isAutoGenerated: type: boolean securitySchemes: apiKeyAuth: description: | These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: `Authorization: ApiKey base64AccessApiKey` in: header name: Authorization type: apiKey basicAuth: scheme: basic type: http x-topics: - title: Kibana spaces content: | Spaces enable you to organize your dashboards and other saved objects into meaningful categories. You can use the default space or create your own spaces. To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. For example: ``` curl -X GET "http://localhost:5601/s/marketing/api/data_views" ``` If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. To learn more, check out [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces).