## Summary Includes alerting rule APIs in our OAS snapshots. ## How to test Using bump CLI you can preview the output: ```sh bump preview ./oas_docs/bundle.json # or bump preview ./oas_docs/bundle.serverless.json ``` --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
{
|
|
"components": {
|
|
"schemas": {
|
|
"core_status_redactedResponse": {
|
|
"additionalProperties": false,
|
|
"description": "A minimal representation of Kibana's operational status.",
|
|
"properties": {
|
|
"status": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"overall": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"level": {
|
|
"description": "Service status levels as human and machine readable values.",
|
|
"enum": [
|
|
"available",
|
|
"degraded",
|
|
"unavailable",
|
|
"critical"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"level"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"overall"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"status"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"core_status_response": {
|
|
"additionalProperties": false,
|
|
"description": "Kibana's operational status as well as a detailed breakdown of plugin statuses and an indication of various loads (like event loop utilization and network traffic) at the time of the request.",
|
|
"properties": {
|
|
"metrics": {
|
|
"additionalProperties": false,
|
|
"description": "Metric groups collected by Kibana.",
|
|
"properties": {
|
|
"collection_interval_in_millis": {
|
|
"description": "The interval at which metrics should be collected.",
|
|
"type": "number"
|
|
},
|
|
"elasticsearch_client": {
|
|
"additionalProperties": false,
|
|
"description": "Current network metrics of Kibana's Elasticsearch client.",
|
|
"properties": {
|
|
"totalActiveSockets": {
|
|
"description": "Count of network sockets currently in use.",
|
|
"type": "number"
|
|
},
|
|
"totalIdleSockets": {
|
|
"description": "Count of network sockets currently idle.",
|
|
"type": "number"
|
|
},
|
|
"totalQueuedRequests": {
|
|
"description": "Count of requests not yet assigned to sockets.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"totalActiveSockets",
|
|
"totalIdleSockets",
|
|
"totalQueuedRequests"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"last_updated": {
|
|
"description": "The time metrics were collected.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"elasticsearch_client",
|
|
"last_updated",
|
|
"collection_interval_in_millis"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"name": {
|
|
"description": "Kibana instance name.",
|
|
"type": "string"
|
|
},
|
|
"status": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"core": {
|
|
"additionalProperties": false,
|
|
"description": "Statuses of core Kibana services.",
|
|
"properties": {
|
|
"elasticsearch": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"detail": {
|
|
"description": "Human readable detail of the service status.",
|
|
"type": "string"
|
|
},
|
|
"documentationUrl": {
|
|
"description": "A URL to further documentation regarding this service.",
|
|
"type": "string"
|
|
},
|
|
"level": {
|
|
"description": "Service status levels as human and machine readable values.",
|
|
"enum": [
|
|
"available",
|
|
"degraded",
|
|
"unavailable",
|
|
"critical"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"meta": {
|
|
"additionalProperties": {},
|
|
"description": "An unstructured set of extra metadata about this service.",
|
|
"type": "object"
|
|
},
|
|
"summary": {
|
|
"description": "A human readable summary of the service status.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"level",
|
|
"summary",
|
|
"meta"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"savedObjects": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"detail": {
|
|
"description": "Human readable detail of the service status.",
|
|
"type": "string"
|
|
},
|
|
"documentationUrl": {
|
|
"description": "A URL to further documentation regarding this service.",
|
|
"type": "string"
|
|
},
|
|
"level": {
|
|
"description": "Service status levels as human and machine readable values.",
|
|
"enum": [
|
|
"available",
|
|
"degraded",
|
|
"unavailable",
|
|
"critical"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"meta": {
|
|
"additionalProperties": {},
|
|
"description": "An unstructured set of extra metadata about this service.",
|
|
"type": "object"
|
|
},
|
|
"summary": {
|
|
"description": "A human readable summary of the service status.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"level",
|
|
"summary",
|
|
"meta"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"elasticsearch",
|
|
"savedObjects"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"overall": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"detail": {
|
|
"description": "Human readable detail of the service status.",
|
|
"type": "string"
|
|
},
|
|
"documentationUrl": {
|
|
"description": "A URL to further documentation regarding this service.",
|
|
"type": "string"
|
|
},
|
|
"level": {
|
|
"description": "Service status levels as human and machine readable values.",
|
|
"enum": [
|
|
"available",
|
|
"degraded",
|
|
"unavailable",
|
|
"critical"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"meta": {
|
|
"additionalProperties": {},
|
|
"description": "An unstructured set of extra metadata about this service.",
|
|
"type": "object"
|
|
},
|
|
"summary": {
|
|
"description": "A human readable summary of the service status.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"level",
|
|
"summary",
|
|
"meta"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"plugins": {
|
|
"additionalProperties": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"detail": {
|
|
"description": "Human readable detail of the service status.",
|
|
"type": "string"
|
|
},
|
|
"documentationUrl": {
|
|
"description": "A URL to further documentation regarding this service.",
|
|
"type": "string"
|
|
},
|
|
"level": {
|
|
"description": "Service status levels as human and machine readable values.",
|
|
"enum": [
|
|
"available",
|
|
"degraded",
|
|
"unavailable",
|
|
"critical"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"meta": {
|
|
"additionalProperties": {},
|
|
"description": "An unstructured set of extra metadata about this service.",
|
|
"type": "object"
|
|
},
|
|
"summary": {
|
|
"description": "A human readable summary of the service status.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"level",
|
|
"summary",
|
|
"meta"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"description": "A dynamic mapping of plugin ID to plugin status.",
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"overall",
|
|
"core",
|
|
"plugins"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"uuid": {
|
|
"description": "Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts.",
|
|
"type": "string"
|
|
},
|
|
"version": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"build_date": {
|
|
"description": "The date and time of this build.",
|
|
"type": "string"
|
|
},
|
|
"build_flavor": {
|
|
"description": "The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the \"traditional\" flavour, while other flavours are reserved for Elastic-specific use cases.",
|
|
"enum": [
|
|
"serverless",
|
|
"traditional"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"build_hash": {
|
|
"description": "A unique hash value representing the git commit of this Kibana build.",
|
|
"type": "string"
|
|
},
|
|
"build_number": {
|
|
"description": "A monotonically increasing number, each subsequent build will have a higher number.",
|
|
"type": "number"
|
|
},
|
|
"build_snapshot": {
|
|
"description": "Whether this build is a snapshot build.",
|
|
"type": "boolean"
|
|
},
|
|
"number": {
|
|
"description": "A semantic version number.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"number",
|
|
"build_hash",
|
|
"build_number",
|
|
"build_snapshot",
|
|
"build_flavor",
|
|
"build_date"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"name",
|
|
"uuid",
|
|
"version",
|
|
"status",
|
|
"metrics"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"securitySchemes": {
|
|
"apiKeyAuth": {
|
|
"in": "header",
|
|
"name": "Authorization",
|
|
"type": "apiKey"
|
|
},
|
|
"basicAuth": {
|
|
"scheme": "basic",
|
|
"type": "http"
|
|
}
|
|
}
|
|
},
|
|
"info": {
|
|
"title": "Kibana HTTP APIs",
|
|
"version": "0.0.0"
|
|
},
|
|
"openapi": "3.0.0",
|
|
"paths": {
|
|
"/api/alerting/rule/{id}": {
|
|
"delete": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D#2",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "A required header that protects against CSRF attacks. Only the header's presence is required; any string value (for example `true`) is accepted.",
|
|
"in": "header",
|
|
"name": "kbn-xsrf",
|
|
"required": true,
|
|
"schema": {
|
|
"example": "true",
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule.",
|
|
"in": "path",
|
|
"name": "id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"responses": {
|
|
"204": {
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Delete a rule",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
},
|
|
"get": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D#0",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule.",
|
|
"in": "path",
|
|
"name": "id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"responses": {
|
|
"200": {
|
|
"content": {
|
|
"application/json; Elastic-Api-Version=2023-10-31": {
|
|
"schema": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"actions": {
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"alerts_filter": {
|
|
"additionalProperties": false,
|
|
"description": "Conditions that limit whether the action runs: a `query` that alerts must match and/or a `timeframe` during which the action is allowed to run.",
|
|
"properties": {
|
|
"query": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"dsl": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).",
|
|
"type": "string"
|
|
},
|
|
"filters": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.",
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"$state": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"store": {
|
|
"description": "A filter can be either specific to an application context or applied globally.",
|
|
"enum": [
|
|
"appState",
|
|
"globalState"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"store"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"meta": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
},
|
|
"query": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"meta"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"kql": {
|
|
"description": "A filter written in Kibana Query Language (KQL).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kql",
|
|
"filters"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timeframe": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"days": {
|
|
"description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.",
|
|
"items": {
|
|
"enum": [
|
|
1,
|
|
2,
|
|
3,
|
|
4,
|
|
5,
|
|
6,
|
|
7
|
|
],
|
|
"type": "integer"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"hours": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"end": {
|
|
"description": "The end of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
},
|
|
"start": {
|
|
"description": "The start of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"start",
|
|
"end"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timezone": {
|
|
"description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"days",
|
|
"hours",
|
|
"timezone"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"connector_type_id": {
|
|
"description": "The type of connector. This property appears in responses but cannot be set in requests.",
|
|
"type": "string"
|
|
},
|
|
"frequency": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"summary": {
|
|
"description": "Indicates whether the action is a summary.",
|
|
"type": "boolean"
|
|
},
|
|
"throttle": {
|
|
"description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"summary",
|
|
"notify_when",
|
|
"throttle"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"group": {
|
|
"description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.",
|
|
"type": "string"
|
|
},
|
|
"id": {
|
|
"description": "The identifier for the connector saved object.",
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"description": "The parameters for the action, which are sent to the connector. Each `params` value is rendered as a Mustache template against a default context before it is sent.",
|
|
"type": "object"
|
|
},
|
|
"use_alert_data_for_template": {
|
|
"description": "Indicates whether alert data is used when rendering the Mustache templates in the action `params`.",
|
|
"type": "boolean"
|
|
},
|
|
"uuid": {
|
|
"description": "A universally unique identifier (UUID) for the action.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"id",
|
|
"connector_type_id",
|
|
"params"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"active_snoozes": {
|
|
"items": {
|
|
"description": "List of active snoozes for the rule.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"alert_delay": {
|
|
"additionalProperties": false,
|
|
"description": "Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.",
|
|
"properties": {
|
|
"active": {
|
|
"description": "The number of consecutive runs that must meet the rule conditions.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"active"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"api_key_created_by_user": {
|
|
"description": "Indicates whether the API key that is associated with the rule was created by the user.",
|
|
"nullable": true,
|
|
"type": "boolean"
|
|
},
|
|
"api_key_owner": {
|
|
"description": "The owner of the API key that is associated with the rule and used to run background tasks.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"consumer": {
|
|
"description": "The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.",
|
|
"type": "string"
|
|
},
|
|
"created_at": {
|
|
"description": "The date and time that the rule was created.",
|
|
"type": "string"
|
|
},
|
|
"created_by": {
|
|
"description": "The identifier for the user that created the rule.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"enabled": {
|
|
"description": "Indicates whether you want to run the rule on an interval basis after it is created.",
|
|
"type": "boolean"
|
|
},
|
|
"execution_status": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"error": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"message": {
|
|
"description": "Error message.",
|
|
"type": "string"
|
|
},
|
|
"reason": {
|
|
"description": "Reason for error.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"reason",
|
|
"message"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"last_duration": {
|
|
"description": "Duration of last execution of the rule.",
|
|
"type": "number"
|
|
},
|
|
"last_execution_date": {
|
|
"description": "The date and time when the rule was last executed.",
|
|
"type": "string"
|
|
},
|
|
"status": {
|
|
"description": "Status of rule execution.",
|
|
"enum": [
|
|
"ok",
|
|
"active",
|
|
"error",
|
|
"warning",
|
|
"pending",
|
|
"unknown"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"warning": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"message": {
|
|
"description": "Warning message.",
|
|
"type": "string"
|
|
},
|
|
"reason": {
|
|
"description": "Reason for warning.",
|
|
"enum": [
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"reason",
|
|
"message"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"status",
|
|
"last_execution_date"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"id": {
|
|
"description": "The identifier for the rule.",
|
|
"type": "string"
|
|
},
|
|
"is_snoozed_until": {
|
|
"description": "The date when the rule will no longer be snoozed.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"last_run": {
|
|
"additionalProperties": false,
|
|
"nullable": true,
|
|
"properties": {
|
|
"alerts_count": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"active": {
|
|
"description": "Number of active alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"ignored": {
|
|
"description": "Number of ignored alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"new": {
|
|
"description": "Number of new alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"recovered": {
|
|
"description": "Number of recovered alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"outcome": {
|
|
"description": "Outcome of last run of the rule. Value could be succeeded, warning or failed.",
|
|
"enum": [
|
|
"succeeded",
|
|
"warning",
|
|
"failed"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"outcome_msg": {
|
|
"items": {
|
|
"description": "Outcome message generated during last rule run.",
|
|
"type": "string"
|
|
},
|
|
"nullable": true,
|
|
"type": "array"
|
|
},
|
|
"outcome_order": {
|
|
"description": "Order of the outcome.",
|
|
"type": "number"
|
|
},
|
|
"warning": {
|
|
"description": "Warning of last rule execution.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate",
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"outcome",
|
|
"alerts_count"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"mapped_params": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
},
|
|
"monitoring": {
|
|
"additionalProperties": false,
|
|
"description": "Monitoring details of the rule.",
|
|
"properties": {
|
|
"run": {
|
|
"additionalProperties": false,
|
|
"description": "Rule run details.",
|
|
"properties": {
|
|
"calculated_metrics": {
|
|
"additionalProperties": false,
|
|
"description": "Calculation of different percentiles and success ratio.",
|
|
"properties": {
|
|
"p50": {
|
|
"type": "number"
|
|
},
|
|
"p95": {
|
|
"type": "number"
|
|
},
|
|
"p99": {
|
|
"type": "number"
|
|
},
|
|
"success_ratio": {
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"success_ratio"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"history": {
|
|
"description": "History of the rule run.",
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of the rule run.",
|
|
"type": "number"
|
|
},
|
|
"outcome": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"alerts_count": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"active": {
|
|
"description": "Number of active alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"ignored": {
|
|
"description": "Number of ignored alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"new": {
|
|
"description": "Number of new alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"recovered": {
|
|
"description": "Number of recovered alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"outcome": {
|
|
"description": "Outcome of last run of the rule. Value could be succeeded, warning or failed.",
|
|
"enum": [
|
|
"succeeded",
|
|
"warning",
|
|
"failed"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"outcome_msg": {
|
|
"items": {
|
|
"description": "Outcome message generated during last rule run.",
|
|
"type": "string"
|
|
},
|
|
"nullable": true,
|
|
"type": "array"
|
|
},
|
|
"outcome_order": {
|
|
"description": "Order of the outcome.",
|
|
"type": "number"
|
|
},
|
|
"warning": {
|
|
"description": "Warning of last rule execution.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate",
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"outcome",
|
|
"alerts_count"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"success": {
|
|
"description": "Indicates whether the rule run was successful.",
|
|
"type": "boolean"
|
|
},
|
|
"timestamp": {
|
|
"description": "Time of rule run.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"success",
|
|
"timestamp"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"last_run": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"metrics": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of most recent rule run.",
|
|
"type": "number"
|
|
},
|
|
"gap_duration_s": {
|
|
"description": "Duration in seconds of rule run gap.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_alerts_created": {
|
|
"description": "Total number of alerts created during last rule run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_alerts_detected": {
|
|
"description": "Total number of alerts detected during last rule run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_indexing_duration_ms": {
|
|
"description": "Total time spent indexing documents during last rule run in milliseconds.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_search_duration_ms": {
|
|
"description": "Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"timestamp": {
|
|
"description": "Time of the most recent rule run.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"timestamp",
|
|
"metrics"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"history",
|
|
"calculated_metrics",
|
|
"last_run"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"run"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"mute_all": {
|
|
"description": "Indicates whether all alerts are muted.",
|
|
"type": "boolean"
|
|
},
|
|
"muted_alert_ids": {
|
|
"items": {
|
|
"description": "List of identifiers of muted alerts.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"name": {
|
|
"description": "The name of the rule.",
|
|
"type": "string"
|
|
},
|
|
"next_run": {
|
|
"description": "Date and time of the next run of the rule.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"description": "The parameters for the rule.",
|
|
"type": "object"
|
|
},
|
|
"revision": {
|
|
"description": "The rule revision number.",
|
|
"type": "number"
|
|
},
|
|
"rule_type_id": {
|
|
"description": "The rule type identifier.",
|
|
"type": "string"
|
|
},
|
|
"running": {
|
|
"description": "Indicates whether the rule is running.",
|
|
"nullable": true,
|
|
"type": "boolean"
|
|
},
|
|
"schedule": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"interval": {
|
|
"description": "The interval is specified in seconds, minutes, hours, or days.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"interval"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"scheduled_task_id": {
|
|
"description": "Identifier of the scheduled task.",
|
|
"type": "string"
|
|
},
|
|
"snooze_schedule": {
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of the rule snooze schedule.",
|
|
"type": "number"
|
|
},
|
|
"id": {
|
|
"description": "Identifier of the rule snooze schedule.",
|
|
"type": "string"
|
|
},
|
|
"rRule": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"byhour": {
|
|
"items": {
|
|
"description": "Indicates hours of the day to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byminute": {
|
|
"items": {
|
|
"description": "Indicates minutes of the hour to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bymonth": {
|
|
"items": {
|
|
"description": "Indicates months of the year that this rule should recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bymonthday": {
|
|
"items": {
|
|
"description": "Indicates the days of the month to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bysecond": {
|
|
"items": {
|
|
"description": "Indicates seconds of the minute to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bysetpos": {
|
|
"items": {
|
|
"description": "A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byweekday": {
|
|
"items": {
|
|
"anyOf": [
|
|
{
|
|
"type": "string"
|
|
},
|
|
{
|
|
"type": "number"
|
|
}
|
|
],
|
|
"description": "Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination."
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byweekno": {
|
|
"items": {
|
|
"description": "Indicates the week numbers of the year to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byyearday": {
|
|
"items": {
|
|
"description": "Indicates the days of the year that this rule should recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"count": {
|
|
"description": "Number of times the rule should recur until it stops.",
|
|
"type": "number"
|
|
},
|
|
"dtstart": {
|
|
"description": "Rule start date in Coordinated Universal Time (UTC).",
|
|
"type": "string"
|
|
},
|
|
"freq": {
|
|
"description": "Indicates the frequency of the rule, using the `rrule` numeric constants: 0 YEARLY, 1 MONTHLY, 2 WEEKLY, 3 DAILY, 4 HOURLY, 5 MINUTELY, 6 SECONDLY.",
|
|
"enum": [
|
|
0,
|
|
1,
|
|
2,
|
|
3,
|
|
4,
|
|
5,
|
|
6
|
|
],
|
|
"type": "integer"
|
|
},
|
|
"interval": {
|
|
"description": "Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.",
|
|
"type": "number"
|
|
},
|
|
"tzid": {
|
|
"description": "Indicates the time zone identifier (such as an IANA zone name) in which the recurrence is evaluated.",
|
|
"type": "string"
|
|
},
|
|
"until": {
|
|
"description": "Recur the rule until this date.",
|
|
"type": "string"
|
|
},
|
|
"wkst": {
|
|
"description": "Indicates the start of week, defaults to Monday.",
|
|
"enum": [
|
|
"MO",
|
|
"TU",
|
|
"WE",
|
|
"TH",
|
|
"FR",
|
|
"SA",
|
|
"SU"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"dtstart",
|
|
"tzid"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"skipRecurrences": {
|
|
"items": {
|
|
"description": "Skips recurrence of rule on this date.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
}
|
|
},
|
|
"required": [
|
|
"duration",
|
|
"rRule"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"tags": {
|
|
"items": {
|
|
"description": "The tags for the rule.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"throttle": {
|
|
"deprecated": true,
|
|
"description": "Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"updated_at": {
|
|
"description": "The date and time that the rule was updated most recently.",
|
|
"type": "string"
|
|
},
|
|
"updated_by": {
|
|
"description": "The identifier for the user that updated this rule most recently.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"view_in_app_relative_url": {
|
|
"description": "Relative URL to view rule in the app.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"id",
|
|
"enabled",
|
|
"name",
|
|
"tags",
|
|
"rule_type_id",
|
|
"consumer",
|
|
"schedule",
|
|
"actions",
|
|
"params",
|
|
"created_by",
|
|
"updated_by",
|
|
"created_at",
|
|
"updated_at",
|
|
"api_key_owner",
|
|
"mute_all",
|
|
"muted_alert_ids",
|
|
"execution_status",
|
|
"revision"
|
|
],
|
|
"type": "object"
|
|
}
|
|
}
|
|
},
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Get rule details",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
},
|
|
"post": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%3F%7D#0",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "A required header to protect against CSRF attacks",
|
|
"in": "header",
|
|
"name": "kbn-xsrf",
|
|
"required": true,
|
|
"schema": {
|
|
"example": "true",
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule. If it is omitted, an ID is randomly generated.",
|
|
"in": "path",
|
|
"name": "id",
|
|
"required": false,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"requestBody": {
|
|
"content": {
|
|
"application/json; Elastic-Api-Version=2023-10-31": {
|
|
"schema": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"actions": {
|
|
"default": [],
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"description": "An action that runs under defined conditions.",
|
|
"properties": {
|
|
"alerts_filter": {
|
|
"additionalProperties": false,
|
|
"description": "Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.",
|
|
"properties": {
|
|
"query": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"dsl": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).",
|
|
"type": "string"
|
|
},
|
|
"filters": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.",
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"$state": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"store": {
|
|
"description": "A filter can be either specific to an application context or applied globally.",
|
|
"enum": [
|
|
"appState",
|
|
"globalState"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"store"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"meta": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
},
|
|
"query": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"meta"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"kql": {
|
|
"description": "A filter written in Kibana Query Language (KQL).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kql",
|
|
"filters"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timeframe": {
|
|
"additionalProperties": false,
|
|
"description": "Defines a period that limits whether the action runs.",
|
|
"properties": {
|
|
"days": {
|
|
"description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.",
|
|
"items": {
|
|
"enum": [
|
|
1,
|
|
2,
|
|
3,
|
|
4,
|
|
5,
|
|
6,
|
|
7
|
|
],
|
|
"type": "integer"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"hours": {
|
|
"additionalProperties": false,
|
|
"description": "Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.",
|
|
"properties": {
|
|
"end": {
|
|
"description": "The end of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
},
|
|
"start": {
|
|
"description": "The start of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"start",
|
|
"end"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timezone": {
|
|
"description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"days",
|
|
"hours",
|
|
"timezone"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"frequency": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"summary": {
|
|
"description": "Indicates whether the action is a summary.",
|
|
"type": "boolean"
|
|
},
|
|
"throttle": {
|
|
"description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"summary",
|
|
"notify_when",
|
|
"throttle"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"group": {
|
|
"description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.",
|
|
"type": "string"
|
|
},
|
|
"id": {
|
|
"description": "The identifier for the connector saved object.",
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"default": {},
|
|
"description": "The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.",
|
|
"type": "object"
|
|
},
|
|
"use_alert_data_for_template": {
|
|
"description": "Indicates whether to use alert data as a template.",
|
|
"type": "boolean"
|
|
},
|
|
"uuid": {
|
|
"description": "A universally unique identifier (UUID) for the action.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"id"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"alert_delay": {
|
|
"additionalProperties": false,
|
|
"description": "Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.",
|
|
"properties": {
|
|
"active": {
|
|
"description": "The number of consecutive runs that must meet the rule conditions.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"active"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"consumer": {
|
|
"description": "The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.",
|
|
"type": "string"
|
|
},
|
|
"enabled": {
|
|
"default": true,
|
|
"description": "Indicates whether you want to run the rule on an interval basis after it is created.",
|
|
"type": "boolean"
|
|
},
|
|
"name": {
|
|
"description": "The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.",
|
|
"type": "string"
|
|
},
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"default": {},
|
|
"description": "The parameters for the rule.",
|
|
"type": "object"
|
|
},
|
|
"rule_type_id": {
|
|
"description": "The rule type identifier.",
|
|
"type": "string"
|
|
},
|
|
"schedule": {
|
|
"additionalProperties": false,
|
|
"description": "The check interval, which specifies how frequently the rule conditions are checked.",
|
|
"properties": {
|
|
"interval": {
|
|
"description": "The interval is specified in seconds, minutes, hours, or days.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"interval"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"tags": {
|
|
"default": [],
|
|
"description": "The tags for the rule.",
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"throttle": {
|
|
"description": "Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"name",
|
|
"rule_type_id",
|
|
"consumer",
|
|
"schedule"
|
|
],
|
|
"type": "object"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"responses": {
|
|
"200": {
|
|
"content": {
|
|
"application/json; Elastic-Api-Version=2023-10-31": {
|
|
"schema": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"actions": {
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"alerts_filter": {
|
|
"additionalProperties": false,
|
|
"description": "Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.",
|
|
"properties": {
|
|
"query": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"dsl": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).",
|
|
"type": "string"
|
|
},
|
|
"filters": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.",
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"$state": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"store": {
|
|
"description": "A filter can be either specific to an application context or applied globally.",
|
|
"enum": [
|
|
"appState",
|
|
"globalState"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"store"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"meta": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
},
|
|
"query": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"meta"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"kql": {
|
|
"description": "A filter written in Kibana Query Language (KQL).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kql",
|
|
"filters"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timeframe": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"days": {
|
|
"description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.",
|
|
"items": {
|
|
"enum": [
|
|
1,
|
|
2,
|
|
3,
|
|
4,
|
|
5,
|
|
6,
|
|
7
|
|
],
|
|
"type": "integer"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"hours": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"end": {
|
|
"description": "The end of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
},
|
|
"start": {
|
|
"description": "The start of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"start",
|
|
"end"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timezone": {
|
|
"description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"days",
|
|
"hours",
|
|
"timezone"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"connector_type_id": {
|
|
"description": "The type of connector. This property appears in responses but cannot be set in requests.",
|
|
"type": "string"
|
|
},
|
|
"frequency": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"summary": {
|
|
"description": "Indicates whether the action is a summary.",
|
|
"type": "boolean"
|
|
},
|
|
"throttle": {
|
|
"description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"summary",
|
|
"notify_when",
|
|
"throttle"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"group": {
|
|
"description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.",
|
|
"type": "string"
|
|
},
|
|
"id": {
|
|
"description": "The identifier for the connector saved object.",
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"description": "The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.",
|
|
"type": "object"
|
|
},
|
|
"use_alert_data_for_template": {
|
|
"description": "Indicates whether to use alert data as a template.",
|
|
"type": "boolean"
|
|
},
|
|
"uuid": {
|
|
"description": "A universally unique identifier (UUID) for the action.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"id",
|
|
"connector_type_id",
|
|
"params"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"active_snoozes": {
|
|
"items": {
|
|
"description": "List of active snoozes for the rule.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"alert_delay": {
|
|
"additionalProperties": false,
|
|
"description": "Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.",
|
|
"properties": {
|
|
"active": {
|
|
"description": "The number of consecutive runs that must meet the rule conditions.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"active"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"api_key_created_by_user": {
|
|
"description": "Indicates whether the API key that is associated with the rule was created by the user.",
|
|
"nullable": true,
|
|
"type": "boolean"
|
|
},
|
|
"api_key_owner": {
|
|
"description": "The owner of the API key that is associated with the rule and used to run background tasks.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"consumer": {
|
|
"description": "The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.",
|
|
"type": "string"
|
|
},
|
|
"created_at": {
|
|
"description": "The date and time that the rule was created.",
|
|
"type": "string"
|
|
},
|
|
"created_by": {
|
|
"description": "The identifier for the user that created the rule.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"enabled": {
|
|
"description": "Indicates whether you want to run the rule on an interval basis after it is created.",
|
|
"type": "boolean"
|
|
},
|
|
"execution_status": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"error": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"message": {
|
|
"description": "Error message.",
|
|
"type": "string"
|
|
},
|
|
"reason": {
|
|
"description": "Reason for error.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"reason",
|
|
"message"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"last_duration": {
|
|
"description": "Duration of the last execution of the rule.",
|
|
"type": "number"
|
|
},
|
|
"last_execution_date": {
|
|
"description": "The date and time when the rule was last executed.",
|
|
"type": "string"
|
|
},
|
|
"status": {
|
|
"description": "Status of rule execution.",
|
|
"enum": [
|
|
"ok",
|
|
"active",
|
|
"error",
|
|
"warning",
|
|
"pending",
|
|
"unknown"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"warning": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"message": {
|
|
"description": "Warning message.",
|
|
"type": "string"
|
|
},
|
|
"reason": {
|
|
"description": "Reason for warning.",
|
|
"enum": [
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"reason",
|
|
"message"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"status",
|
|
"last_execution_date"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"id": {
|
|
"description": "The identifier for the rule.",
|
|
"type": "string"
|
|
},
|
|
"is_snoozed_until": {
|
|
"description": "The date when the rule will no longer be snoozed.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"last_run": {
|
|
"additionalProperties": false,
|
|
"nullable": true,
|
|
"properties": {
|
|
"alerts_count": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"active": {
|
|
"description": "Number of active alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"ignored": {
|
|
"description": "Number of ignored alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"new": {
|
|
"description": "Number of new alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"recovered": {
|
|
"description": "Number of recovered alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"outcome": {
|
|
"description": "Outcome of the last run of the rule: `succeeded`, `warning`, or `failed`.",
|
|
"enum": [
|
|
"succeeded",
|
|
"warning",
|
|
"failed"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"outcome_msg": {
|
|
"items": {
|
|
"description": "Outcome message generated during last rule run.",
|
|
"type": "string"
|
|
},
|
|
"nullable": true,
|
|
"type": "array"
|
|
},
|
|
"outcome_order": {
|
|
"description": "Order of the outcome.",
|
|
"type": "number"
|
|
},
|
|
"warning": {
|
|
"description": "Warning of last rule execution.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate",
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"outcome",
|
|
"alerts_count"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"mapped_params": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
},
|
|
"monitoring": {
|
|
"additionalProperties": false,
|
|
"description": "Monitoring details of the rule.",
|
|
"properties": {
|
|
"run": {
|
|
"additionalProperties": false,
|
|
"description": "Rule run details.",
|
|
"properties": {
|
|
"calculated_metrics": {
|
|
"additionalProperties": false,
|
|
"description": "Calculation of different percentiles and success ratio.",
|
|
"properties": {
|
|
"p50": {
|
|
"type": "number"
|
|
},
|
|
"p95": {
|
|
"type": "number"
|
|
},
|
|
"p99": {
|
|
"type": "number"
|
|
},
|
|
"success_ratio": {
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"success_ratio"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"history": {
|
|
"description": "History of the rule run.",
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of the rule run.",
|
|
"type": "number"
|
|
},
|
|
"outcome": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"alerts_count": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"active": {
|
|
"description": "Number of active alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"ignored": {
|
|
"description": "Number of ignored alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"new": {
|
|
"description": "Number of new alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"recovered": {
|
|
"description": "Number of recovered alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"outcome": {
|
|
"description": "Outcome of the last run of the rule: `succeeded`, `warning`, or `failed`.",
|
|
"enum": [
|
|
"succeeded",
|
|
"warning",
|
|
"failed"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"outcome_msg": {
|
|
"items": {
|
|
"description": "Outcome message generated during last rule run.",
|
|
"type": "string"
|
|
},
|
|
"nullable": true,
|
|
"type": "array"
|
|
},
|
|
"outcome_order": {
|
|
"description": "Order of the outcome.",
|
|
"type": "number"
|
|
},
|
|
"warning": {
|
|
"description": "Warning of last rule execution.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate",
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"outcome",
|
|
"alerts_count"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"success": {
|
|
"description": "Indicates whether the rule run was successful.",
|
|
"type": "boolean"
|
|
},
|
|
"timestamp": {
|
|
"description": "Time of rule run.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"success",
|
|
"timestamp"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"last_run": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"metrics": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of most recent rule run.",
|
|
"type": "number"
|
|
},
|
|
"gap_duration_s": {
|
|
"description": "Duration in seconds of rule run gap.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_alerts_created": {
|
|
"description": "Total number of alerts created during last rule run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_alerts_detected": {
|
|
"description": "Total number of alerts detected during last rule run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_indexing_duration_ms": {
|
|
"description": "Total time spent indexing documents during last rule run in milliseconds.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_search_duration_ms": {
|
|
"description": "Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"timestamp": {
|
|
"description": "Time of the most recent rule run.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"timestamp",
|
|
"metrics"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"history",
|
|
"calculated_metrics",
|
|
"last_run"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"run"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"mute_all": {
|
|
"description": "Indicates whether all alerts are muted.",
|
|
"type": "boolean"
|
|
},
|
|
"muted_alert_ids": {
|
|
"items": {
|
|
"description": "List of identifiers of muted alerts.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"name": {
|
|
"description": "The name of the rule.",
|
|
"type": "string"
|
|
},
|
|
"next_run": {
|
|
"description": "Date and time of the next run of the rule.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"description": "The parameters for the rule.",
|
|
"type": "object"
|
|
},
|
|
"revision": {
|
|
"description": "The rule revision number.",
|
|
"type": "number"
|
|
},
|
|
"rule_type_id": {
|
|
"description": "The rule type identifier.",
|
|
"type": "string"
|
|
},
|
|
"running": {
|
|
"description": "Indicates whether the rule is running.",
|
|
"nullable": true,
|
|
"type": "boolean"
|
|
},
|
|
"schedule": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"interval": {
|
|
"description": "The interval is specified in seconds, minutes, hours, or days.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"interval"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"scheduled_task_id": {
|
|
"description": "Identifier of the scheduled task.",
|
|
"type": "string"
|
|
},
|
|
"snooze_schedule": {
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of the rule snooze schedule.",
|
|
"type": "number"
|
|
},
|
|
"id": {
|
|
"description": "Identifier of the rule snooze schedule.",
|
|
"type": "string"
|
|
},
|
|
"rRule": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"byhour": {
|
|
"items": {
|
|
"description": "Indicates hours of the day to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byminute": {
|
|
"items": {
|
|
"description": "Indicates minutes of the hour to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bymonth": {
|
|
"items": {
|
|
"description": "Indicates the months of the year in which this rule should recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bymonthday": {
|
|
"items": {
|
|
"description": "Indicates the days of the month to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bysecond": {
|
|
"items": {
|
|
"description": "Indicates seconds of the day to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bysetpos": {
|
|
"items": {
|
|
"description": "A positive or negative integer affecting the nth day of the month. For example, -2 combined with a `byweekday` of FR is the second-to-last Friday of the month. It is recommended not to set this manually and to use `byweekday` instead.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byweekday": {
|
|
"items": {
|
|
"anyOf": [
|
|
{
|
|
"type": "string"
|
|
},
|
|
{
|
|
"type": "number"
|
|
}
|
|
],
|
|
"description": "Indicates the days of the week to recur, or nth-day-of-month strings. For example, \"+2TU\" is the second Tuesday of the month and \"-1FR\" is the last Friday of the month; such strings are internally converted to a `byweekday`/`bysetpos` combination."
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byweekno": {
|
|
"items": {
|
|
"description": "Indicates the week numbers of the year to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byyearday": {
|
|
"items": {
|
|
"description": "Indicates the days of the year on which this rule should recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"count": {
|
|
"description": "Number of times the rule should recur until it stops.",
|
|
"type": "number"
|
|
},
|
|
"dtstart": {
|
|
"description": "Rule start date in Coordinated Universal Time (UTC).",
|
|
"type": "string"
|
|
},
|
|
"freq": {
|
|
"description": "Indicates the frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.",
|
|
"enum": [
|
|
0,
|
|
1,
|
|
2,
|
|
3,
|
|
4,
|
|
5,
|
|
6
|
|
],
|
|
"type": "integer"
|
|
},
|
|
"interval": {
|
|
"description": "Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.",
|
|
"type": "number"
|
|
},
|
|
"tzid": {
|
|
"description": "Indicates timezone abbreviation.",
|
|
"type": "string"
|
|
},
|
|
"until": {
|
|
"description": "Recur the rule until this date.",
|
|
"type": "string"
|
|
},
|
|
"wkst": {
|
|
"description": "Indicates the start of the week; defaults to Monday.",
|
|
"enum": [
|
|
"MO",
|
|
"TU",
|
|
"WE",
|
|
"TH",
|
|
"FR",
|
|
"SA",
|
|
"SU"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"dtstart",
|
|
"tzid"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"skipRecurrences": {
|
|
"items": {
|
|
"description": "Skips recurrence of rule on this date.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
}
|
|
},
|
|
"required": [
|
|
"duration",
|
|
"rRule"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"tags": {
|
|
"items": {
|
|
"description": "The tags for the rule.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"throttle": {
|
|
"deprecated": true,
|
|
"description": "Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"updated_at": {
|
|
"description": "The date and time that the rule was updated most recently.",
|
|
"type": "string"
|
|
},
|
|
"updated_by": {
|
|
"description": "The identifier for the user that updated this rule most recently.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"view_in_app_relative_url": {
|
|
"description": "Relative URL to view rule in the app.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"id",
|
|
"enabled",
|
|
"name",
|
|
"tags",
|
|
"rule_type_id",
|
|
"consumer",
|
|
"schedule",
|
|
"actions",
|
|
"params",
|
|
"created_by",
|
|
"updated_by",
|
|
"created_at",
|
|
"updated_at",
|
|
"api_key_owner",
|
|
"mute_all",
|
|
"muted_alert_ids",
|
|
"execution_status",
|
|
"revision"
|
|
],
|
|
"type": "object"
|
|
}
|
|
}
|
|
},
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Create a rule",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
},
|
|
"put": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D#1",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "A required header to protect against CSRF attacks",
|
|
"in": "header",
|
|
"name": "kbn-xsrf",
|
|
"required": true,
|
|
"schema": {
|
|
"example": "true",
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule.",
|
|
"in": "path",
|
|
"name": "id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"requestBody": {
|
|
"content": {
|
|
"application/json; Elastic-Api-Version=2023-10-31": {
|
|
"schema": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"actions": {
|
|
"default": [],
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"description": "An action that runs under defined conditions.",
|
|
"properties": {
|
|
"alerts_filter": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"query": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"dsl": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).",
|
|
"type": "string"
|
|
},
|
|
"filters": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.",
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"$state": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"store": {
|
|
"description": "A filter can be either specific to an application context or applied globally.",
|
|
"enum": [
|
|
"appState",
|
|
"globalState"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"store"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"meta": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
},
|
|
"query": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"meta"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"kql": {
|
|
"description": "A filter written in Kibana Query Language (KQL).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kql",
|
|
"filters"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timeframe": {
|
|
"additionalProperties": false,
|
|
"description": "Defines a period that limits whether the action runs.",
|
|
"properties": {
|
|
"days": {
|
|
"description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.",
|
|
"items": {
|
|
"enum": [
|
|
1,
|
|
2,
|
|
3,
|
|
4,
|
|
5,
|
|
6,
|
|
7
|
|
],
|
|
"type": "integer"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"hours": {
|
|
"additionalProperties": false,
|
|
"description": "Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day.",
|
|
"properties": {
|
|
"end": {
|
|
"description": "The end of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
},
|
|
"start": {
|
|
"description": "The start of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"start",
|
|
"end"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timezone": {
|
|
"description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"days",
|
|
"hours",
|
|
"timezone"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"frequency": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"summary": {
|
|
"description": "Indicates whether the action is a summary.",
|
|
"type": "boolean"
|
|
},
|
|
"throttle": {
|
|
"description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"summary",
|
|
"notify_when",
|
|
"throttle"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"group": {
|
|
"description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.",
|
|
"type": "string"
|
|
},
|
|
"id": {
|
|
"description": "The identifier for the connector saved object.",
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"default": {},
|
|
"description": "The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.",
|
|
"type": "object"
|
|
},
|
|
"use_alert_data_for_template": {
|
|
"description": "Indicates whether to use alert data as a template.",
|
|
"type": "boolean"
|
|
},
|
|
"uuid": {
|
|
"description": "A universally unique identifier (UUID) for the action.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"id"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"alert_delay": {
|
|
"additionalProperties": false,
|
|
"description": "Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.",
|
|
"properties": {
|
|
"active": {
|
|
"description": "The number of consecutive runs that must meet the rule conditions.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"active"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"name": {
|
|
"description": "The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.",
|
|
"type": "string"
|
|
},
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"default": {},
|
|
"description": "The parameters for the rule.",
|
|
"type": "object"
|
|
},
|
|
"schedule": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"interval": {
|
|
"description": "The interval is specified in seconds, minutes, hours, or days.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"interval"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"tags": {
|
|
"default": [],
|
|
"items": {
|
|
"description": "The tags for the rule.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"throttle": {
|
|
"description": "Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"name",
|
|
"schedule"
|
|
],
|
|
"type": "object"
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"responses": {
|
|
"200": {
|
|
"content": {
|
|
"application/json; Elastic-Api-Version=2023-10-31": {
|
|
"schema": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"actions": {
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"alerts_filter": {
|
|
"additionalProperties": false,
|
|
"description": "Defines a period that limits whether the action runs.",
|
|
"properties": {
|
|
"query": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"dsl": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).",
|
|
"type": "string"
|
|
},
|
|
"filters": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.",
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"$state": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"store": {
|
|
"description": "A filter can be either specific to an application context or applied globally.",
|
|
"enum": [
|
|
"appState",
|
|
"globalState"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"store"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"meta": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
},
|
|
"query": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"meta"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"kql": {
|
|
"description": "A filter written in Kibana Query Language (KQL).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kql",
|
|
"filters"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timeframe": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"days": {
|
|
"description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.",
|
|
"items": {
|
|
"enum": [
|
|
1,
|
|
2,
|
|
3,
|
|
4,
|
|
5,
|
|
6,
|
|
7
|
|
],
|
|
"type": "integer"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"hours": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"end": {
|
|
"description": "The end of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
},
|
|
"start": {
|
|
"description": "The start of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"start",
|
|
"end"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timezone": {
|
|
"description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"days",
|
|
"hours",
|
|
"timezone"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"connector_type_id": {
|
|
"description": "The type of connector. This property appears in responses but cannot be set in requests.",
|
|
"type": "string"
|
|
},
|
|
"frequency": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"summary": {
|
|
"description": "Indicates whether the action is a summary.",
|
|
"type": "boolean"
|
|
},
|
|
"throttle": {
|
|
"description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"summary",
|
|
"notify_when",
|
|
"throttle"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"group": {
|
|
"description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.",
|
|
"type": "string"
|
|
},
|
|
"id": {
|
|
"description": "The identifier for the connector saved object.",
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"description": "The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.",
|
|
"type": "object"
|
|
},
|
|
"use_alert_data_for_template": {
|
|
"description": "Indicates whether to use alert data as a template.",
|
|
"type": "boolean"
|
|
},
|
|
"uuid": {
|
|
"description": "A universally unique identifier (UUID) for the action.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"id",
|
|
"connector_type_id",
|
|
"params"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"active_snoozes": {
|
|
"items": {
|
|
"description": "List of active snoozes for the rule.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"alert_delay": {
|
|
"additionalProperties": false,
|
|
"description": "Indicates that an alert occurs only when the specified number of consecutive runs meet the rule conditions.",
|
|
"properties": {
|
|
"active": {
|
|
"description": "The number of consecutive runs that must meet the rule conditions.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"active"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"api_key_created_by_user": {
|
|
"description": "Indicates whether the API key that is associated with the rule was created by the user.",
|
|
"nullable": true,
|
|
"type": "boolean"
|
|
},
|
|
"api_key_owner": {
|
|
"description": "The owner of the API key that is associated with the rule and used to run background tasks.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"consumer": {
|
|
"description": "The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.",
|
|
"type": "string"
|
|
},
|
|
"created_at": {
|
|
"description": "The date and time that the rule was created.",
|
|
"type": "string"
|
|
},
|
|
"created_by": {
|
|
"description": "The identifier for the user that created the rule.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"enabled": {
|
|
"description": "Indicates whether you want to run the rule on an interval basis after it is created.",
|
|
"type": "boolean"
|
|
},
|
|
"execution_status": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"error": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"message": {
|
|
"description": "Error message.",
|
|
"type": "string"
|
|
},
|
|
"reason": {
|
|
"description": "Reason for error.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"reason",
|
|
"message"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"last_duration": {
|
|
"description": "Duration of the last execution of the rule.",
|
|
"type": "number"
|
|
},
|
|
"last_execution_date": {
|
|
"description": "The date and time when the rule was last executed.",
|
|
"type": "string"
|
|
},
|
|
"status": {
|
|
"description": "Status of rule execution.",
|
|
"enum": [
|
|
"ok",
|
|
"active",
|
|
"error",
|
|
"warning",
|
|
"pending",
|
|
"unknown"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"warning": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"message": {
|
|
"description": "Warning message.",
|
|
"type": "string"
|
|
},
|
|
"reason": {
|
|
"description": "Reason for warning.",
|
|
"enum": [
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"reason",
|
|
"message"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"status",
|
|
"last_execution_date"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"id": {
|
|
"description": "The identifier for the rule.",
|
|
"type": "string"
|
|
},
|
|
"is_snoozed_until": {
|
|
"description": "The date when the rule will no longer be snoozed.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"last_run": {
|
|
"additionalProperties": false,
|
|
"nullable": true,
|
|
"properties": {
|
|
"alerts_count": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"active": {
|
|
"description": "Number of active alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"ignored": {
|
|
"description": "Number of ignored alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"new": {
|
|
"description": "Number of new alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"recovered": {
|
|
"description": "Number of recovered alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"outcome": {
|
|
"description": "Outcome of the last run of the rule. The value can be `succeeded`, `warning`, or `failed`.",
|
|
"enum": [
|
|
"succeeded",
|
|
"warning",
|
|
"failed"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"outcome_msg": {
|
|
"items": {
|
|
"description": "Outcome message generated during the last rule run.",
|
|
"type": "string"
|
|
},
|
|
"nullable": true,
|
|
"type": "array"
|
|
},
|
|
"outcome_order": {
|
|
"description": "Order of the outcome.",
|
|
"type": "number"
|
|
},
|
|
"warning": {
|
|
"description": "Warning of last rule execution.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate",
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"outcome",
|
|
"alerts_count"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"mapped_params": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
},
|
|
"monitoring": {
|
|
"additionalProperties": false,
|
|
"description": "Monitoring details of the rule.",
|
|
"properties": {
|
|
"run": {
|
|
"additionalProperties": false,
|
|
"description": "Rule run details.",
|
|
"properties": {
|
|
"calculated_metrics": {
|
|
"additionalProperties": false,
|
|
"description": "Calculation of different percentiles and the success ratio of rule runs.",
|
|
"properties": {
|
|
"p50": {
|
|
"type": "number"
|
|
},
|
|
"p95": {
|
|
"type": "number"
|
|
},
|
|
"p99": {
|
|
"type": "number"
|
|
},
|
|
"success_ratio": {
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"success_ratio"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"history": {
|
|
"description": "History of the rule run.",
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of the rule run.",
|
|
"type": "number"
|
|
},
|
|
"outcome": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"alerts_count": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"active": {
|
|
"description": "Number of active alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"ignored": {
|
|
"description": "Number of ignored alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"new": {
|
|
"description": "Number of new alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"recovered": {
|
|
"description": "Number of recovered alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"outcome": {
|
|
"description": "Outcome of the last run of the rule. The value can be `succeeded`, `warning`, or `failed`.",
|
|
"enum": [
|
|
"succeeded",
|
|
"warning",
|
|
"failed"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"outcome_msg": {
|
|
"items": {
|
|
"description": "Outcome message generated during the last rule run.",
|
|
"type": "string"
|
|
},
|
|
"nullable": true,
|
|
"type": "array"
|
|
},
|
|
"outcome_order": {
|
|
"description": "Order of the outcome.",
|
|
"type": "number"
|
|
},
|
|
"warning": {
|
|
"description": "Warning of last rule execution.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate",
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"outcome",
|
|
"alerts_count"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"success": {
|
|
"description": "Indicates whether the rule run was successful.",
|
|
"type": "boolean"
|
|
},
|
|
"timestamp": {
|
|
"description": "Time of the rule run.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"success",
|
|
"timestamp"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"last_run": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"metrics": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of most recent rule run.",
|
|
"type": "number"
|
|
},
|
|
"gap_duration_s": {
|
|
"description": "Duration in seconds of the rule run gap.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_alerts_created": {
|
|
"description": "Total number of alerts created during last rule run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_alerts_detected": {
|
|
"description": "Total number of alerts detected during last rule run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_indexing_duration_ms": {
|
|
"description": "Total time in milliseconds spent indexing documents during the last rule run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_search_duration_ms": {
|
|
"description": "Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"timestamp": {
|
|
"description": "Time of the most recent rule run.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"timestamp",
|
|
"metrics"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"history",
|
|
"calculated_metrics",
|
|
"last_run"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"run"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"mute_all": {
|
|
"description": "Indicates whether all alerts are muted.",
|
|
"type": "boolean"
|
|
},
|
|
"muted_alert_ids": {
|
|
"items": {
|
|
"description": "List of identifiers of muted alerts.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"name": {
|
|
"description": "The name of the rule.",
|
|
"type": "string"
|
|
},
|
|
"next_run": {
|
|
"description": "Date and time of the next run of the rule.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"description": "The parameters for the rule.",
|
|
"type": "object"
|
|
},
|
|
"revision": {
|
|
"description": "The rule revision number.",
|
|
"type": "number"
|
|
},
|
|
"rule_type_id": {
|
|
"description": "The rule type identifier.",
|
|
"type": "string"
|
|
},
|
|
"running": {
|
|
"description": "Indicates whether the rule is running.",
|
|
"nullable": true,
|
|
"type": "boolean"
|
|
},
|
|
"schedule": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"interval": {
|
|
"description": "The interval is specified in seconds, minutes, hours, or days.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"interval"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"scheduled_task_id": {
|
|
"description": "Identifier of the scheduled task.",
|
|
"type": "string"
|
|
},
|
|
"snooze_schedule": {
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of the rule snooze schedule.",
|
|
"type": "number"
|
|
},
|
|
"id": {
|
|
"description": "Identifier of the rule snooze schedule.",
|
|
"type": "string"
|
|
},
|
|
"rRule": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"byhour": {
|
|
"items": {
|
|
"description": "Indicates hours of the day to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byminute": {
|
|
"items": {
|
|
"description": "Indicates minutes of the hour to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bymonth": {
|
|
"items": {
|
|
"description": "Indicates months of the year that this rule should recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bymonthday": {
|
|
"items": {
|
|
"description": "Indicates the days of the month to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bysecond": {
|
|
"items": {
|
|
"description": "Indicates seconds of the day to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bysetpos": {
|
|
"items": {
|
|
"description": "A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byweekday": {
|
|
"items": {
|
|
"anyOf": [
|
|
{
|
|
"type": "string"
|
|
},
|
|
{
|
|
"type": "number"
|
|
}
|
|
],
|
|
"description": "Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination."
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byweekno": {
|
|
"items": {
|
|
"description": "Indicates the week numbers to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byyearday": {
|
|
"items": {
|
|
"description": "Indicates the days of the year that this rule should recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"count": {
|
|
"description": "Number of times the rule should recur until it stops.",
|
|
"type": "number"
|
|
},
|
|
"dtstart": {
|
|
"description": "Rule start date in Coordinated Universal Time (UTC).",
|
|
"type": "string"
|
|
},
|
|
"freq": {
|
|
"description": "Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.",
|
|
"enum": [
|
|
0,
|
|
1,
|
|
2,
|
|
3,
|
|
4,
|
|
5,
|
|
6
|
|
],
|
|
"type": "integer"
|
|
},
|
|
"interval": {
|
|
"description": "Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.",
|
|
"type": "number"
|
|
},
|
|
"tzid": {
|
|
"description": "Indicates timezone abbreviation.",
|
|
"type": "string"
|
|
},
|
|
"until": {
|
|
"description": "Recur the rule until this date.",
|
|
"type": "string"
|
|
},
|
|
"wkst": {
|
|
"description": "Indicates the start of week, defaults to Monday.",
|
|
"enum": [
|
|
"MO",
|
|
"TU",
|
|
"WE",
|
|
"TH",
|
|
"FR",
|
|
"SA",
|
|
"SU"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"dtstart",
|
|
"tzid"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"skipRecurrences": {
|
|
"items": {
|
|
"description": "Skips the recurrence of the rule on this date.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
}
|
|
},
|
|
"required": [
|
|
"duration",
|
|
"rRule"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"tags": {
|
|
"items": {
|
|
"description": "The tags for the rule.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"throttle": {
|
|
"deprecated": true,
|
|
"description": "Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"updated_at": {
|
|
"description": "The date and time that the rule was updated most recently.",
|
|
"type": "string"
|
|
},
|
|
"updated_by": {
|
|
"description": "The identifier for the user that updated this rule most recently.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"view_in_app_relative_url": {
|
|
"description": "Relative URL to view rule in the app.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"id",
|
|
"enabled",
|
|
"name",
|
|
"tags",
|
|
"rule_type_id",
|
|
"consumer",
|
|
"schedule",
|
|
"actions",
|
|
"params",
|
|
"created_by",
|
|
"updated_by",
|
|
"created_at",
|
|
"updated_at",
|
|
"api_key_owner",
|
|
"mute_all",
|
|
"muted_alert_ids",
|
|
"execution_status",
|
|
"revision"
|
|
],
|
|
"type": "object"
|
|
}
|
|
}
|
|
},
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Update a rule",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
}
|
|
},
|
|
"/api/alerting/rule/{id}/_disable": {
|
|
"post": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_disable#0",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "A required header to protect against cross-site request forgery (CSRF) attacks.",
|
|
"in": "header",
|
|
"name": "kbn-xsrf",
|
|
"required": true,
|
|
"schema": {
|
|
"example": "true",
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule.",
|
|
"in": "path",
|
|
"name": "id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"requestBody": {
|
|
"content": {
|
|
"application/json; Elastic-Api-Version=2023-10-31": {
|
|
"schema": {
|
|
"additionalProperties": false,
|
|
"nullable": true,
|
|
"properties": {
|
|
"untrack": {
|
|
"description": "Defines whether the rule's currently active alerts should be untracked when the rule is disabled.",
|
|
"type": "boolean"
|
|
}
|
|
},
|
|
"type": "object",
|
|
"x-oas-optional": true
|
|
}
|
|
}
|
|
}
|
|
},
|
|
"responses": {
|
|
"204": {
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Disable a rule",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
}
|
|
},
|
|
"/api/alerting/rule/{id}/_enable": {
|
|
"post": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_enable#0",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "A required header to protect against cross-site request forgery (CSRF) attacks.",
|
|
"in": "header",
|
|
"name": "kbn-xsrf",
|
|
"required": true,
|
|
"schema": {
|
|
"example": "true",
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule.",
|
|
"in": "path",
|
|
"name": "id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"responses": {
|
|
"204": {
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Enable a rule",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
}
|
|
},
|
|
"/api/alerting/rule/{id}/_mute_all": {
|
|
"post": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_mute_all#0",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "A required header to protect against cross-site request forgery (CSRF) attacks.",
|
|
"in": "header",
|
|
"name": "kbn-xsrf",
|
|
"required": true,
|
|
"schema": {
|
|
"example": "true",
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule.",
|
|
"in": "path",
|
|
"name": "id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"responses": {
|
|
"204": {
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Mute all alerts",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
}
|
|
},
|
|
"/api/alerting/rule/{id}/_unmute_all": {
|
|
"post": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_unmute_all#0",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "A required header to protect against cross-site request forgery (CSRF) attacks.",
|
|
"in": "header",
|
|
"name": "kbn-xsrf",
|
|
"required": true,
|
|
"schema": {
|
|
"example": "true",
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule.",
|
|
"in": "path",
|
|
"name": "id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"responses": {
|
|
"204": {
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Unmute all alerts",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
}
|
|
},
|
|
"/api/alerting/rule/{id}/_update_api_key": {
|
|
"post": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_update_api_key#0",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "A required header to protect against cross-site request forgery (CSRF) attacks.",
|
|
"in": "header",
|
|
"name": "kbn-xsrf",
|
|
"required": true,
|
|
"schema": {
|
|
"example": "true",
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule.",
|
|
"in": "path",
|
|
"name": "id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"responses": {
|
|
"204": {
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Update the API key for a rule",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
}
|
|
},
|
|
"/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute": {
|
|
"post": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_mute#0",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "A required header to protect against cross-site request forgery (CSRF) attacks.",
|
|
"in": "header",
|
|
"name": "kbn-xsrf",
|
|
"required": true,
|
|
"schema": {
|
|
"example": "true",
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule.",
|
|
"in": "path",
|
|
"name": "rule_id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the alert.",
|
|
"in": "path",
|
|
"name": "alert_id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"responses": {
|
|
"204": {
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Mute an alert",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
}
|
|
},
|
|
"/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute": {
|
|
"post": {
|
|
"operationId": "%2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_unmute#0",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "A required header to protect against cross-site request forgery (CSRF) attacks.",
|
|
"in": "header",
|
|
"name": "kbn-xsrf",
|
|
"required": true,
|
|
"schema": {
|
|
"example": "true",
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the rule.",
|
|
"in": "path",
|
|
"name": "rule_id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The identifier for the alert.",
|
|
"in": "path",
|
|
"name": "alert_id",
|
|
"required": true,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
}
|
|
],
|
|
"responses": {
|
|
"204": {
|
|
"description": "Indicates a successful call."
|
|
}
|
|
},
|
|
"summary": "Unmute an alert",
|
|
"tags": [
|
|
"alerting"
|
|
]
|
|
}
|
|
},
|
|
"/api/alerting/rules/_find": {
|
|
"get": {
|
|
"operationId": "%2Fapi%2Falerting%2Frules%2F_find#0",
|
|
"parameters": [
|
|
{
|
|
"description": "The version of the API to use",
|
|
"in": "header",
|
|
"name": "elastic-api-version",
|
|
"schema": {
|
|
"default": "2023-10-31",
|
|
"enum": [
|
|
"2023-10-31"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The number of rules to return per page.",
|
|
"in": "query",
|
|
"name": "per_page",
|
|
"required": false,
|
|
"schema": {
|
|
"default": 10,
|
|
"minimum": 0,
|
|
"type": "number"
|
|
}
|
|
},
|
|
{
|
|
"description": "The page number to return.",
|
|
"in": "query",
|
|
"name": "page",
|
|
"required": false,
|
|
"schema": {
|
|
"default": 1,
|
|
"minimum": 1,
|
|
"type": "number"
|
|
}
|
|
},
|
|
{
|
|
"description": "An Elasticsearch simple_query_string query that filters the objects in the response.",
|
|
"in": "query",
|
|
"name": "search",
|
|
"required": false,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The default operator to use for the simple_query_string.",
|
|
"in": "query",
|
|
"name": "default_search_operator",
|
|
"required": false,
|
|
"schema": {
|
|
"default": "OR",
|
|
"enum": [
|
|
"OR",
|
|
"AND"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "The fields to perform the simple_query_string parsed query against.",
|
|
"in": "query",
|
|
"name": "search_fields",
|
|
"required": false,
|
|
"schema": {
|
|
"anyOf": [
|
|
{
|
|
"items": {
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
{
|
|
"type": "string"
|
|
}
|
|
]
|
|
}
|
|
},
|
|
{
|
|
"description": "Determines which field is used to sort the results. The field must exist in the `attributes` key of the response.",
|
|
"in": "query",
|
|
"name": "sort_field",
|
|
"required": false,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "Determines the sort order.",
|
|
"in": "query",
|
|
"name": "sort_order",
|
|
"required": false,
|
|
"schema": {
|
|
"enum": [
|
|
"asc",
|
|
"desc"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"description": "Filters the rules that have a relation with the reference objects with a specific type and identifier.",
|
|
"in": "query",
|
|
"name": "has_reference",
|
|
"required": false,
|
|
"schema": {
|
|
"additionalProperties": false,
|
|
"nullable": true,
|
|
"properties": {
|
|
"id": {
|
|
"type": "string"
|
|
},
|
|
"type": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"type",
|
|
"id"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
{
|
|
"in": "query",
|
|
"name": "fields",
|
|
"required": false,
|
|
"schema": {
|
|
"items": {
|
|
"description": "The fields to return in the `attributes` key of the response.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
}
|
|
},
|
|
{
|
|
"description": "A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: \"myTitle\"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.",
|
|
"in": "query",
|
|
"name": "filter",
|
|
"required": false,
|
|
"schema": {
|
|
"type": "string"
|
|
}
|
|
},
|
|
{
|
|
"in": "query",
|
|
"name": "filter_consumers",
|
|
"required": false,
|
|
"schema": {
|
|
"items": {
|
|
"description": "List of consumers to filter the returned rules by.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
}
|
|
}
|
|
],
|
|
"responses": {
|
|
"200": {
|
|
"content": {
|
|
"application/json; Elastic-Api-Version=2023-10-31": {
|
|
"schema": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"actions": {
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"alerts_filter": {
|
|
"additionalProperties": false,
|
|
"description": "Defines a query and a time frame that limit whether the action runs.",
|
|
"properties": {
|
|
"query": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"dsl": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).",
|
|
"type": "string"
|
|
},
|
|
"filters": {
|
|
"description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.",
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"$state": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"store": {
|
|
"description": "A filter can be either specific to an application context or applied globally.",
|
|
"enum": [
|
|
"appState",
|
|
"globalState"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"store"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"meta": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
},
|
|
"query": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"meta"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"kql": {
|
|
"description": "A filter written in Kibana Query Language (KQL).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"kql",
|
|
"filters"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timeframe": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"days": {
|
|
"description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.",
|
|
"items": {
|
|
"enum": [
|
|
1,
|
|
2,
|
|
3,
|
|
4,
|
|
5,
|
|
6,
|
|
7
|
|
],
|
|
"type": "integer"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"hours": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"end": {
|
|
"description": "The end of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
},
|
|
"start": {
|
|
"description": "The start of the time frame in 24-hour notation (`hh:mm`).",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"start",
|
|
"end"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"timezone": {
|
|
"description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"days",
|
|
"hours",
|
|
"timezone"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"connector_type_id": {
|
|
"description": "The type of connector. This property appears in responses but cannot be set in requests.",
|
|
"type": "string"
|
|
},
|
|
"frequency": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"summary": {
|
|
"description": "Indicates whether the action is a summary.",
|
|
"type": "boolean"
|
|
},
|
|
"throttle": {
|
|
"description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"summary",
|
|
"notify_when",
|
|
"throttle"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"group": {
|
|
"description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.",
|
|
"type": "string"
|
|
},
|
|
"id": {
|
|
"description": "The identifier for the connector saved object.",
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"description": "The parameters for the action, which are sent to the connector. The `params` are rendered as Mustache templates against a default set of context variables before they are passed to the connector.",
|
|
"type": "object"
|
|
},
|
|
"use_alert_data_for_template": {
|
|
"description": "Indicates whether alert data is used as the context when rendering the action's Mustache templates.",
|
|
"type": "boolean"
|
|
},
|
|
"uuid": {
|
|
"description": "A universally unique identifier (UUID) for the action.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"id",
|
|
"connector_type_id",
|
|
"params"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"active_snoozes": {
|
|
"items": {
|
|
"description": "List of active snoozes for the rule.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"alert_delay": {
|
|
"additionalProperties": false,
|
|
"description": "Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.",
|
|
"properties": {
|
|
"active": {
|
|
"description": "The number of consecutive runs that must meet the rule conditions.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"active"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"api_key_created_by_user": {
|
|
"description": "Indicates whether the API key that is associated with the rule was created by the user.",
|
|
"nullable": true,
|
|
"type": "boolean"
|
|
},
|
|
"api_key_owner": {
|
|
"description": "The owner of the API key that is associated with the rule and used to run background tasks.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"consumer": {
|
|
"description": "The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.",
|
|
"type": "string"
|
|
},
|
|
"created_at": {
|
|
"description": "The date and time that the rule was created.",
|
|
"type": "string"
|
|
},
|
|
"created_by": {
|
|
"description": "The identifier for the user that created the rule.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"enabled": {
|
|
"description": "Indicates whether the rule is enabled and runs on its schedule interval.",
|
|
"type": "boolean"
|
|
},
|
|
"execution_status": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"error": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"message": {
|
|
"description": "Error message.",
|
|
"type": "string"
|
|
},
|
|
"reason": {
|
|
"description": "Reason for error.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"reason",
|
|
"message"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"last_duration": {
|
|
"description": "Duration of last execution of the rule.",
|
|
"type": "number"
|
|
},
|
|
"last_execution_date": {
|
|
"description": "The date and time when rule was executed last.",
|
|
"type": "string"
|
|
},
|
|
"status": {
|
|
"description": "Status of rule execution.",
|
|
"enum": [
|
|
"ok",
|
|
"active",
|
|
"error",
|
|
"warning",
|
|
"pending",
|
|
"unknown"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"warning": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"message": {
|
|
"description": "Warning message.",
|
|
"type": "string"
|
|
},
|
|
"reason": {
|
|
"description": "Reason for warning.",
|
|
"enum": [
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"reason",
|
|
"message"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"status",
|
|
"last_execution_date"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"id": {
|
|
"description": "The identifier for the rule.",
|
|
"type": "string"
|
|
},
|
|
"is_snoozed_until": {
|
|
"description": "The date when the rule will no longer be snoozed.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"last_run": {
|
|
"additionalProperties": false,
|
|
"nullable": true,
|
|
"properties": {
|
|
"alerts_count": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"active": {
|
|
"description": "Number of active alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"ignored": {
|
|
"description": "Number of ignored alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"new": {
|
|
"description": "Number of new alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"recovered": {
|
|
"description": "Number of recovered alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"outcome": {
|
|
"description": "Outcome of the last run of the rule: `succeeded`, `warning`, or `failed`.",
|
|
"enum": [
|
|
"succeeded",
|
|
"warning",
|
|
"failed"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"outcome_msg": {
|
|
"items": {
|
|
"description": "Outcome message generated during last rule run.",
|
|
"type": "string"
|
|
},
|
|
"nullable": true,
|
|
"type": "array"
|
|
},
|
|
"outcome_order": {
|
|
"description": "Order of the outcome.",
|
|
"type": "number"
|
|
},
|
|
"warning": {
|
|
"description": "Warning of last rule execution.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate",
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"outcome",
|
|
"alerts_count"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"mapped_params": {
|
|
"additionalProperties": {},
|
|
"type": "object"
|
|
},
|
|
"monitoring": {
|
|
"additionalProperties": false,
|
|
"description": "Monitoring details of the rule.",
|
|
"properties": {
|
|
"run": {
|
|
"additionalProperties": false,
|
|
"description": "Rule run details.",
|
|
"properties": {
|
|
"calculated_metrics": {
|
|
"additionalProperties": false,
|
|
"description": "Percentiles (`p50`, `p95`, `p99`) and the success ratio calculated over the rule run history.",
|
|
"properties": {
|
|
"p50": {
|
|
"type": "number"
|
|
},
|
|
"p95": {
|
|
"type": "number"
|
|
},
|
|
"p99": {
|
|
"type": "number"
|
|
},
|
|
"success_ratio": {
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"success_ratio"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"history": {
|
|
"description": "History of rule runs.",
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of the rule run.",
|
|
"type": "number"
|
|
},
|
|
"outcome": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"alerts_count": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"active": {
|
|
"description": "Number of active alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"ignored": {
|
|
"description": "Number of ignored alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"new": {
|
|
"description": "Number of new alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"recovered": {
|
|
"description": "Number of recovered alerts during last run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"outcome": {
|
|
"description": "Outcome of the last run of the rule: `succeeded`, `warning`, or `failed`.",
|
|
"enum": [
|
|
"succeeded",
|
|
"warning",
|
|
"failed"
|
|
],
|
|
"type": "string"
|
|
},
|
|
"outcome_msg": {
|
|
"items": {
|
|
"description": "Outcome message generated during last rule run.",
|
|
"type": "string"
|
|
},
|
|
"nullable": true,
|
|
"type": "array"
|
|
},
|
|
"outcome_order": {
|
|
"description": "Order of the outcome.",
|
|
"type": "number"
|
|
},
|
|
"warning": {
|
|
"description": "Warning of last rule execution.",
|
|
"enum": [
|
|
"read",
|
|
"decrypt",
|
|
"execute",
|
|
"unknown",
|
|
"license",
|
|
"timeout",
|
|
"disabled",
|
|
"validate",
|
|
"maxExecutableActions",
|
|
"maxAlerts",
|
|
"maxQueuedActions"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"outcome",
|
|
"alerts_count"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"success": {
|
|
"description": "Indicates whether the rule run was successful.",
|
|
"type": "boolean"
|
|
},
|
|
"timestamp": {
|
|
"description": "Time of rule run.",
|
|
"type": "number"
|
|
}
|
|
},
|
|
"required": [
|
|
"success",
|
|
"timestamp"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"last_run": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"metrics": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of most recent rule run.",
|
|
"type": "number"
|
|
},
|
|
"gap_duration_s": {
|
|
"description": "Duration in seconds of rule run gap.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_alerts_created": {
|
|
"description": "Total number of alerts created during last rule run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_alerts_detected": {
|
|
"description": "Total number of alerts detected during last rule run.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_indexing_duration_ms": {
|
|
"description": "Total time spent indexing documents during last rule run in milliseconds.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
},
|
|
"total_search_duration_ms": {
|
|
"description": "Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.",
|
|
"nullable": true,
|
|
"type": "number"
|
|
}
|
|
},
|
|
"type": "object"
|
|
},
|
|
"timestamp": {
|
|
"description": "Time of the most recent rule run.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"timestamp",
|
|
"metrics"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"history",
|
|
"calculated_metrics",
|
|
"last_run"
|
|
],
|
|
"type": "object"
|
|
}
|
|
},
|
|
"required": [
|
|
"run"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"mute_all": {
|
|
"description": "Indicates whether all alerts are muted.",
|
|
"type": "boolean"
|
|
},
|
|
"muted_alert_ids": {
|
|
"items": {
|
|
"description": "List of identifiers of muted alerts.",
|
|
"type": "string"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"name": {
|
|
"description": "The name of the rule.",
|
|
"type": "string"
|
|
},
|
|
"next_run": {
|
|
"description": "Date and time of the next run of the rule.",
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"notify_when": {
|
|
"description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
|
|
"enum": [
|
|
"onActionGroupChange",
|
|
"onActiveAlert",
|
|
"onThrottleInterval"
|
|
],
|
|
"nullable": true,
|
|
"type": "string"
|
|
},
|
|
"params": {
|
|
"additionalProperties": {},
|
|
"description": "The parameters for the rule.",
|
|
"type": "object"
|
|
},
|
|
"revision": {
|
|
"description": "The rule revision number.",
|
|
"type": "number"
|
|
},
|
|
"rule_type_id": {
|
|
"description": "The rule type identifier.",
|
|
"type": "string"
|
|
},
|
|
"running": {
|
|
"description": "Indicates whether the rule is running.",
|
|
"nullable": true,
|
|
"type": "boolean"
|
|
},
|
|
"schedule": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"interval": {
|
|
"description": "The interval is specified in seconds, minutes, hours, or days.",
|
|
"type": "string"
|
|
}
|
|
},
|
|
"required": [
|
|
"interval"
|
|
],
|
|
"type": "object"
|
|
},
|
|
"scheduled_task_id": {
|
|
"description": "Identifier of the scheduled task.",
|
|
"type": "string"
|
|
},
|
|
"snooze_schedule": {
|
|
"items": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"duration": {
|
|
"description": "Duration of the rule snooze schedule.",
|
|
"type": "number"
|
|
},
|
|
"id": {
|
|
"description": "Identifier of the rule snooze schedule.",
|
|
"type": "string"
|
|
},
|
|
"rRule": {
|
|
"additionalProperties": false,
|
|
"properties": {
|
|
"byhour": {
|
|
"items": {
|
|
"description": "Indicates hours of the day to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byminute": {
|
|
"items": {
|
|
"description": "Indicates minutes of the hour to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bymonth": {
|
|
"items": {
|
|
"description": "Indicates months of the year that this rule should recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bymonthday": {
|
|
"items": {
|
|
"description": "Indicates the days of the month to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bysecond": {
|
|
"items": {
|
|
"description": "Indicates seconds of the minute to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"bysetpos": {
|
|
"items": {
|
|
"description": "A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byweekday": {
|
|
"items": {
|
|
"anyOf": [
|
|
{
|
|
"type": "string"
|
|
},
|
|
{
|
|
"type": "number"
|
|
}
|
|
],
|
|
"description": "Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination."
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byweekno": {
|
|
"items": {
|
|
"description": "Indicates the week numbers of the year to recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"byyearday": {
|
|
"items": {
|
|
"description": "Indicates the days of the year that this rule should recur.",
|
|
"type": "number"
|
|
},
|
|
"type": "array"
|
|
},
|
|
"count": {
|
|
"description": "Number of times the rule should recur until it stops.",
|
|
"type": "number"
|
|
},
|
|
"dtstart": {
|
|
"description": "Rule start date in Coordinated Universal Time (UTC).",
|
|
"type": "string"
|
|
},
|
|
"freq": {
|
|
"description": "Indicates frequency of the rule, encoded as an integer (0-6) using the rrule frequency constants in order: 0 = YEARLY, 1 = MONTHLY, 2 = WEEKLY, 3 = DAILY, 4 = HOURLY, 5 = MINUTELY, 6 = SECONDLY.",
|
|
"enum": [
|
|
0,
|
|
1,
|
|
2,
|
|
3,
|
|
4,
|
|
5,
|
|
6
|
|
],
|
|
"type": "integer"
|
|
},
|
|
"interval": {
|
|
"description": "Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.",
|
|
"type": "number"
|
|
},
|
|
"tzid": {
|
|
"description": "Indicates the time zone identifier (`tzid`) in which the recurrence rule is evaluated.",
|
|
"type": "string"
|
|
},
|
|
"until": {
|
|
"description": "Recur the rule until this date.",
|
|
"type": "string"
|
|
},
|
|
"wkst": {
|
|
"description": "Indicates the start of week, defaults to Monday.",
|
|
"enum": [
|
|
"MO",
|
|
"TU",
|
|
"WE",
|
|
"TH",
|
|
"FR",
|
|
"SA",
|
|
"SU"
|
|
],
|
|
"type": "string"
}
},
"required": [
"dtstart",
"tzid"
],
"type": "object"
},
"skipRecurrences": {
"items": {
"description": "A date on which recurrence of the rule is skipped.",
"type": "string"
},
"type": "array"
}
},
"required": [
"duration",
"rRule"
],
"type": "object"
},
"type": "array"
},
"tags": {
"items": {
"description": "The tags for the rule.",
"type": "string"
},
"type": "array"
},
"throttle": {
"deprecated": true,
"description": "Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.",
"nullable": true,
"type": "string"
},
"updated_at": {
"description": "The date and time that the rule was updated most recently.",
"type": "string"
},
"updated_by": {
"description": "The identifier for the user that updated this rule most recently.",
"nullable": true,
"type": "string"
},
"view_in_app_relative_url": {
"description": "Relative URL to view rule in the app.",
"nullable": true,
"type": "string"
}
},
"required": [
"id",
"enabled",
"name",
"tags",
"rule_type_id",
"consumer",
"schedule",
"actions",
"params",
"created_by",
"updated_by",
"created_at",
"updated_at",
"api_key_owner",
"mute_all",
"muted_alert_ids",
"execution_status",
"revision"
],
"type": "object"
}
}
},
"description": "Indicates a successful call."
}
},
"summary": "Get information about rules",
"tags": [
"alerting"
]
}
},
"/api/status": {
"get": {
"operationId": "%2Fapi%2Fstatus#0",
"parameters": [
{
"description": "The version of the API to use",
"in": "header",
"name": "elastic-api-version",
"schema": {
"default": "2023-10-31",
"enum": [
"2023-10-31"
],
"type": "string"
}
},
{
"description": "Set to \"true\" to get the response in v7 format.",
"in": "query",
"name": "v7format",
"required": false,
"schema": {
"type": "boolean"
}
},
{
"description": "Set to \"true\" to get the response in v8 format.",
"in": "query",
"name": "v8format",
"required": false,
"schema": {
"type": "boolean"
}
}
],
"responses": {
"200": {
"content": {
"application/json; Elastic-Api-Version=2023-10-31": {
"schema": {
"anyOf": [
{
"$ref": "#/components/schemas/core_status_response"
},
{
"$ref": "#/components/schemas/core_status_redactedResponse"
}
],
"description": "Kibana's operational status. A minimal (redacted) response is sent to unauthorized users."
}
}
},
"description": "Overall status is OK and Kibana should be functioning normally."
},
"503": {
"content": {
"application/json; Elastic-Api-Version=2023-10-31": {
"schema": {
"anyOf": [
{
"$ref": "#/components/schemas/core_status_response"
},
{
"$ref": "#/components/schemas/core_status_redactedResponse"
}
],
"description": "Kibana's operational status. A minimal (redacted) response is sent to unauthorized users."
}
}
},
"description": "Kibana or some of its essential services are unavailable. Kibana may be degraded or unavailable."
}
},
"summary": "Get Kibana's current status",
"tags": [
"system"
]
}
}
},
"security": [
{
"basicAuth": []
}
],
"servers": [
{
"url": "http://localhost:5622"
}
],
"tags": [
{
"name": "alerting"
},
{
"name": "system"
}
]
} |