Kibana MCP Server

by TocharianOU
kibana-openapi-source.yaml (2.1 MB)
openapi: 3.0.3
info:
  contact:
    name: Kibana Team
  description: |
    The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects.
    The API calls are stateless.
    Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request.
    API requests return JSON output, which is a format that is machine-readable and works well for automation.

    To interact with Kibana APIs, use the following operations:

    - GET: Fetches the information.
    - PATCH: Applies partial modifications to the existing information.
    - POST: Adds new information.
    - PUT: Updates the existing information.
    - DELETE: Removes the information.

    You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**.
    For example:

    ```
    GET kbn:/api/data_views
    ```

    For more information about the console, refer to [Run API requests](https://www.elastic.co/guide/en/kibana/current/console-kibana.html).

    NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.

    ## Documentation source and versions

    This documentation is derived from the `8.18` branch of the [kibana](https://github.com/elastic/kibana) repository.
    It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/).
title: Kibana APIs version: 1.0.2 x-doc-license: name: Attribution-NonCommercial-NoDerivatives 4.0 International url: https://creativecommons.org/licenses/by-nc-nd/4.0/ x-feedbackLink: label: Feedback url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ servers: - url: https://{kibana_url} variables: kibana_url: default: localhost:5601 security: - apiKeyAuth: [] - basicAuth: [] tags: - name: alerting description: | Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations. externalDocs: description: Alerting documentation url: https://www.elastic.co/guide/en/kibana/8.18/alerting-getting-started.html x-displayName: Alerting - description: | Adjust APM agent configuration without need to redeploy your application. name: APM agent configuration - description: | Configure APM agent keys to authorize requests from APM agents to the APM Server. name: APM agent keys - description: | Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications. name: APM annotations - description: Create APM fleet server schema. name: APM server schema - description: Configure APM source maps. name: APM sourcemaps - description: | Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors. 
name: cases externalDocs: description: Cases documentation url: https://www.elastic.co/guide/en/kibana/8.18/cases.html x-displayName: Cases - name: connectors description: | Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met. externalDocs: description: Connector documentation url: https://www.elastic.co/guide/en/kibana/8.18/action-types.html x-displayName: Connectors - name: Dashboards - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns. name: data views x-displayName: Data views - description: | Programmatically integrate with Logstash configuration management. > warn > Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs. externalDocs: description: Centralized pipeline management url: https://www.elastic.co/guide/en/logstash/current/logstash-centralized-pipeline-management.html name: logstash x-displayName: Logstash configuration management - description: Machine learning name: ml x-displayName: Machine learning - name: roles x-displayName: Roles description: Manage the roles that grant Elasticsearch and Kibana privileges. externalDocs: description: Kibana role management url: https://www.elastic.co/guide/en/kibana/8.18/kibana-role-management.html - description: | Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs. To manage a specific type of saved object, use the corresponding APIs. 
For example, use: * [Data views](../group/endpoint-data-views) * [Spaces](https://www.elastic.co/guide/en/kibana/8.18/spaces-api.html) * [Short URLs](https://www.elastic.co/guide/en/kibana/8.18/short-urls-api.html) Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions name: saved objects x-displayName: Saved objects - description: Manage and interact with Security Assistant resources. name: Security AI Assistant API x-displayName: Security AI assistant - description: | Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged. This API supports both key-based authentication and basic authentication. To use key-based authentication, create an API key, then specify the key in the header of your API calls. To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges. In both cases, the API key is subsequently used for authorization when the rule runs. > warn > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change. > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running. To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements. 
name: Security Detections API x-displayName: Security detections - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met. name: Security Endpoint Exceptions API x-displayName: Security endpoint exceptions - description: Interact with and manage endpoints running the Elastic Defend integration. name: Security Endpoint Management API x-displayName: Security endpoint management - description: '' name: Security Entity Analytics API x-displayName: Security entity analytics - description: | Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts. Exceptions are made up of: * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules. * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert. For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated. > info > You cannot use lists with endpoint rule exceptions. > info > Only exception containers can be associated with rules. 
You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container. ## Exceptions requirements Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui). name: Security Exceptions API x-displayName: Security exceptions - description: | Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts. Lists are made up of: * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used: * `boolean` * `byte` * `date` * `date_nanos` * `date_range` * `double` * `double_range` * `float` * `float_range` * `half_float` * `integer` * `integer_range` * `ip` * `ip_range` * `keyword` * `long` * `long_range` * `short` * `text` * **List items**: The values used to determine whether the exception prevents an alert from being generated. All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address: 1. `192.168.1.1` 2. `192.168.1.3` 3. `192.168.1.18` 4. `192.168.1.12` 5. `192.168.1.7` To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list. 
> info > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object. ## Lists requirements Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements. name: Security Lists API x-displayName: Security lists - description: Run live queries, manage packs and saved queries. name: Security Osquery API x-displayName: Security Osquery - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file. name: Security Timeline API x-displayName: Security timeline - description: Manage Kibana short URLs. name: short url x-displayName: Short URLs - description: SLO APIs enable you to define, manage and track service-level objectives name: slo x-displayName: Service level objectives - name: spaces x-displayName: Spaces description: Manage your Kibana spaces. externalDocs: url: https://www.elastic.co/guide/en/kibana/8.18/xpack-spaces.html description: Space overview - name: synthetics x-displayName: Synthetics externalDocs: description: Synthetic monitoring url: https://www.elastic.co/guide/en/observability/8.18/monitor-uptime-synthetics.html - name: system x-displayName: System description: | Get information about the system status, resource usage, features, and installed plugins. 
- externalDocs: description: Task manager url: https://www.elastic.co/guide/en/kibana/current/task-manager-production-considerations.html name: task manager x-displayName: Task manager - description: Check the upgrade status of your Elasticsearch cluster and reindex indices that were created in the previous major version. The assistant helps you prepare for the next major version of Elasticsearch. name: upgrade x-displayName: Upgrade assistant - externalDocs: description: Uptime monitoring url: https://www.elastic.co/guide/en/observability/current/uptime-intro.html name: uptime x-displayName: Uptime - name: user session x-displayName: User session management paths: /api/actions: get: deprecated: true operationId: get-actions parameters: [] responses: {} summary: Get all connectors tags: - connectors /api/actions/action: post: deprecated: true operationId: post-actions-action parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: actionTypeId: description: The connector type identifier. type: string config: additionalProperties: {} default: {} type: object name: description: The display name for the connector. type: string secrets: additionalProperties: {} default: {} type: object required: - name - actionTypeId responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. 
If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action description: Indicates a successful call. summary: Create a connector tags: - connectors /api/actions/action/{id}: delete: deprecated: true description: 'WARNING: When you delete a connector, it cannot be recovered.' operationId: delete-actions-action-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. summary: Delete a connector tags: - connectors get: deprecated: true operationId: get-actions-action-id parameters: - description: An identifier for the connector. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' 
type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action description: Indicates a successful call. summary: Get connector information tags: - connectors put: deprecated: true operationId: put-actions-action-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} default: {} type: object name: type: string secrets: additionalProperties: {} default: {} type: object required: - name responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action description: Indicates a successful call. 
summary: Update a connector tags: - connectors /api/actions/action/{id}/_execute: post: deprecated: true operationId: post-actions-action-id-execute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: params: additionalProperties: {} type: object required: - params responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action description: Indicates a successful call. summary: Run a connector tags: - connectors /api/actions/connector_types: get: description: You do not need any Kibana feature privileges to run this API. operationId: get-actions-connector-types parameters: - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases). 
in: query name: feature_id required: false schema: type: string responses: '200': description: Indicates a successful call. content: application/json: examples: getConnectorTypesServerlessResponse: $ref: '#/components/examples/get_connector_types_generativeai_response' summary: Get connector types tags: - connectors /api/actions/connector/{id}: delete: description: 'WARNING: When you delete a connector, it cannot be recovered.' operationId: delete-actions-connector-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. summary: Delete a connector tags: - connectors get: operationId: get-actions-connector-id parameters: - description: An identifier for the connector. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' 
type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action examples: getConnectorResponse: $ref: '#/components/examples/get_connector_response' description: Indicates a successful call. summary: Get connector information tags: - connectors post: operationId: post-actions-connector-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: connector_type_id: description: The type of connector. type: string name: description: The display name for the connector. type: string config: additionalProperties: {} default: {} description: The connector configuration details. oneOf: - $ref: '#/components/schemas/bedrock_config' - $ref: '#/components/schemas/crowdstrike_config' - $ref: '#/components/schemas/d3security_config' - $ref: '#/components/schemas/email_config' - $ref: '#/components/schemas/gemini_config' - $ref: '#/components/schemas/resilient_config' - $ref: '#/components/schemas/index_config' - $ref: '#/components/schemas/jira_config' - $ref: '#/components/schemas/genai_azure_config' - $ref: '#/components/schemas/genai_openai_config' - $ref: '#/components/schemas/opsgenie_config' - $ref: '#/components/schemas/pagerduty_config' - $ref: '#/components/schemas/sentinelone_config' - $ref: '#/components/schemas/servicenow_config' - $ref: '#/components/schemas/servicenow_itom_config' - $ref: '#/components/schemas/slack_api_config' - $ref: '#/components/schemas/swimlane_config' - $ref: '#/components/schemas/thehive_config' - $ref: '#/components/schemas/tines_config' - $ref: '#/components/schemas/torq_config' - $ref: '#/components/schemas/webhook_config' - $ref: '#/components/schemas/cases_webhook_config' - $ref: 
'#/components/schemas/xmatters_config' secrets: additionalProperties: {} default: {} oneOf: - $ref: '#/components/schemas/bedrock_secrets' - $ref: '#/components/schemas/crowdstrike_secrets' - $ref: '#/components/schemas/d3security_secrets' - $ref: '#/components/schemas/email_secrets' - $ref: '#/components/schemas/gemini_secrets' - $ref: '#/components/schemas/resilient_secrets' - $ref: '#/components/schemas/jira_secrets' - $ref: '#/components/schemas/teams_secrets' - $ref: '#/components/schemas/genai_secrets' - $ref: '#/components/schemas/opsgenie_secrets' - $ref: '#/components/schemas/pagerduty_secrets' - $ref: '#/components/schemas/sentinelone_secrets' - $ref: '#/components/schemas/servicenow_secrets' - $ref: '#/components/schemas/slack_api_secrets' - $ref: '#/components/schemas/swimlane_secrets' - $ref: '#/components/schemas/thehive_secrets' - $ref: '#/components/schemas/tines_secrets' - $ref: '#/components/schemas/torq_secrets' - $ref: '#/components/schemas/webhook_secrets' - $ref: '#/components/schemas/cases_webhook_secrets' - $ref: '#/components/schemas/xmatters_secrets' required: - name - connector_type_id examples: createEmailConnectorRequest: $ref: '#/components/examples/create_email_connector_request' createIndexConnectorRequest: $ref: '#/components/examples/create_index_connector_request' createWebhookConnectorRequest: $ref: '#/components/examples/create_webhook_connector_request' createXmattersConnectorRequest: $ref: '#/components/examples/create_xmatters_connector_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. 
type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action examples: createEmailConnectorResponse: $ref: '#/components/examples/create_email_connector_response' createIndexConnectorResponse: $ref: '#/components/examples/create_index_connector_response' createWebhookConnectorResponse: $ref: '#/components/examples/create_webhook_connector_response' createXmattersConnectorResponse: $ref: '#/components/examples/get_connector_response' description: Indicates a successful call. summary: Create a connector tags: - connectors put: operationId: put-actions-connector-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: name: description: The display name for the connector. type: string config: additionalProperties: {} default: {} description: The connector configuration details. 
oneOf: - $ref: '#/components/schemas/bedrock_config' - $ref: '#/components/schemas/crowdstrike_config' - $ref: '#/components/schemas/d3security_config' - $ref: '#/components/schemas/email_config' - $ref: '#/components/schemas/gemini_config' - $ref: '#/components/schemas/resilient_config' - $ref: '#/components/schemas/index_config' - $ref: '#/components/schemas/jira_config' - $ref: '#/components/schemas/genai_azure_config' - $ref: '#/components/schemas/genai_openai_config' - $ref: '#/components/schemas/opsgenie_config' - $ref: '#/components/schemas/pagerduty_config' - $ref: '#/components/schemas/sentinelone_config' - $ref: '#/components/schemas/servicenow_config' - $ref: '#/components/schemas/servicenow_itom_config' - $ref: '#/components/schemas/slack_api_config' - $ref: '#/components/schemas/swimlane_config' - $ref: '#/components/schemas/thehive_config' - $ref: '#/components/schemas/tines_config' - $ref: '#/components/schemas/torq_config' - $ref: '#/components/schemas/webhook_config' - $ref: '#/components/schemas/cases_webhook_config' - $ref: '#/components/schemas/xmatters_config' secrets: additionalProperties: {} default: {} oneOf: - $ref: '#/components/schemas/bedrock_secrets' - $ref: '#/components/schemas/crowdstrike_secrets' - $ref: '#/components/schemas/d3security_secrets' - $ref: '#/components/schemas/email_secrets' - $ref: '#/components/schemas/gemini_secrets' - $ref: '#/components/schemas/resilient_secrets' - $ref: '#/components/schemas/jira_secrets' - $ref: '#/components/schemas/teams_secrets' - $ref: '#/components/schemas/genai_secrets' - $ref: '#/components/schemas/opsgenie_secrets' - $ref: '#/components/schemas/pagerduty_secrets' - $ref: '#/components/schemas/sentinelone_secrets' - $ref: '#/components/schemas/servicenow_secrets' - $ref: '#/components/schemas/slack_api_secrets' - $ref: '#/components/schemas/swimlane_secrets' - $ref: '#/components/schemas/thehive_secrets' - $ref: '#/components/schemas/tines_secrets' - $ref: 
'#/components/schemas/torq_secrets' - $ref: '#/components/schemas/webhook_secrets' - $ref: '#/components/schemas/cases_webhook_secrets' - $ref: '#/components/schemas/xmatters_secrets' required: - name examples: updateIndexConnectorRequest: $ref: '#/components/examples/update_index_connector_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action description: Indicates a successful call. summary: Update a connector tags: - connectors /api/actions/connector/{id}/_execute: post: description: You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems. operationId: post-actions-connector-id-execute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: An identifier for the connector. 
in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: params: additionalProperties: {} oneOf: - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty' - $ref: '#/components/schemas/run_documents' - $ref: '#/components/schemas/run_message_email' - $ref: '#/components/schemas/run_message_serverlog' - $ref: '#/components/schemas/run_message_slack' - $ref: '#/components/schemas/run_trigger_pagerduty' - $ref: '#/components/schemas/run_addevent' - $ref: '#/components/schemas/run_closealert' - $ref: '#/components/schemas/run_closeincident' - $ref: '#/components/schemas/run_createalert' - $ref: '#/components/schemas/run_fieldsbyissuetype' - $ref: '#/components/schemas/run_getchoices' - $ref: '#/components/schemas/run_getfields' - $ref: '#/components/schemas/run_getincident' - $ref: '#/components/schemas/run_issue' - $ref: '#/components/schemas/run_issues' - $ref: '#/components/schemas/run_issuetypes' - $ref: '#/components/schemas/run_postmessage' - $ref: '#/components/schemas/run_pushtoservice' - $ref: '#/components/schemas/run_validchannelid' required: - params examples: runIndexConnectorRequest: $ref: '#/components/examples/run_index_connector_request' runJiraConnectorRequest: $ref: '#/components/examples/run_jira_connector_request' runServerLogConnectorRequest: $ref: '#/components/examples/run_servicenow_itom_connector_request' runSlackConnectorRequest: $ref: '#/components/examples/run_slack_api_connector_request' runSwimlaneConnectorRequest: $ref: '#/components/examples/run_swimlane_connector_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: config: additionalProperties: {} type: object connector_type_id: description: The connector type identifier. type: string id: description: The identifier for the connector. type: string is_deprecated: description: Indicates whether the connector is deprecated. 
type: boolean is_missing_secrets: description: Indicates whether the connector is missing secrets. type: boolean is_preconfigured: description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ' type: boolean is_system_action: description: Indicates whether the connector is used for system actions. type: boolean name: description: ' The name of the rule.' type: string required: - id - name - connector_type_id - is_preconfigured - is_deprecated - is_system_action examples: runIndexConnectorResponse: $ref: '#/components/examples/run_index_connector_response' runJiraConnectorResponse: $ref: '#/components/examples/run_jira_connector_response' runServerLogConnectorResponse: $ref: '#/components/examples/run_server_log_connector_response' runServiceNowITOMConnectorResponse: $ref: '#/components/examples/run_servicenow_itom_connector_response' runSlackConnectorResponse: $ref: '#/components/examples/run_slack_api_connector_response' runSwimlaneConnectorResponse: $ref: '#/components/examples/run_swimlane_connector_response' description: Indicates a successful call. summary: Run a connector tags: - connectors /api/actions/connectors: get: operationId: get-actions-connectors parameters: [] responses: '200': description: Indicates a successful call. content: application/json: examples: getConnectorsResponse: $ref: '#/components/examples/get_connectors_response' summary: Get all connectors tags: - connectors /api/actions/list_action_types: get: deprecated: true operationId: get-actions-list-action-types parameters: [] responses: {} summary: Get connector types tags: - connectors /api/alerting/_health: get: description: | You must have `read` privileges for the **Management > Stack Rules** feature or for at least one of the **Analytics > Discover**, **Analytics > Machine Learning**, **Observability**, or **Security** features. 
operationId: getAlertingHealth responses: '200': content: application/json: examples: getAlertingHealthResponse: $ref: '#/components/examples/Alerting_get_health_response' schema: type: object properties: alerting_framework_health: description: | Three substates identify the health of the alerting framework: `decryption_health`, `execution_health`, and `read_health`. type: object properties: decryption_health: description: The timestamp and status of the rule decryption. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string execution_health: description: The timestamp and status of the rule run. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string read_health: description: The timestamp and status of the rule reading events. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string has_permanent_encryption_key: description: If `false`, the encrypted saved object plugin does not have a permanent encryption key. example: true type: boolean is_sufficiently_secure: description: If `false`, security is enabled but TLS is not. example: true type: boolean description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Get the alerting framework health tags: - alerting /api/alerting/rule_types: get: description: | If you have `read` privileges for one or more Kibana features, the API response contains information about the appropriate rule types. 
For example, there are rule types associated with the **Management > Stack Rules** feature, **Analytics > Discover** and **Machine Learning** features, **Observability** features, and **Security** features. To get rule types associated with the **Stack Monitoring** feature, use the `monitoring_user` built-in role. operationId: getRuleTypes responses: '200': content: application/json: examples: getRuleTypesResponse: $ref: '#/components/examples/Alerting_get_rule_types_response' schema: items: type: object properties: action_groups: description: | An explicit list of groups for which the rule type can schedule actions, each with the action group's unique ID and human readable name. Rule actions validation uses this configuration to ensure that groups are valid. items: type: object properties: id: type: string name: type: string type: array action_variables: description: | A list of action variables that the rule type makes available via context and state in action parameter templates, and a short human readable description. When you create a rule in Kibana, it uses this information to prompt you for these variables in action parameter editors. type: object properties: context: items: type: object properties: description: type: string name: type: string useWithTripleBracesInTemplates: type: boolean type: array params: items: type: object properties: description: type: string name: type: string type: array state: items: type: object properties: description: type: string name: type: string type: array alerts: description: | Details for writing alerts as data documents for this rule type. type: object properties: context: description: | The namespace for this rule type. enum: - ml.anomaly-detection - observability.apm - observability.logs - observability.metrics - observability.slo - observability.threshold - observability.uptime - security - stack type: string dynamic: description: Indicates whether new fields are added dynamically. 
enum: - 'false' - runtime - strict - 'true' type: string isSpaceAware: description: | Indicates whether the alerts are space-aware. If true, space-specific alert indices are used. type: boolean mappings: type: object properties: fieldMap: additionalProperties: $ref: '#/components/schemas/Alerting_fieldmap_properties' description: | Mapping information for each field supported in alerts as data documents for this rule type. For more information about mapping parameters, refer to the Elasticsearch documentation. type: object secondaryAlias: description: | A secondary alias. It is typically used to support the signals alias for detection rules. type: string shouldWrite: description: | Indicates whether the rule should write out alerts as data. type: boolean useEcs: description: | Indicates whether to include the ECS component template for the alerts. type: boolean useLegacyAlerts: default: false description: | Indicates whether to include the legacy component template for the alerts. type: boolean authorized_consumers: description: The list of the plugins IDs that have access to the rule type. 
type: object properties: alerts: type: object properties: all: type: boolean read: type: boolean apm: type: object properties: all: type: boolean read: type: boolean discover: type: object properties: all: type: boolean read: type: boolean infrastructure: type: object properties: all: type: boolean read: type: boolean logs: type: object properties: all: type: boolean read: type: boolean ml: type: object properties: all: type: boolean read: type: boolean monitoring: type: object properties: all: type: boolean read: type: boolean siem: type: object properties: all: type: boolean read: type: boolean slo: type: object properties: all: type: boolean read: type: boolean stackAlerts: type: object properties: all: type: boolean read: type: boolean uptime: type: object properties: all: type: boolean read: type: boolean category: description: The rule category, which is used by features such as category-specific maintenance windows. enum: - management - observability - securitySolution type: string default_action_group_id: description: The default identifier for the rule type group. type: string does_set_recovery_context: description: Indicates whether the rule passes context variables to its recovery action. type: boolean enabled_in_license: description: Indicates whether the rule type is enabled or disabled based on the subscription. type: boolean has_alerts_mappings: description: Indicates whether the rule type has custom mappings for the alert data. type: boolean has_fields_for_a_a_d: type: boolean id: description: The unique identifier for the rule type. type: string is_exportable: description: Indicates whether the rule type is exportable in **Stack Management > Saved Objects**. type: boolean minimum_license_required: description: The subscriptions required to use the rule type. example: basic type: string name: description: The descriptive name of the rule type. type: string producer: description: An identifier for the application that produces this rule type. 
example: stackAlerts type: string recovery_action_group: description: An action group to use when an alert goes from an active state to an inactive one. type: object properties: id: type: string name: type: string rule_task_timeout: example: 5m type: string type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Get the rule types tags: - alerting /api/alerting/rule/{id}: delete: operationId: delete-alerting-rule-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Delete a rule tags: - alerting get: operationId: get-alerting-rule-id parameters: - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. 
items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. 
NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. 
type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. 
enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. 
enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. 
nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. 
nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. 
type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. 
nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Get rule details tags: - alerting post: operationId: post-alerting-rule-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. If it is omitted, an ID is randomly generated. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. 
enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions can be generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action.
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. 
type: number required: - active consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string enabled: default: true description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string rule_type_id: description: The rule type identifier. 
type: string schedule: additionalProperties: false description: The check interval, which specifies how frequently the rule conditions are checked. type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] description: The tags for the rule. items: type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string params: additionalProperties: {} default: {} description: The parameters for the rule. anyOf: - $ref: '#/components/schemas/params_property_apm_anomaly' - $ref: '#/components/schemas/params_property_apm_error_count' - $ref: '#/components/schemas/params_property_apm_transaction_duration' - $ref: '#/components/schemas/params_property_apm_transaction_error_rate' - $ref: '#/components/schemas/params_es_query_dsl_rule' - $ref: '#/components/schemas/params_es_query_esql_rule' - $ref: '#/components/schemas/params_es_query_kql_rule' - $ref: '#/components/schemas/params_index_threshold_rule' - $ref: '#/components/schemas/params_property_infra_inventory' - $ref: '#/components/schemas/params_property_log_threshold' - $ref: '#/components/schemas/params_property_infra_metric_threshold' - $ref: '#/components/schemas/params_property_slo_burn_rate' - $ref: '#/components/schemas/params_property_synthetics_uptime_tls' - $ref: '#/components/schemas/params_property_synthetics_monitor_status' required: - name - rule_type_id - consumer - schedule examples: createEsQueryEsqlRuleRequest: $ref: '#/components/examples/create_es_query_esql_rule_request' createEsQueryRuleRequest: $ref: 
'#/components/examples/create_es_query_rule_request' createEsQueryKqlRuleRequest: $ref: '#/components/examples/create_es_query_kql_rule_request' createIndexThresholdRuleRequest: $ref: '#/components/examples/create_index_threshold_rule_request' createTrackingContainmentRuleRequest: $ref: '#/components/examples/create_tracking_containment_rule_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). 
type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. 
nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. 
nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. 
enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. 
type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. 
type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision examples: createEsQueryEsqlRuleResponse: $ref: '#/components/examples/create_es_query_esql_rule_response' createEsQueryRuleResponse: $ref: '#/components/examples/create_es_query_rule_response' createEsQueryKqlRuleResponse: $ref: '#/components/examples/create_es_query_kql_rule_response' createIndexThresholdRuleResponse: $ref: '#/components/examples/create_index_threshold_rule_response' createTrackingContainmentRuleResponse: $ref: '#/components/examples/create_tracking_containment_rule_response' description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '409': description: Indicates that the rule id is already in use. 
summary: Create a rule tags: - alerting put: operationId: put-alerting-rule-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: actions: default: [] items: additionalProperties: false description: An action that runs under defined conditions. type: object properties: alerts_filter: additionalProperties: false type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false description: Defines the range of time in a day that the action can run. 
If the `start` value is `00:00` and the `end` value is `24:00`, actions are generated all day. type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} default: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold name: description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule. type: string notify_when: description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} default: {} description: The parameters for the rule. type: object schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval tags: default: [] items: description: The tags for the rule. type: string type: array throttle: description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - name - schedule examples: updateRuleRequest: $ref: '#/components/examples/update_rule_request' responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. 
type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. 
Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. 
type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. 
enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. 
type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. 
nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. 
nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. 
type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. 
nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision examples: updateRuleResponse: $ref: '#/components/examples/update_rule_response' description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. '409': description: Indicates that the rule has already been updated by another user. summary: Update a rule tags: - alerting /api/alerting/rule/{id}/_disable: post: operationId: post-alerting-rule-id-disable parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false nullable: true type: object properties: untrack: description: Defines whether this rule's alerts should be untracked. type: boolean x-oas-optional: true responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Disable a rule tags: - alerting /api/alerting/rule/{id}/_enable: post: operationId: post-alerting-rule-id-enable parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. 
'403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Enable a rule tags: - alerting /api/alerting/rule/{id}/_mute_all: post: operationId: post-alerting-rule-id-mute-all parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Mute all alerts tags: - alerting /api/alerting/rule/{id}/_unmute_all: post: operationId: post-alerting-rule-id-unmute-all parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule with the given ID does not exist. summary: Unmute all alerts tags: - alerting /api/alerting/rule/{id}/_update_api_key: post: operationId: post-alerting-rule-id-update-api-key parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. 
'404': description: Indicates a rule with the given ID does not exist. '409': description: Indicates that the rule has already been updated by another user. summary: Update the API key for a rule tags: - alerting /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute: post: operationId: post-alerting-rule-rule-id-alert-alert-id-mute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: rule_id required: true schema: type: string - description: The identifier for the alert. in: path name: alert_id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule or alert with the given ID does not exist. summary: Mute an alert tags: - alerting /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute: post: operationId: post-alerting-rule-rule-id-alert-alert-id-unmute parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The identifier for the rule. in: path name: rule_id required: true schema: type: string - description: The identifier for the alert. in: path name: alert_id required: true schema: type: string responses: '204': description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. '404': description: Indicates a rule or alert with the given ID does not exist. summary: Unmute an alert tags: - alerting /api/alerting/rules/_find: get: operationId: get-alerting-rules-find parameters: - description: The number of rules to return per page. 
in: query name: per_page required: false schema: default: 10 minimum: 0 type: number - description: The page number to return. in: query name: page required: false schema: default: 1 minimum: 1 type: number - description: An Elasticsearch simple_query_string query that filters the objects in the response. in: query name: search required: false schema: type: string - description: The default operator to use for the simple_query_string. in: query name: default_search_operator required: false schema: default: OR enum: - OR - AND type: string - description: The fields to perform the simple_query_string parsed query against. in: query name: search_fields required: false schema: anyOf: - items: type: string type: array - type: string - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. in: query name: sort_field required: false schema: type: string - description: Determines the sort order. in: query name: sort_order required: false schema: enum: - asc - desc type: string - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. in: query name: has_reference required: false schema: additionalProperties: false nullable: true type: object properties: id: type: string type: type: string required: - type - id - in: query name: fields required: false schema: items: description: The fields to return in the `attributes` key of the response. type: string type: array - description: 'A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.' in: query name: filter required: false schema: type: string - in: query name: filter_consumers required: false schema: items: description: List of consumers to filter. 
type: string type: array responses: '200': content: application/json: schema: additionalProperties: false type: object properties: actions: items: additionalProperties: false type: object properties: alerts_filter: additionalProperties: false description: Defines a period that limits whether the action runs. type: object properties: query: additionalProperties: false type: object properties: dsl: description: A filter written in Elasticsearch Query Domain Specific Language (DSL). type: string filters: description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. items: additionalProperties: false type: object properties: $state: additionalProperties: false type: object properties: store: description: A filter can be either specific to an application context or applied globally. enum: - appState - globalState type: string required: - store meta: additionalProperties: {} type: object query: additionalProperties: {} type: object required: - meta type: array kql: description: A filter written in Kibana Query Language (KQL). type: string required: - kql - filters timeframe: additionalProperties: false type: object properties: days: description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week. items: enum: - 1 - 2 - 3 - 4 - 5 - 6 - 7 type: integer type: array hours: additionalProperties: false type: object properties: end: description: The end of the time frame in 24-hour notation (`hh:mm`). type: string start: description: The start of the time frame in 24-hour notation (`hh:mm`). type: string required: - start - end timezone: description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended. 
type: string required: - days - hours - timezone connector_type_id: description: The type of connector. This property appears in responses but cannot be set in requests. type: string frequency: additionalProperties: false type: object properties: notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string summary: description: Indicates whether the action is a summary. type: boolean throttle: description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' nullable: true type: string required: - summary - notify_when - throttle group: description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`. type: string id: description: The identifier for the connector saved object. 
type: string params: additionalProperties: {} description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context. type: object use_alert_data_for_template: description: Indicates whether to use alert data as a template. type: boolean uuid: description: A universally unique identifier (UUID) for the action. type: string required: - id - connector_type_id - params type: array active_snoozes: items: description: List of active snoozes for the rule. type: string type: array alert_delay: additionalProperties: false description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions. type: object properties: active: description: The number of consecutive runs that must meet the rule conditions. type: number required: - active api_key_created_by_user: description: Indicates whether the API key that is associated with the rule was created by the user. nullable: true type: boolean api_key_owner: description: The owner of the API key that is associated with the rule and used to run background tasks. nullable: true type: string consumer: description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.' type: string created_at: description: The date and time that the rule was created. type: string created_by: description: The identifier for the user that created the rule. nullable: true type: string enabled: description: Indicates whether you want to run the rule on an interval basis after it is created. type: boolean execution_status: additionalProperties: false type: object properties: error: additionalProperties: false type: object properties: message: description: Error message. type: string reason: description: Reason for error. 
enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate type: string required: - reason - message last_duration: description: Duration of last execution of the rule. type: number last_execution_date: description: The date and time when rule was executed last. type: string status: description: Status of rule execution. enum: - ok - active - error - warning - pending - unknown type: string warning: additionalProperties: false type: object properties: message: description: Warning message. type: string reason: description: Reason for warning. enum: - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution type: string required: - reason - message required: - status - last_execution_date flapping: additionalProperties: false description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced. nullable: true type: object properties: look_back_window: description: The minimum number of runs in which the threshold must be met. maximum: 20 minimum: 2 type: number status_change_threshold: description: The minimum number of times an alert must switch states in the look back window. maximum: 20 minimum: 2 type: number required: - look_back_window - status_change_threshold id: description: The identifier for the rule. type: string is_snoozed_until: description: The date when the rule will no longer be snoozed. nullable: true type: string last_run: additionalProperties: false nullable: true type: object properties: alerts_count: additionalProperties: false type: object properties: active: description: Number of active alerts during last run. nullable: true type: number ignored: description: Number of ignored alerts during last run. nullable: true type: number new: description: Number of new alerts during last run. nullable: true type: number recovered: description: Number of recovered alerts during last run. 
nullable: true type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string outcome_msg: items: description: Outcome message generated during last rule run. type: string nullable: true type: array outcome_order: description: Order of the outcome. type: number warning: description: Warning of last rule execution. enum: - read - decrypt - execute - unknown - license - timeout - disabled - validate - maxExecutableActions - maxAlerts - maxQueuedActions - ruleExecution nullable: true type: string required: - outcome - alerts_count mapped_params: additionalProperties: {} type: object monitoring: additionalProperties: false description: Monitoring details of the rule. type: object properties: run: additionalProperties: false description: Rule run details. type: object properties: calculated_metrics: additionalProperties: false description: Calculation of different percentiles and success ratio. type: object properties: p50: type: number p95: type: number p99: type: number success_ratio: type: number required: - success_ratio history: description: History of the rule run. items: additionalProperties: false type: object properties: duration: description: Duration of the rule run. type: number outcome: description: Outcome of last run of the rule. Value could be succeeded, warning or failed. enum: - succeeded - warning - failed type: string success: description: Indicates whether the rule run was successful. type: boolean timestamp: description: Time of rule run. type: number required: - success - timestamp type: array last_run: additionalProperties: false type: object properties: metrics: additionalProperties: false type: object properties: duration: description: Duration of most recent rule run. type: number gap_duration_s: description: Duration in seconds of rule run gap. 
nullable: true type: number gap_range: additionalProperties: false nullable: true type: object properties: gte: description: End of the gap range. type: string lte: description: Start of the gap range. type: string required: - lte - gte total_alerts_created: description: Total number of alerts created during last rule run. nullable: true type: number total_alerts_detected: description: Total number of alerts detected during last rule run. nullable: true type: number total_indexing_duration_ms: description: Total time spent indexing documents during last rule run in milliseconds. nullable: true type: number total_search_duration_ms: description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response. nullable: true type: number timestamp: description: Time of the most recent rule run. type: string required: - timestamp - metrics required: - history - calculated_metrics - last_run required: - run mute_all: description: Indicates whether all alerts are muted. type: boolean muted_alert_ids: items: description: 'List of identifiers of muted alerts. ' type: string type: array name: description: ' The name of the rule.' type: string next_run: description: Date and time of the next run of the rule. nullable: true type: string notify_when: description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. 
If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' enum: - onActionGroupChange - onActiveAlert - onThrottleInterval nullable: true type: string params: additionalProperties: {} description: The parameters for the rule. type: object revision: description: The rule revision number. type: number rule_type_id: description: The rule type identifier. type: string running: description: Indicates whether the rule is running. nullable: true type: boolean schedule: additionalProperties: false type: object properties: interval: description: The interval is specified in seconds, minutes, hours, or days. type: string required: - interval scheduled_task_id: description: Identifier of the scheduled task. type: string snooze_schedule: items: additionalProperties: false type: object properties: duration: description: Duration of the rule snooze schedule. type: number id: description: Identifier of the rule snooze schedule. type: string rRule: additionalProperties: false type: object properties: byhour: items: description: Indicates hours of the day to recur. type: number nullable: true type: array byminute: items: description: Indicates minutes of the hour to recur. type: number nullable: true type: array bymonth: items: description: Indicates months of the year that this rule should recur. type: number nullable: true type: array bymonthday: items: description: Indicates the days of the month to recur. type: number nullable: true type: array bysecond: items: description: Indicates seconds of the day to recur. type: number nullable: true type: array bysetpos: items: description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`. 
type: number nullable: true type: array byweekday: items: anyOf: - type: string - type: number description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination. nullable: true type: array byweekno: items: description: Indicates number of the week hours to recur. type: number nullable: true type: array byyearday: items: description: Indicates the days of the year that this rule should recur. type: number nullable: true type: array count: description: Number of times the rule should recur until it stops. type: number dtstart: description: Rule start date in Coordinated Universal Time (UTC). type: string freq: description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY. enum: - 0 - 1 - 2 - 3 - 4 - 5 - 6 type: integer interval: description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks. type: number tzid: description: Indicates timezone abbreviation. type: string until: description: Recur the rule until this date. type: string wkst: description: Indicates the start of week, defaults to Monday. enum: - MO - TU - WE - TH - FR - SA - SU type: string required: - dtstart - tzid skipRecurrences: items: description: Skips recurrence of rule on this date. type: string type: array required: - duration - rRule type: array tags: items: description: The tags for the rule. type: string type: array throttle: deprecated: true description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.' 
nullable: true type: string updated_at: description: The date and time that the rule was updated most recently. type: string updated_by: description: The identifier for the user that updated this rule most recently. nullable: true type: string view_in_app_relative_url: description: Relative URL to view rule in the app. nullable: true type: string required: - id - enabled - name - tags - rule_type_id - consumer - schedule - actions - params - created_by - updated_by - created_at - updated_at - api_key_owner - mute_all - muted_alert_ids - execution_status - revision examples: findRulesResponse: $ref: '#/components/examples/find_rules_response' findConditionalActionRulesResponse: $ref: '#/components/examples/find_rules_response_conditional_action' description: Indicates a successful call. '400': description: Indicates an invalid schema or parameters. '403': description: Indicates that this call is forbidden. summary: Get information about rules tags: - alerting /api/alerts/alert/{alertId}: delete: deprecated: true description: | Deprecated in 7.13.0. Use the delete rule API instead. WARNING: After you delete an alert, you cannot recover it. operationId: legaryDeleteAlert parameters: - $ref: '#/components/parameters/Alerting_kbn_xsrf' - description: The identifier for the alert. in: path name: alertId required: true schema: example: 41893910-6bca-11eb-9e0d-85d233e3ee35 type: string responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Delete an alert tags: - alerting get: deprecated: true description: Deprecated in 7.13.0. Use the get rule API instead. operationId: legacyGetAlert parameters: - description: The identifier for the alert. 
in: path name: alertId required: true schema: example: 41893910-6bca-11eb-9e0d-85d233e3ee35 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Alerting_alert_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Get an alert by identifier tags: - alerting post: deprecated: true description: Deprecated in 7.13.0. Use the create rule API instead. operationId: legacyCreateAlert parameters: - $ref: '#/components/parameters/Alerting_kbn_xsrf' - description: A UUID v1 or v4 identifier for the alert. If this parameter is omitted, the identifier is randomly generated. in: path name: alertId required: true schema: example: 41893910-6bca-11eb-9e0d-85d233e3ee35 type: string requestBody: content: application/json: schema: title: Legacy create alert request properties type: object properties: actions: items: type: object properties: actionTypeId: description: The identifier for the action type. type: string group: description: | Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to `default`. type: string id: description: The ID of the action saved object. type: string params: description: | The map to the `params` that the action type will receive. `params` are handled as Mustache templates and passed a default set of context. type: object required: - actionTypeId - group - id - params type: array alertTypeId: description: The ID of the alert type that you want to call when the alert is scheduled to run. type: string consumer: description: The name of the application that owns the alert. This name has to match the Kibana feature name, as that dictates the required role-based access control privileges.
type: string enabled: description: Indicates if you want to run the alert on an interval basis after it is created. type: boolean name: description: A name to reference and search. type: string notifyWhen: description: The condition for throttling the notification. enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string params: description: The parameters to pass to the alert type executor `params` value. This will also validate against the alert type params validator, if defined. type: object schedule: description: | The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule. type: object properties: interval: description: The interval format specifies the interval in seconds, minutes, hours or days at which the alert should run. example: 10s type: string tags: description: A list of keywords to reference and search. items: type: string type: array throttle: description: | How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of `10m` or `1h` will prevent it from sending 90 notifications during this period. type: string required: - alertTypeId - consumer - name - notifyWhen - params - schedule required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Alerting_alert_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Create an alert tags: - alerting put: deprecated: true description: Deprecated in 7.13.0. Use the update rule API instead. 
operationId: legacyUpdateAlert parameters: - $ref: '#/components/parameters/Alerting_kbn_xsrf' - description: The identifier for the alert. in: path name: alertId required: true schema: example: 41893910-6bca-11eb-9e0d-85d233e3ee35 type: string requestBody: content: application/json: schema: title: Legacy update alert request properties type: object properties: actions: items: type: object properties: actionTypeId: description: The identifier for the action type. type: string group: description: | Grouping actions is recommended for escalations for different types of alert instances. If you don't need this functionality, set it to `default`. type: string id: description: The ID of the action saved object. type: string params: description: | The map to the `params` that the action type will receive. `params` are handled as Mustache templates and passed a default set of context. type: object required: - actionTypeId - group - id - params type: array name: description: A name to reference and search. type: string notifyWhen: description: The condition for throttling the notification. enum: - onActionGroupChange - onActiveAlert - onThrottleInterval type: string params: description: The parameters to pass to the alert type executor `params` value. This will also validate against the alert type params validator, if defined. type: object schedule: description: | The schedule specifying when this alert should be run. A schedule is structured such that the key specifies the format you wish to use and its value specifies the schedule. type: object properties: interval: description: The interval format specifies the interval in seconds, minutes, hours or days at which the alert should run. example: 1d type: string tags: description: A list of keywords to reference and search. items: type: string type: array throttle: description: | How often this alert should fire the same actions. This will prevent the alert from sending out the same notification over and over. 
For example, if an alert with a schedule of 1 minute stays in a triggered state for 90 minutes, setting a throttle of `10m` or `1h` will prevent it from sending 90 notifications during this period. type: string required: - name - notifyWhen - params - schedule required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Alerting_alert_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Update an alert tags: - alerting /api/alerts/alert/{alertId}/_disable: post: deprecated: true description: Deprecated in 7.13.0. Use the disable rule API instead. operationId: legacyDisableAlert parameters: - $ref: '#/components/parameters/Alerting_kbn_xsrf' - description: The identifier for the alert. in: path name: alertId required: true schema: example: 41893910-6bca-11eb-9e0d-85d233e3ee35 type: string responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Disable an alert tags: - alerting /api/alerts/alert/{alertId}/_enable: post: deprecated: true description: Deprecated in 7.13.0. Use the enable rule API instead. operationId: legacyEnableAlert parameters: - $ref: '#/components/parameters/Alerting_kbn_xsrf' - description: The identifier for the alert. in: path name: alertId required: true schema: example: 41893910-6bca-11eb-9e0d-85d233e3ee35 type: string responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Enable an alert tags: - alerting /api/alerts/alert/{alertId}/_mute_all: post: deprecated: true description: Deprecated in 7.13.0. 
Use the mute all alerts API instead. operationId: legacyMuteAllAlertInstances parameters: - $ref: '#/components/parameters/Alerting_kbn_xsrf' - description: The identifier for the alert. in: path name: alertId required: true schema: example: 41893910-6bca-11eb-9e0d-85d233e3ee35 type: string responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Mute all alert instances tags: - alerting /api/alerts/alert/{alertId}/_unmute_all: post: deprecated: true description: Deprecated in 7.13.0. Use the unmute all alerts API instead. operationId: legacyUnmuteAllAlertInstances parameters: - $ref: '#/components/parameters/Alerting_kbn_xsrf' - description: The identifier for the alert. in: path name: alertId required: true schema: example: 41893910-6bca-11eb-9e0d-85d233e3ee35 type: string responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Unmute all alert instances tags: - alerting /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute: post: deprecated: true description: Deprecated in 7.13.0. Use the mute alert API instead. operationId: legacyMuteAlertInstance parameters: - $ref: '#/components/parameters/Alerting_kbn_xsrf' - description: An identifier for the alert. in: path name: alertId required: true schema: example: 41893910-6bca-11eb-9e0d-85d233e3ee35 type: string - description: An identifier for the alert instance. in: path name: alertInstanceId required: true schema: example: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 type: string responses: '204': description: Indicates a successful call. 
'401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Mute an alert instance tags: - alerting /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute: post: deprecated: true description: Deprecated in 7.13.0. Use the unmute alert API instead. operationId: legacyUnmuteAlertInstance parameters: - $ref: '#/components/parameters/Alerting_kbn_xsrf' - description: An identifier for the alert. in: path name: alertId required: true schema: example: 41893910-6bca-11eb-9e0d-85d233e3ee35 type: string - description: An identifier for the alert instance. in: path name: alertInstanceId required: true schema: example: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 type: string responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Unmute an alert instance tags: - alerting /api/alerts/alerts/_find: get: deprecated: true description: | Deprecated in 7.13.0. Use the find rules API instead. NOTE: Alert `params` are stored as a flattened field type and analyzed as keywords. As alerts change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data. operationId: legacyFindAlerts parameters: - description: The default operator to use for the `simple_query_string`. example: OR in: query name: default_search_operator schema: default: OR type: string - description: The fields to return in the `attributes` key of the response. in: query name: fields schema: items: type: string type: array - description: | A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. 
However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`. in: query name: filter schema: type: string - description: Filters the rules that have a relation with the reference objects with a specific type and identifier. in: query name: has_reference schema: type: object properties: id: type: string type: type: string - description: The page number to return. example: 1 in: query name: page schema: default: 1 type: integer - description: The number of alerts to return per page. example: 20 in: query name: per_page schema: default: 20 type: integer - description: An Elasticsearch `simple_query_string` query that filters the alerts in the response. in: query name: search schema: type: string - description: The fields to perform the `simple_query_string` parsed query against. in: query name: search_fields schema: oneOf: - type: string - items: type: string type: array - description: | Determines which field is used to sort the results. The field must exist in the `attributes` key of the response. in: query name: sort_field schema: type: string - description: Determines the sort order. example: asc in: query name: sort_order schema: default: desc enum: - asc - desc type: string responses: '200': content: application/json: schema: type: object properties: data: items: $ref: '#/components/schemas/Alerting_alert_response_properties' type: array page: type: integer perPage: type: integer total: type: integer description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Get a paginated set of alerts tags: - alerting /api/alerts/alerts/_health: get: deprecated: true description: Deprecated in 7.13.0. Use the get alerting framework health API instead. 
operationId: legacyGetAlertingHealth responses: '200': content: application/json: schema: type: object properties: alertingFrameworkHealth: description: | Three substates identify the health of the alerting framework: `decryptionHealth`, `executionHealth`, and `readHealth`. type: object properties: decryptionHealth: description: The timestamp and status of the alert decryption. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string executionHealth: description: The timestamp and status of the alert execution. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string readHealth: description: The timestamp and status of the alert reading events. type: object properties: status: enum: - error - ok - warn example: ok type: string timestamp: example: '2023-01-13T01:28:00.280Z' format: date-time type: string hasPermanentEncryptionKey: description: If `false`, the encrypted saved object plugin does not have a permanent encryption key. example: true type: boolean isSufficientlySecure: description: If `false`, security is enabled but TLS is not. example: true type: boolean description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Get the alerting framework health tags: - alerting /api/alerts/alerts/list_alert_types: get: deprecated: true description: Deprecated in 7.13.0. Use the get rule types API instead. operationId: legacyGetAlertTypes responses: '200': content: application/json: schema: items: type: object properties: actionGroups: description: | An explicit list of groups for which the alert type can schedule actions, each with the action group's unique ID and human readable name. 
Alert actions validation uses this configuration to ensure that groups are valid. items: type: object properties: id: type: string name: type: string type: array actionVariables: description: | A list of action variables that the alert type makes available via context and state in action parameter templates, and a short human readable description. The Alert UI will use this information to prompt users for these variables in action parameter editors. type: object properties: context: items: type: object properties: description: type: string name: type: string type: array params: items: type: object properties: description: type: string name: type: string type: array state: items: type: object properties: description: type: string name: type: string type: array authorizedConsumers: description: The list of the plugins IDs that have access to the alert type. type: object defaultActionGroupId: description: The default identifier for the alert type group. type: string enabledInLicense: description: Indicates whether the rule type is enabled based on the subscription. type: boolean id: description: The unique identifier for the alert type. type: string isExportable: description: Indicates whether the alert type is exportable in Saved Objects Management UI. type: boolean minimumLicenseRequired: description: The subscriptions required to use the alert type. type: string name: description: The descriptive name of the alert type. type: string producer: description: An identifier for the application that produces this alert type. type: string recoveryActionGroup: description: | An action group to use when an alert instance goes from an active state to an inactive one. If it is not specified, the default recovered action group is used. type: object properties: id: type: string name: type: string type: array description: Indicates a successful call. 
'401': content: application/json: schema: $ref: '#/components/schemas/Alerting_401_response' description: Authorization information is missing or invalid. summary: Get the alert types tags: - alerting /api/apm/agent_keys: post: description: Create a new agent key for APM. operationId: createAgentKey parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: schema: $ref: '#/components/schemas/APM_UI_agent_keys_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_agent_keys_response' description: Agent key created successfully '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response summary: Create an APM agent key tags: - APM agent keys /api/apm/fleet/apm_server_schema: post: operationId: saveApmServerSchema parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: schema: type: object properties: schema: additionalProperties: true description: Schema object example: foo: bar type: object required: true responses: '200': content: application/json: schema: additionalProperties: false type: object description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: 
Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Save APM server schema tags: - APM server schema /api/apm/services/{serviceName}/annotation: post: description: Create a new annotation for a specific service. operationId: createAnnotation parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - description: The name of the service in: path name: serviceName required: true schema: type: string requestBody: content: application/json: schema: $ref: '#/components/schemas/APM_UI_create_annotation_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_create_annotation_response' description: Annotation created successfully '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Create a service annotation tags: - APM annotations /api/apm/services/{serviceName}/annotation/search: get: description: Search for annotations related to a specific service. 
operationId: getAnnotation parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: The name of the service in: path name: serviceName required: true schema: type: string - description: The environment to filter annotations by in: query name: environment required: false schema: type: string - description: The start date for the search in: query name: start required: false schema: type: string - description: The end date for the search in: query name: end required: false schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_annotation_search_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response summary: Search for annotations tags: - APM annotations /api/apm/settings/agent-configuration: delete: operationId: deleteAgentConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: schema: $ref: '#/components/schemas/APM_UI_service_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: 
application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Delete agent configuration tags: - APM agent configuration get: operationId: getAgentConfigurations parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_agent_configurations_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get a list of agent configurations tags: - APM agent configuration put: operationId: createUpdateAgentConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - description: If the config exists ?overwrite=true is required in: query name: overwrite schema: type: boolean requestBody: content: application/json: schema: $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object' required: true responses: '200': content: application/json: schema: additionalProperties: false type: object description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Create or update agent configuration tags: - APM agent 
configuration /api/apm/settings/agent-configuration/agent_name: get: description: Retrieve `agentName` for a service. operationId: getAgentNameForService parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: The name of the service example: node in: query name: serviceName required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_service_agent_name_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get agent name for service tags: - APM agent configuration /api/apm/settings/agent-configuration/environments: get: operationId: getEnvironmentsForService parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: The name of the service in: query name: serviceName schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_service_environments_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get environments for service tags: - APM agent configuration /api/apm/settings/agent-configuration/search: post: description: | This endpoint lets you search for a single agent configuration and update the 'applied_by_agent' field.
operationId: searchSingleConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: application/json: schema: $ref: '#/components/schemas/APM_UI_search_agent_configuration_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_search_agent_configuration_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Lookup single agent configuration tags: - APM agent configuration /api/apm/settings/agent-configuration/view: get: operationId: getSingleAgentConfiguration parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: Service name example: node in: query name: name schema: type: string - description: Service environment example: prod in: query name: environment schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_single_agent_configuration_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/APM_UI_404_response' description: Not found response summary: Get single agent configuration tags: - APM agent configuration /api/apm/sourcemaps: get: description: Returns an array of Fleet artifacts, including source map uploads. 
operationId: getSourceMaps parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - description: Page number in: query name: page schema: type: number - description: Number of records per page in: query name: perPage schema: type: number responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_source_maps_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response '501': content: application/json: schema: $ref: '#/components/schemas/APM_UI_501_response' description: Not Implemented response summary: Get source maps tags: - APM sourcemaps post: description: Upload a source map for a specific service and version. 
operationId: uploadSourceMap parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' requestBody: content: multipart/form-data: schema: $ref: '#/components/schemas/APM_UI_upload_source_map_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/APM_UI_upload_source_maps_response' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response '501': content: application/json: schema: $ref: '#/components/schemas/APM_UI_501_response' description: Not Implemented response summary: Upload source map tags: - APM sourcemaps /api/apm/sourcemaps/{id}: delete: description: Delete a previously uploaded source map. 
operationId: deleteSourceMap parameters: - $ref: '#/components/parameters/APM_UI_elastic_api_version' - $ref: '#/components/parameters/APM_UI_kbn_xsrf' - description: Source map identifier in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/APM_UI_400_response' description: Bad Request response '401': content: application/json: schema: $ref: '#/components/schemas/APM_UI_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/APM_UI_403_response' description: Forbidden response '500': content: application/json: schema: $ref: '#/components/schemas/APM_UI_500_response' description: Internal Server Error response '501': content: application/json: schema: $ref: '#/components/schemas/APM_UI_501_response' description: Not Implemented response summary: Delete source map tags: - APM sourcemaps /api/asset_criticality: delete: description: Delete the asset criticality record for a specific entity. operationId: DeleteAssetCriticalityRecord parameters: - description: The ID value of the asset. example: my_host in: query name: id_value required: true schema: type: string - description: The field representing the ID. example: host.name in: query name: id_field required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - description: If 'wait_for' the request will wait for the index refresh. in: query name: refresh required: false schema: enum: - wait_for type: string responses: '200': content: application/json: schema: type: object properties: deleted: description: True if the record was deleted or false if the record did not exist. type: boolean record: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' description: The deleted record if it existed. 
required: - deleted description: Successful response '400': description: Invalid request summary: Delete an asset criticality record tags: - Security Entity Analytics API get: description: Get the asset criticality record for a specific entity. operationId: GetAssetCriticalityRecord parameters: - description: The ID value of the asset. example: my_host in: query name: id_value required: true schema: type: string - description: The field representing the ID. example: host.name in: query name: id_field required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' description: Successful response '400': description: Invalid request '404': description: Criticality record not found summary: Get an asset criticality record tags: - Security Entity Analytics API post: description: | Create or update an asset criticality record for a specific entity. If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created. operationId: CreateAssetCriticalityRecord requestBody: content: application/json: schema: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' - type: object properties: refresh: description: If 'wait_for' the request will wait for the index refresh. 
enum: - wait_for type: string example: criticality_level: high_impact id_field: host.name id_value: my_host required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' description: Successful response '400': description: Invalid request summary: Upsert an asset criticality record tags: - Security Entity Analytics API /api/asset_criticality/bulk: post: description: | Bulk upsert up to 1000 asset criticality records. If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created. operationId: BulkUpsertAssetCriticalityRecords requestBody: content: application/json: schema: example: records: - criticality_level: low_impact id_field: host.name id_value: host-1 - criticality_level: medium_impact id_field: host.name id_value: host-2 type: object properties: records: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' maxItems: 1000 minItems: 1 type: array required: - records responses: '200': content: application/json: schema: example: errors: - index: 0 message: Invalid ID field stats: failed: 1 successful: 1 total: 2 type: object properties: errors: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem' type: array stats: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats' required: - errors - stats description: Bulk upload successful '413': description: File too large summary: Bulk upsert asset criticality records tags: - Security Entity Analytics API /api/asset_criticality/list: get: description: List asset criticality records, paging, sorting and filtering as needed. operationId: FindAssetCriticalityRecords parameters: - description: The field to sort by. 
in: query name: sort_field required: false schema: enum: - id_value - id_field - criticality_level - \@timestamp type: string - description: The order to sort by. in: query name: sort_direction required: false schema: enum: - asc - desc type: string - description: The page number to return. in: query name: page required: false schema: minimum: 1 type: integer - description: The number of records to return per page. in: query name: per_page required: false schema: maximum: 1000 minimum: 1 type: integer - description: The kuery to filter by. in: query name: kuery required: false schema: type: string responses: '200': content: application/json: schema: example: page: 1 per_page: 10 records: - '@timestamp': '2024-08-02T14:40:35.705Z' asset: criticality: medium_impact criticality_level: medium_impact host: asset: criticality: medium_impact name: my_other_host id_field: host.name id_value: my_other_host - '@timestamp': '2024-08-02T11:15:34.290Z' asset: criticality: high_impact criticality_level: high_impact host: asset: criticality: high_impact name: my_host id_field: host.name id_value: my_host total: 2 type: object properties: page: minimum: 1 type: integer per_page: maximum: 1000 minimum: 1 type: integer records: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord' type: array total: minimum: 0 type: integer required: - records - page - per_page - total description: Successfully retrieved asset criticality records summary: List asset criticality records tags: - Security Entity Analytics API /api/cases: delete: description: | You must have `read` or `all` privileges and the `delete` sub-feature privilege for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. 
operationId: deleteCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_ids' responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Delete cases tags: - cases patch: description: | You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. operationId: updateCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: examples: updateCaseRequest: $ref: '#/components/examples/Cases_update_case_request' schema: $ref: '#/components/schemas/Cases_update_case_request' responses: '200': content: application/json: examples: updateCaseResponse: $ref: '#/components/examples/Cases_update_case_response' schema: items: $ref: '#/components/schemas/Cases_case_response_properties' type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Update cases tags: - cases post: description: | You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. 
operationId: createCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: examples: createCaseRequest: $ref: '#/components/examples/Cases_create_case_request' schema: $ref: '#/components/schemas/Cases_create_case_request' required: true responses: '200': content: application/json: examples: createCaseResponse: $ref: '#/components/examples/Cases_create_case_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Create a case tags: - cases /api/cases/_find: get: description: | You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: findCasesDefaultSpace parameters: - $ref: '#/components/parameters/Cases_assignees_filter' - $ref: '#/components/parameters/Cases_category' - $ref: '#/components/parameters/Cases_defaultSearchOperator' - $ref: '#/components/parameters/Cases_from' - $ref: '#/components/parameters/Cases_owner_filter' - $ref: '#/components/parameters/Cases_page_index' - $ref: '#/components/parameters/Cases_page_size' - $ref: '#/components/parameters/Cases_reporters' - $ref: '#/components/parameters/Cases_search' - $ref: '#/components/parameters/Cases_searchFields' - $ref: '#/components/parameters/Cases_severity' - $ref: '#/components/parameters/Cases_sortField' - $ref: '#/components/parameters/Cases_sort_order' - $ref: '#/components/parameters/Cases_status' - $ref: '#/components/parameters/Cases_tags' - $ref: '#/components/parameters/Cases_to' responses: '200': content: application/json: examples: findCaseResponse: $ref: '#/components/examples/Cases_find_case_response' schema: type: object properties: cases: 
items: $ref: '#/components/schemas/Cases_case_response_properties' maxItems: 10000 type: array count_closed_cases: type: integer count_in_progress_cases: type: integer count_open_cases: type: integer page: type: integer per_page: type: integer total: type: integer description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Search cases tags: - cases /api/cases/{caseId}: get: description: | You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. operationId: getCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_includeComments' responses: '200': content: application/json: examples: getDefaultCaseResponse: $ref: '#/components/examples/Cases_get_case_response' getDefaultObservabilityCaseReponse: $ref: '#/components/examples/Cases_get_case_observability_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case information tags: - cases /api/cases/{caseId}/alerts: get: description: | You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. 
operationId: getCaseAlertsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' responses: '200': content: application/json: examples: getCaseAlertsResponse: $ref: '#/components/examples/Cases_get_case_alerts_response' schema: items: $ref: '#/components/schemas/Cases_alert_response_properties' type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get all alerts for a case tags: - cases x-state: Technical preview /api/cases/{caseId}/comments: delete: description: | Deletes all comments and alerts from a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. operationId: deleteCaseCommentsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Delete all case comments and alerts tags: - cases get: deprecated: true description: | Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; instead, use the get case comment API, which requires a comment identifier in the path. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. 
operationId: getAllCaseCommentsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get all case comments tags: - cases patch: description: | You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. NOTE: You cannot change the comment type or the owner of a comment. operationId: updateCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' requestBody: content: application/json: examples: updateCaseCommentRequest: $ref: '#/components/examples/Cases_update_comment_request' schema: $ref: '#/components/schemas/Cases_update_case_comment_request' required: true responses: '200': content: application/json: examples: updateCaseCommentResponse: $ref: '#/components/examples/Cases_update_comment_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Update a case comment or alert tags: - cases post: description: | You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're creating. NOTE: Each case can have a maximum of 1,000 alerts. 
operationId: addCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' requestBody: content: application/json: examples: createCaseCommentRequest: $ref: '#/components/examples/Cases_add_comment_request' schema: $ref: '#/components/schemas/Cases_add_case_comment_request' required: true responses: '200': content: application/json: examples: createCaseCommentResponse: $ref: '#/components/examples/Cases_add_comment_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Add a case comment or alert tags: - cases /api/cases/{caseId}/comments/_find: get: description: | Retrieves a paginated list of comments for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. operationId: findCaseCommentsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_page_index' - $ref: '#/components/parameters/Cases_page_size' - $ref: '#/components/parameters/Cases_sort_order' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. 
summary: Find case comments and alerts tags: - cases /api/cases/{caseId}/comments/{commentId}: delete: description: | You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're deleting. operationId: deleteCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_comment_id' responses: '204': description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Delete a case comment or alert tags: - cases get: description: | You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases with the comments you're seeking. operationId: getCaseCommentDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_comment_id' responses: '200': content: application/json: examples: getCaseCommentResponse: $ref: '#/components/examples/Cases_get_comment_response' schema: oneOf: - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - $ref: '#/components/schemas/Cases_user_comment_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get a case comment or alert tags: - cases /api/cases/{caseId}/connector/{connectorId}/_push: post: description: | You must have `all` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. 
You must also have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're pushing. operationId: pushCaseDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_connector_id' - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: schema: nullable: true type: object responses: '200': content: application/json: examples: pushCaseResponse: $ref: '#/components/examples/Cases_push_case_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Push a case to an external service tags: - cases /api/cases/{caseId}/files: post: description: | Attach a file to a case. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're updating. The request must include: - The `Content-Type: multipart/form-data` HTTP header. - The location of the file that is being uploaded. operationId: addCaseFileDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_case_id' requestBody: content: multipart/form-data: schema: $ref: '#/components/schemas/Cases_add_case_file_request' required: true responses: '200': content: application/json: examples: addCaseFileResponse: $ref: '#/components/examples/Cases_add_comment_response' schema: $ref: '#/components/schemas/Cases_case_response_properties' description: Indicates a successful call. 
'401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Attach a file to a case tags: - cases /api/cases/{caseId}/user_actions: get: deprecated: true description: | Returns all user activity for a case. Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find user actions API instead. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. operationId: getCaseActivityDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' responses: '200': content: application/json: schema: items: $ref: '#/components/schemas/Cases_user_actions_response_properties' type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case activity tags: - cases /api/cases/{caseId}/user_actions/_find: get: description: | Retrieves a paginated list of user activity for a case. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the case you're seeking. 
operationId: findCaseActivityDefaultSpace parameters: - $ref: '#/components/parameters/Cases_case_id' - $ref: '#/components/parameters/Cases_page_index' - $ref: '#/components/parameters/Cases_page_size' - $ref: '#/components/parameters/Cases_sort_order' - $ref: '#/components/parameters/Cases_user_action_types' responses: '200': content: application/json: examples: findCaseActivityResponse: $ref: '#/components/examples/Cases_find_case_activity_response' schema: type: object properties: page: type: integer perPage: type: integer total: type: integer userActions: items: $ref: '#/components/schemas/Cases_user_actions_find_response_properties' maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Find case activity tags: - cases /api/cases/alerts/{alertId}: get: description: | You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: getCasesByAlertDefaultSpace parameters: - $ref: '#/components/parameters/Cases_alert_id' - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: schema: example: - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 title: security_case items: type: object properties: id: description: The case identifier. type: string title: description: The case title. type: string maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. 
summary: Get cases for an alert tags: - cases x-state: Technical preview /api/cases/configure: get: description: | Get setting details such as the closure type, custom fields, templates, and the default connector for cases. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the cases were created. operationId: getCaseConfigurationDefaultSpace parameters: - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: examples: getConfigurationResponse: $ref: '#/components/examples/Cases_get_case_configuration_response' schema: items: type: object properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' created_at: example: '2022-06-01T17:07:17.767Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username customFields: description: Custom fields configuration details. 
items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean type: array error: example: null nullable: true type: string id: example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 type: string mappings: items: type: object properties: action_type: example: overwrite type: string source: example: title type: string target: example: summary type: string type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' updated_at: example: '2022-06-01T19:58:48.169Z' format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzIwNzMsMV0= type: string type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. 
summary: Get case settings tags: - cases post: description: | Case settings include external connection details, custom fields, and templates. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. If you set a default connector, it is automatically selected when you create cases in Kibana. If you use the create case API, however, you must still specify all of the connector details. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where you are creating cases. operationId: setCaseConfigurationDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' requestBody: content: application/json: examples: setCaseConfigRequest: $ref: '#/components/examples/Cases_set_case_configuration_request' schema: $ref: '#/components/schemas/Cases_set_case_configuration_request' responses: '200': content: application/json: examples: setCaseConfigResponse: $ref: '#/components/examples/Cases_set_case_configuration_response' schema: type: object properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. 
example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' created_at: example: '2022-06-01T17:07:17.767Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username customFields: description: Custom fields configuration details. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. 
type: boolean type: array error: example: null nullable: true type: string id: example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 type: string mappings: items: type: object properties: action_type: example: overwrite type: string source: example: title type: string target: example: summary type: string type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' updated_at: example: '2022-06-01T19:58:48.169Z' format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzIwNzMsMV0= type: string description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Add case settings tags: - cases /api/cases/configure/{configurationId}: patch: description: | Updates setting details such as the closure type, custom fields, templates, and the default connector for cases. Connectors are used to interface with external systems. You must create a connector before you can use it in your cases. You must have `all` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on where the case was created. 
operationId: updateCaseConfigurationDefaultSpace parameters: - $ref: '#/components/parameters/Cases_kbn_xsrf' - $ref: '#/components/parameters/Cases_configuration_id' requestBody: content: application/json: examples: updateCaseConfigurationRequest: $ref: '#/components/examples/Cases_update_case_configuration_request' schema: $ref: '#/components/schemas/Cases_update_case_configuration_request' responses: '200': content: application/json: examples: updateCaseConfigurationResponse: $ref: '#/components/examples/Cases_update_case_configuration_response' schema: type: object properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' created_at: example: '2022-06-01T17:07:17.767Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username customFields: description: Custom fields configuration details. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. 
oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean type: array error: example: null nullable: true type: string id: example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 type: string mappings: items: type: object properties: action_type: example: overwrite type: string source: example: title type: string target: example: summary type: string type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' updated_at: example: '2022-06-01T19:58:48.169Z' format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzIwNzMsMV0= type: string description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Update case settings tags: - cases /api/cases/configure/connectors/_find: get: description: | Get information about connectors that are supported for use in cases. 
You must have `read` privileges for the **Actions and Connectors** feature in the **Management** section of the Kibana feature privileges. operationId: findCaseConnectorsDefaultSpace responses: '200': content: application/json: examples: findConnectorResponse: $ref: '#/components/examples/Cases_find_connector_response' schema: items: type: object properties: actionTypeId: $ref: '#/components/schemas/Cases_connector_types' config: additionalProperties: true type: object properties: apiUrl: type: string projectKey: type: string id: type: string isDeprecated: type: boolean isMissingSecrets: type: boolean isPreconfigured: type: boolean name: type: string referencedByCount: type: integer maxItems: 1000 type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case connectors tags: - cases /api/cases/reporters: get: description: | Returns information about the users who opened cases. You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases. The API returns information about the users as they existed at the time of the case creation, including their name, full name, and email address. If any of those details change thereafter or if a user is deleted, the information returned by this API is unchanged. 
operationId: getCaseReportersDefaultSpace parameters: - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: examples: getReportersResponse: $ref: '#/components/examples/Cases_get_reporters_response' schema: items: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case creators tags: - cases /api/cases/status: get: deprecated: true description: | Returns the number of cases that are open, closed, and in progress. Deprecated in 8.1.0. This API is deprecated and will be removed in a future release; use the find cases API instead. You must have `read` privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: getCaseStatusDefaultSpace parameters: - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: schema: type: object properties: count_closed_cases: type: integer count_in_progress_cases: type: integer count_open_cases: type: integer description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case status summary tags: - cases /api/cases/tags: get: description: | Aggregates and returns a list of case tags. 
You must have read privileges for the **Cases** feature in the **Management**, **Observability**, or **Security** section of the Kibana feature privileges, depending on the owner of the cases you're seeking. operationId: getCaseTagsDefaultSpace parameters: - $ref: '#/components/parameters/Cases_owner_filter' responses: '200': content: application/json: examples: getTagsResponse: $ref: '#/components/examples/Cases_get_tags_response' schema: items: type: string maxItems: 10000 type: array description: Indicates a successful call. '401': content: application/json: schema: $ref: '#/components/schemas/Cases_4xx_response' description: Authorization information is missing or invalid. summary: Get case tags tags: - cases /api/dashboards/dashboard: get: description: This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. operationId: get-dashboards-dashboard parameters: - description: The page number to return. Default is "1". in: query name: page required: false schema: default: 1 minimum: 1 type: number - description: The number of dashboards to display on each page (max 1000). Default is "20". in: query name: perPage required: false schema: maximum: 1000 minimum: 1 type: number responses: '200': content: application/json: schema: additionalProperties: false type: object properties: items: items: additionalProperties: true type: object properties: attributes: additionalProperties: false type: object properties: description: default: '' description: A short description. 
type: string timeRestore: default: false description: Whether to restore time upon viewing this dashboard type: boolean title: description: A human-readable title for the dashboard type: string required: - title createdAt: type: string createdBy: type: string error: additionalProperties: false type: object properties: error: type: string message: type: string metadata: additionalProperties: true type: object properties: {} statusCode: type: number required: - error - message - statusCode id: type: string managed: type: boolean namespaces: items: type: string type: array originId: type: string references: items: additionalProperties: false type: object properties: id: type: string name: type: string type: type: string required: - name - type - id type: array type: type: string updatedAt: type: string updatedBy: type: string version: type: string required: - id - type - attributes - references type: array total: type: number required: - items - total summary: Get a list of dashboards tags: - Dashboards x-state: Technical Preview /api/dashboards/dashboard/{id}: delete: description: This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. operationId: delete-dashboards-dashboard-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: A unique identifier for the dashboard. in: path name: id required: true schema: type: string responses: {} summary: Delete a dashboard tags: - Dashboards x-state: Technical Preview get: description: This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. 
operationId: get-dashboards-dashboard-id parameters: - description: A unique identifier for the dashboard. in: path name: id required: true schema: type: string responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: true type: object properties: attributes: additionalProperties: false type: object properties: controlGroupInput: additionalProperties: false type: object properties: autoApplySelections: default: true description: Show apply selections button in controls. type: boolean chainingSystem: default: HIERARCHICAL description: The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE". enum: - NONE - HIERARCHICAL type: string controls: default: [] description: An array of control panels and their state in the control group. items: additionalProperties: true type: object properties: controlConfig: additionalProperties: {} type: object grow: default: false description: Expand width of the control panel to fit available space. type: boolean id: description: The unique ID of the control. type: string order: description: The order of the control panel in the control group. type: number type: description: The type of the control panel. type: string width: default: medium description: Minimum width of the control panel in the control group. enum: - small - medium - large type: string required: - type - order type: array enhancements: additionalProperties: {} type: object ignoreParentSettings: additionalProperties: false type: object properties: ignoreFilters: default: false description: Ignore global filters in controls. type: boolean ignoreQuery: default: false description: Ignore the global query bar in controls. type: boolean ignoreTimerange: default: false description: Ignore the global time range in controls. type: boolean ignoreValidations: default: false description: Ignore validations in controls. 
type: boolean labelPosition: default: oneLine description: Position of the labels for controls. For example, "oneLine", "twoLine". enum: - oneLine - twoLine type: string required: - ignoreParentSettings description: default: '' description: A short description. type: string kibanaSavedObjectMeta: additionalProperties: false default: {} description: A container for various metadata type: object properties: searchSource: additionalProperties: true type: object properties: filter: items: additionalProperties: false description: A filter for the search source. type: object properties: $state: additionalProperties: false type: object properties: store: description: Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState'). enum: - appState - globalState type: string required: - store meta: additionalProperties: true type: object properties: alias: nullable: true type: string controlledBy: type: string disabled: type: boolean field: type: string group: type: string index: type: string isMultiIndex: type: boolean key: type: string negate: type: boolean params: {} type: type: string value: type: string required: - params query: additionalProperties: {} type: object required: - meta type: array query: additionalProperties: false type: object properties: language: description: The query language such as KQL or Lucene. type: string query: anyOf: - description: A text-based query such as Kibana Query Language (KQL) or Lucene query language. 
type: string - additionalProperties: {} type: object required: - query - language sort: items: additionalProperties: anyOf: - enum: - asc - desc type: string - additionalProperties: false type: object properties: format: type: string order: enum: - asc - desc type: string required: - order - additionalProperties: false type: object properties: numeric_type: enum: - double - long - date - date_nanos type: string order: enum: - asc - desc type: string required: - order type: object type: array type: type: string options: additionalProperties: false type: object properties: hidePanelTitles: default: false description: Hide the panel titles in the dashboard. type: boolean syncColors: default: true description: Synchronize colors between related panels in the dashboard. type: boolean syncCursor: default: true description: Synchronize cursor position between related panels in the dashboard. type: boolean syncTooltips: default: true description: Synchronize tooltips between related panels in the dashboard. type: boolean useMargins: default: true description: Show margins between panels in the dashboard layout. type: boolean panels: default: [] items: additionalProperties: false type: object properties: gridData: additionalProperties: false type: object properties: h: default: 15 description: The height of the panel in grid units minimum: 1 type: number i: type: string w: default: 24 description: The width of the panel in grid units maximum: 48 minimum: 1 type: number x: description: The x coordinate of the panel in grid units type: number 'y': description: The y coordinate of the panel in grid units type: number required: - x - 'y' - i id: description: The saved object id for by reference panels type: string panelConfig: additionalProperties: true type: object properties: description: description: The description of the panel type: string enhancements: additionalProperties: {} type: object hidePanelTitles: description: Set to true to hide the panel title in its container. 
type: boolean savedObjectId: description: The unique id of the library item to construct the embeddable. type: string title: description: The title of the panel type: string version: description: The version of the embeddable in the panel. type: string panelIndex: type: string panelRefName: type: string title: description: The title of the panel type: string type: description: The embeddable type type: string version: deprecated: true description: The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type). type: string required: - panelConfig - type - gridData - panelIndex type: array refreshInterval: additionalProperties: false description: A container for various refresh interval settings type: object properties: display: deprecated: true description: A human-readable string indicating the refresh frequency. No longer used. type: string pause: description: Whether the refresh interval is set to be paused while viewing the dashboard. type: boolean section: deprecated: true description: No longer used. type: number value: description: A numeric value indicating refresh frequency in milliseconds. 
type: number required: - pause - value timeFrom: description: An ISO string indicating when to restore time from type: string timeRestore: default: false description: Whether to restore time upon viewing this dashboard type: boolean timeTo: description: An ISO string indicating when to restore time from type: string title: description: A human-readable title for the dashboard type: string version: deprecated: true type: number required: - title - options createdAt: type: string createdBy: type: string error: additionalProperties: false type: object properties: error: type: string message: type: string metadata: additionalProperties: true type: object properties: {} statusCode: type: number required: - error - message - statusCode id: type: string managed: type: boolean namespaces: items: type: string type: array originId: type: string references: items: additionalProperties: false type: object properties: id: type: string name: type: string type: type: string required: - name - type - id type: array type: type: string updatedAt: type: string updatedBy: type: string version: type: string required: - id - type - attributes - references meta: additionalProperties: false type: object properties: aliasPurpose: enum: - savedObjectConversion - savedObjectImport type: string aliasTargetId: type: string outcome: enum: - exactMatch - aliasMatch - conflict type: string required: - outcome required: - item - meta summary: Get a dashboard tags: - Dashboards x-state: Technical Preview post: description: This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. operationId: post-dashboards-dashboard-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: A unique identifier for the dashboard. 
in: path name: id required: false schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: controlGroupInput: additionalProperties: false type: object properties: autoApplySelections: default: true description: Show apply selections button in controls. type: boolean chainingSystem: default: HIERARCHICAL description: The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE". enum: - NONE - HIERARCHICAL type: string controls: default: [] description: An array of control panels and their state in the control group. items: additionalProperties: true type: object properties: controlConfig: additionalProperties: {} type: object grow: default: false description: Expand width of the control panel to fit available space. type: boolean id: description: The unique ID of the control. type: string order: description: The order of the control panel in the control group. type: number type: description: The type of the control panel. type: string width: default: medium description: Minimum width of the control panel in the control group. enum: - small - medium - large type: string required: - type - order type: array enhancements: additionalProperties: {} type: object ignoreParentSettings: additionalProperties: false type: object properties: ignoreFilters: default: false description: Ignore global filters in controls. type: boolean ignoreQuery: default: false description: Ignore the global query bar in controls. type: boolean ignoreTimerange: default: false description: Ignore the global time range in controls. type: boolean ignoreValidations: default: false description: Ignore validations in controls. type: boolean labelPosition: default: oneLine description: Position of the labels for controls. For example, "oneLine", "twoLine". 
enum: - oneLine - twoLine type: string required: - ignoreParentSettings description: default: '' description: A short description. type: string kibanaSavedObjectMeta: additionalProperties: false default: {} description: A container for various metadata type: object properties: searchSource: additionalProperties: true type: object properties: filter: items: additionalProperties: false description: A filter for the search source. type: object properties: $state: additionalProperties: false type: object properties: store: description: Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState'). enum: - appState - globalState type: string required: - store meta: additionalProperties: true type: object properties: alias: nullable: true type: string controlledBy: type: string disabled: type: boolean field: type: string group: type: string index: type: string isMultiIndex: type: boolean key: type: string negate: type: boolean params: {} type: type: string value: type: string required: - params query: additionalProperties: {} type: object required: - meta type: array query: additionalProperties: false type: object properties: language: description: The query language such as KQL or Lucene. type: string query: anyOf: - description: A text-based query such as Kibana Query Language (KQL) or Lucene query language. 
type: string - additionalProperties: {} type: object required: - query - language sort: items: additionalProperties: anyOf: - enum: - asc - desc type: string - additionalProperties: false type: object properties: format: type: string order: enum: - asc - desc type: string required: - order - additionalProperties: false type: object properties: numeric_type: enum: - double - long - date - date_nanos type: string order: enum: - asc - desc type: string required: - order type: object type: array type: type: string options: additionalProperties: false type: object properties: hidePanelTitles: default: false description: Hide the panel titles in the dashboard. type: boolean syncColors: default: true description: Synchronize colors between related panels in the dashboard. type: boolean syncCursor: default: true description: Synchronize cursor position between related panels in the dashboard. type: boolean syncTooltips: default: true description: Synchronize tooltips between related panels in the dashboard. type: boolean useMargins: default: true description: Show margins between panels in the dashboard layout. 
type: boolean panels: default: [] items: additionalProperties: false type: object properties: gridData: additionalProperties: false type: object properties: h: default: 15 description: The height of the panel in grid units minimum: 1 type: number i: description: The unique identifier of the panel type: string w: default: 24 description: The width of the panel in grid units maximum: 48 minimum: 1 type: number x: description: The x coordinate of the panel in grid units type: number 'y': description: The y coordinate of the panel in grid units type: number required: - x - 'y' id: description: The saved object id for by reference panels type: string panelConfig: additionalProperties: true type: object properties: description: description: The description of the panel type: string enhancements: additionalProperties: {} type: object hidePanelTitles: description: Set to true to hide the panel title in its container. type: boolean savedObjectId: description: The unique id of the library item to construct the embeddable. type: string title: description: The title of the panel type: string version: description: The version of the embeddable in the panel. type: string panelIndex: description: The unique ID of the panel. type: string panelRefName: type: string title: description: The title of the panel type: string type: description: The embeddable type type: string version: deprecated: true description: The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type). type: string required: - panelConfig - type - gridData type: array refreshInterval: additionalProperties: false description: A container for various refresh interval settings type: object properties: display: deprecated: true description: A human-readable string indicating the refresh frequency. No longer used. 
type: string pause: description: Whether the refresh interval is set to be paused while viewing the dashboard. type: boolean section: deprecated: true description: No longer used. type: number value: description: A numeric value indicating refresh frequency in milliseconds. type: number required: - pause - value timeFrom: description: An ISO string indicating when to restore time from type: string timeRestore: default: false description: Whether to restore time upon viewing this dashboard type: boolean timeTo: description: An ISO string indicating when to restore time from type: string title: description: A human-readable title for the dashboard type: string version: deprecated: true type: number required: - title - options references: items: additionalProperties: false type: object properties: id: type: string name: type: string type: type: string required: - name - type - id type: array spaces: items: type: string type: array required: - attributes responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: true type: object properties: attributes: additionalProperties: false type: object properties: controlGroupInput: additionalProperties: false type: object properties: autoApplySelections: default: true description: Show apply selections button in controls. type: boolean chainingSystem: default: HIERARCHICAL description: The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE". enum: - NONE - HIERARCHICAL type: string controls: default: [] description: An array of control panels and their state in the control group. items: additionalProperties: true type: object properties: controlConfig: additionalProperties: {} type: object grow: default: false description: Expand width of the control panel to fit available space. type: boolean id: description: The unique ID of the control. type: string order: description: The order of the control panel in the control group. 
type: number type: description: The type of the control panel. type: string width: default: medium description: Minimum width of the control panel in the control group. enum: - small - medium - large type: string required: - type - order type: array enhancements: additionalProperties: {} type: object ignoreParentSettings: additionalProperties: false type: object properties: ignoreFilters: default: false description: Ignore global filters in controls. type: boolean ignoreQuery: default: false description: Ignore the global query bar in controls. type: boolean ignoreTimerange: default: false description: Ignore the global time range in controls. type: boolean ignoreValidations: default: false description: Ignore validations in controls. type: boolean labelPosition: default: oneLine description: Position of the labels for controls. For example, "oneLine", "twoLine". enum: - oneLine - twoLine type: string required: - ignoreParentSettings description: default: '' description: A short description. type: string kibanaSavedObjectMeta: additionalProperties: false default: {} description: A container for various metadata type: object properties: searchSource: additionalProperties: true type: object properties: filter: items: additionalProperties: false description: A filter for the search source. type: object properties: $state: additionalProperties: false type: object properties: store: description: Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState'). 
enum: - appState - globalState type: string required: - store meta: additionalProperties: true type: object properties: alias: nullable: true type: string controlledBy: type: string disabled: type: boolean field: type: string group: type: string index: type: string isMultiIndex: type: boolean key: type: string negate: type: boolean params: {} type: type: string value: type: string required: - params query: additionalProperties: {} type: object required: - meta type: array query: additionalProperties: false type: object properties: language: description: The query language such as KQL or Lucene. type: string query: anyOf: - description: A text-based query such as Kibana Query Language (KQL) or Lucene query language. type: string - additionalProperties: {} type: object required: - query - language sort: items: additionalProperties: anyOf: - enum: - asc - desc type: string - additionalProperties: false type: object properties: format: type: string order: enum: - asc - desc type: string required: - order - additionalProperties: false type: object properties: numeric_type: enum: - double - long - date - date_nanos type: string order: enum: - asc - desc type: string required: - order type: object type: array type: type: string options: additionalProperties: false type: object properties: hidePanelTitles: default: false description: Hide the panel titles in the dashboard. type: boolean syncColors: default: true description: Synchronize colors between related panels in the dashboard. type: boolean syncCursor: default: true description: Synchronize cursor position between related panels in the dashboard. type: boolean syncTooltips: default: true description: Synchronize tooltips between related panels in the dashboard. type: boolean useMargins: default: true description: Show margins between panels in the dashboard layout. 
type: boolean panels: default: [] items: additionalProperties: false type: object properties: gridData: additionalProperties: false type: object properties: h: default: 15 description: The height of the panel in grid units minimum: 1 type: number i: type: string w: default: 24 description: The width of the panel in grid units maximum: 48 minimum: 1 type: number x: description: The x coordinate of the panel in grid units type: number 'y': description: The y coordinate of the panel in grid units type: number required: - x - 'y' - i id: description: The saved object id for by reference panels type: string panelConfig: additionalProperties: true type: object properties: description: description: The description of the panel type: string enhancements: additionalProperties: {} type: object hidePanelTitles: description: Set to true to hide the panel title in its container. type: boolean savedObjectId: description: The unique id of the library item to construct the embeddable. type: string title: description: The title of the panel type: string version: description: The version of the embeddable in the panel. type: string panelIndex: type: string panelRefName: type: string title: description: The title of the panel type: string type: description: The embeddable type type: string version: deprecated: true description: The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type). type: string required: - panelConfig - type - gridData - panelIndex type: array refreshInterval: additionalProperties: false description: A container for various refresh interval settings type: object properties: display: deprecated: true description: A human-readable string indicating the refresh frequency. No longer used. 
type: string pause: description: Whether the refresh interval is set to be paused while viewing the dashboard. type: boolean section: deprecated: true description: No longer used. type: number value: description: A numeric value indicating refresh frequency in milliseconds. type: number required: - pause - value timeFrom: description: An ISO string indicating when to restore time from type: string timeRestore: default: false description: Whether to restore time upon viewing this dashboard type: boolean timeTo: description: An ISO string indicating when to restore time from type: string title: description: A human-readable title for the dashboard type: string version: deprecated: true type: number required: - title - options createdAt: type: string createdBy: type: string error: additionalProperties: false type: object properties: error: type: string message: type: string metadata: additionalProperties: true type: object properties: {} statusCode: type: number required: - error - message - statusCode id: type: string managed: type: boolean namespaces: items: type: string type: array originId: type: string references: items: additionalProperties: false type: object properties: id: type: string name: type: string type: type: string required: - name - type - id type: array type: type: string updatedAt: type: string updatedBy: type: string version: type: string required: - id - type - attributes - references required: - item summary: Create a dashboard tags: - Dashboards x-state: Technical Preview put: description: This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. 
operationId: put-dashboards-dashboard-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: A unique identifier for the dashboard. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: attributes: additionalProperties: false type: object properties: controlGroupInput: additionalProperties: false type: object properties: autoApplySelections: default: true description: Show apply selections button in controls. type: boolean chainingSystem: default: HIERARCHICAL description: The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE". enum: - NONE - HIERARCHICAL type: string controls: default: [] description: An array of control panels and their state in the control group. items: additionalProperties: true type: object properties: controlConfig: additionalProperties: {} type: object grow: default: false description: Expand width of the control panel to fit available space. type: boolean id: description: The unique ID of the control. type: string order: description: The order of the control panel in the control group. type: number type: description: The type of the control panel. type: string width: default: medium description: Minimum width of the control panel in the control group. enum: - small - medium - large type: string required: - type - order type: array enhancements: additionalProperties: {} type: object ignoreParentSettings: additionalProperties: false type: object properties: ignoreFilters: default: false description: Ignore global filters in controls. type: boolean ignoreQuery: default: false description: Ignore the global query bar in controls. type: boolean ignoreTimerange: default: false description: Ignore the global time range in controls. 
type: boolean ignoreValidations: default: false description: Ignore validations in controls. type: boolean labelPosition: default: oneLine description: Position of the labels for controls. For example, "oneLine", "twoLine". enum: - oneLine - twoLine type: string required: - ignoreParentSettings description: default: '' description: A short description. type: string kibanaSavedObjectMeta: additionalProperties: false default: {} description: A container for various metadata type: object properties: searchSource: additionalProperties: true type: object properties: filter: items: additionalProperties: false description: A filter for the search source. type: object properties: $state: additionalProperties: false type: object properties: store: description: Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState'). enum: - appState - globalState type: string required: - store meta: additionalProperties: true type: object properties: alias: nullable: true type: string controlledBy: type: string disabled: type: boolean field: type: string group: type: string index: type: string isMultiIndex: type: boolean key: type: string negate: type: boolean params: {} type: type: string value: type: string required: - params query: additionalProperties: {} type: object required: - meta type: array query: additionalProperties: false type: object properties: language: description: The query language such as KQL or Lucene. type: string query: anyOf: - description: A text-based query such as Kibana Query Language (KQL) or Lucene query language. 
type: string - additionalProperties: {} type: object required: - query - language sort: items: additionalProperties: anyOf: - enum: - asc - desc type: string - additionalProperties: false type: object properties: format: type: string order: enum: - asc - desc type: string required: - order - additionalProperties: false type: object properties: numeric_type: enum: - double - long - date - date_nanos type: string order: enum: - asc - desc type: string required: - order type: object type: array type: type: string options: additionalProperties: false type: object properties: hidePanelTitles: default: false description: Hide the panel titles in the dashboard. type: boolean syncColors: default: true description: Synchronize colors between related panels in the dashboard. type: boolean syncCursor: default: true description: Synchronize cursor position between related panels in the dashboard. type: boolean syncTooltips: default: true description: Synchronize tooltips between related panels in the dashboard. type: boolean useMargins: default: true description: Show margins between panels in the dashboard layout. 
type: boolean panels: default: [] items: additionalProperties: false type: object properties: gridData: additionalProperties: false type: object properties: h: default: 15 description: The height of the panel in grid units minimum: 1 type: number i: description: The unique identifier of the panel type: string w: default: 24 description: The width of the panel in grid units maximum: 48 minimum: 1 type: number x: description: The x coordinate of the panel in grid units type: number 'y': description: The y coordinate of the panel in grid units type: number required: - x - 'y' id: description: The saved object id for by reference panels type: string panelConfig: additionalProperties: true type: object properties: description: description: The description of the panel type: string enhancements: additionalProperties: {} type: object hidePanelTitles: description: Set to true to hide the panel title in its container. type: boolean savedObjectId: description: The unique id of the library item to construct the embeddable. type: string title: description: The title of the panel type: string version: description: The version of the embeddable in the panel. type: string panelIndex: description: The unique ID of the panel. type: string panelRefName: type: string title: description: The title of the panel type: string type: description: The embeddable type type: string version: deprecated: true description: The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type). type: string required: - panelConfig - type - gridData type: array refreshInterval: additionalProperties: false description: A container for various refresh interval settings type: object properties: display: deprecated: true description: A human-readable string indicating the refresh frequency. No longer used. 
type: string pause: description: Whether the refresh interval is set to be paused while viewing the dashboard. type: boolean section: deprecated: true description: No longer used. type: number value: description: A numeric value indicating refresh frequency in milliseconds. type: number required: - pause - value timeFrom: description: An ISO string indicating when to restore time from type: string timeRestore: default: false description: Whether to restore time upon viewing this dashboard type: boolean timeTo: description: An ISO string indicating when to restore time from type: string title: description: A human-readable title for the dashboard type: string version: deprecated: true type: number required: - title - options references: items: additionalProperties: false type: object properties: id: type: string name: type: string type: type: string required: - name - type - id type: array required: - attributes responses: '200': content: application/json: schema: additionalProperties: false type: object properties: item: additionalProperties: true type: object properties: attributes: additionalProperties: false type: object properties: controlGroupInput: additionalProperties: false type: object properties: autoApplySelections: default: true description: Show apply selections button in controls. type: boolean chainingSystem: default: HIERARCHICAL description: The chaining strategy for multiple controls. For example, "HIERARCHICAL" or "NONE". enum: - NONE - HIERARCHICAL type: string controls: default: [] description: An array of control panels and their state in the control group. items: additionalProperties: true type: object properties: controlConfig: additionalProperties: {} type: object grow: default: false description: Expand width of the control panel to fit available space. type: boolean id: description: The unique ID of the control. type: string order: description: The order of the control panel in the control group. 
type: number type: description: The type of the control panel. type: string width: default: medium description: Minimum width of the control panel in the control group. enum: - small - medium - large type: string required: - type - order type: array enhancements: additionalProperties: {} type: object ignoreParentSettings: additionalProperties: false type: object properties: ignoreFilters: default: false description: Ignore global filters in controls. type: boolean ignoreQuery: default: false description: Ignore the global query bar in controls. type: boolean ignoreTimerange: default: false description: Ignore the global time range in controls. type: boolean ignoreValidations: default: false description: Ignore validations in controls. type: boolean labelPosition: default: oneLine description: Position of the labels for controls. For example, "oneLine", "twoLine". enum: - oneLine - twoLine type: string required: - ignoreParentSettings description: default: '' description: A short description. type: string kibanaSavedObjectMeta: additionalProperties: false default: {} description: A container for various metadata type: object properties: searchSource: additionalProperties: true type: object properties: filter: items: additionalProperties: false description: A filter for the search source. type: object properties: $state: additionalProperties: false type: object properties: store: description: Denote whether a filter is specific to an application's context (e.g. 'appState') or whether it should be applied globally (e.g. 'globalState'). 
enum: - appState - globalState type: string required: - store meta: additionalProperties: true type: object properties: alias: nullable: true type: string controlledBy: type: string disabled: type: boolean field: type: string group: type: string index: type: string isMultiIndex: type: boolean key: type: string negate: type: boolean params: {} type: type: string value: type: string required: - params query: additionalProperties: {} type: object required: - meta type: array query: additionalProperties: false type: object properties: language: description: The query language such as KQL or Lucene. type: string query: anyOf: - description: A text-based query such as Kibana Query Language (KQL) or Lucene query language. type: string - additionalProperties: {} type: object required: - query - language sort: items: additionalProperties: anyOf: - enum: - asc - desc type: string - additionalProperties: false type: object properties: format: type: string order: enum: - asc - desc type: string required: - order - additionalProperties: false type: object properties: numeric_type: enum: - double - long - date - date_nanos type: string order: enum: - asc - desc type: string required: - order type: object type: array type: type: string options: additionalProperties: false type: object properties: hidePanelTitles: default: false description: Hide the panel titles in the dashboard. type: boolean syncColors: default: true description: Synchronize colors between related panels in the dashboard. type: boolean syncCursor: default: true description: Synchronize cursor position between related panels in the dashboard. type: boolean syncTooltips: default: true description: Synchronize tooltips between related panels in the dashboard. type: boolean useMargins: default: true description: Show margins between panels in the dashboard layout. 
type: boolean panels: default: [] items: additionalProperties: false type: object properties: gridData: additionalProperties: false type: object properties: h: default: 15 description: The height of the panel in grid units minimum: 1 type: number i: type: string w: default: 24 description: The width of the panel in grid units maximum: 48 minimum: 1 type: number x: description: The x coordinate of the panel in grid units type: number 'y': description: The y coordinate of the panel in grid units type: number required: - x - 'y' - i id: description: The saved object id for by reference panels type: string panelConfig: additionalProperties: true type: object properties: description: description: The description of the panel type: string enhancements: additionalProperties: {} type: object hidePanelTitles: description: Set to true to hide the panel title in its container. type: boolean savedObjectId: description: The unique id of the library item to construct the embeddable. type: string title: description: The title of the panel type: string version: description: The version of the embeddable in the panel. type: string panelIndex: type: string panelRefName: type: string title: description: The title of the panel type: string type: description: The embeddable type type: string version: deprecated: true description: The version was used to store Kibana version information from versions 7.3.0 -> 8.11.0. As of version 8.11.0, the versioning information is now per-embeddable-type and is stored on the embeddable's input. (panelConfig in this type). type: string required: - panelConfig - type - gridData - panelIndex type: array refreshInterval: additionalProperties: false description: A container for various refresh interval settings type: object properties: display: deprecated: true description: A human-readable string indicating the refresh frequency. No longer used. 
type: string pause: description: Whether the refresh interval is set to be paused while viewing the dashboard. type: boolean section: deprecated: true description: No longer used. type: number value: description: A numeric value indicating refresh frequency in milliseconds. type: number required: - pause - value timeFrom: description: An ISO string indicating when to restore time from type: string timeRestore: default: false description: Whether to restore time upon viewing this dashboard type: boolean timeTo: description: An ISO string indicating when to restore time from type: string title: description: A human-readable title for the dashboard type: string version: deprecated: true type: number required: - title - options createdAt: type: string createdBy: type: string error: additionalProperties: false type: object properties: error: type: string message: type: string metadata: additionalProperties: true type: object properties: {} statusCode: type: number required: - error - message - statusCode id: type: string managed: type: boolean namespaces: items: type: string type: array originId: type: string references: items: additionalProperties: false type: object properties: id: type: string name: type: string type: type: string required: - name - type - id type: array type: type: string updatedAt: type: string updatedBy: type: string version: type: string required: - id - type - attributes - references required: - item summary: Update an existing dashboard tags: - Dashboards x-state: Technical Preview /api/data_views: get: operationId: getAllDataViewsDefault responses: '200': content: application/json: examples: getAllDataViewsResponse: $ref: '#/components/examples/Data_views_get_data_views_response' schema: type: object properties: data_view: items: type: object properties: id: type: string name: type: string namespaces: items: type: string type: array title: type: string typeMeta: type: object type: array description: Indicates a successful call. 
'400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Get all data views tags: - data views /api/data_views/data_view: post: operationId: createDataViewDefaultw parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: createDataViewRequest: $ref: '#/components/examples/Data_views_create_data_view_request' schema: $ref: '#/components/schemas/Data_views_create_data_view_request_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Create a data view tags: - data views /api/data_views/data_view/{viewId}: delete: description: | WARNING: When you delete a data view, it cannot be recovered. operationId: deleteDataViewDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' responses: '204': description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Delete a data view tags: - data views get: operationId: getDataViewDefault parameters: - $ref: '#/components/parameters/Data_views_view_id' responses: '200': content: application/json: examples: getDataViewResponse: $ref: '#/components/examples/Data_views_get_data_view_response' schema: $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. 
summary: Get a data view tags: - data views post: operationId: updateDataViewDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: updateDataViewRequest: $ref: '#/components/examples/Data_views_update_data_view_request' schema: $ref: '#/components/schemas/Data_views_update_data_view_request_object' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Update a data view tags: - data views /api/data_views/data_view/{viewId}/fields: post: description: | Update fields presentation metadata such as count, customLabel, customDescription, and format. operationId: updateFieldsMetadataDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: updateFieldsMetadataRequest: $ref: '#/components/examples/Data_views_update_field_metadata_request' schema: type: object properties: fields: description: The field object. type: object required: - fields required: true responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean description: Indicates a successful call. 
'400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Update data view fields metadata tags: - data views /api/data_views/data_view/{viewId}/runtime_field: post: operationId: createRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: createRuntimeFieldRequest: $ref: '#/components/examples/Data_views_create_runtime_field_request' schema: type: object properties: name: description: | The name for a runtime field. type: string runtimeField: description: | The runtime field definition object. type: object required: - name - runtimeField required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. summary: Create a runtime field tags: - data views put: operationId: createUpdateRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - description: | The ID of the data view fields you want to update. in: path name: viewId required: true schema: type: string requestBody: content: application/json: examples: updateRuntimeFieldRequest: $ref: '#/components/examples/Data_views_create_runtime_field_request' schema: type: object properties: name: description: | The name for a runtime field. type: string runtimeField: description: | The runtime field definition object. type: object required: - name - runtimeField required: true responses: '200': content: application/json: schema: type: object properties: data_view: type: object fields: items: type: object type: array description: Indicates a successful call. 
'400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Create or update a runtime field tags: - data views /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: delete: operationId: deleteRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_field_name' - $ref: '#/components/parameters/Data_views_view_id' responses: '200': description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Delete a runtime field from a data view tags: - data views get: operationId: getRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_field_name' - $ref: '#/components/parameters/Data_views_view_id' responses: '200': content: application/json: examples: getRuntimeFieldResponse: $ref: '#/components/examples/Data_views_get_runtime_field_response' schema: type: object properties: data_view: type: object fields: items: type: object type: array description: Indicates a successful call. '404': content: application/json: schema: $ref: '#/components/schemas/Data_views_404_response' description: Object is not found. summary: Get a runtime field tags: - data views post: operationId: updateRuntimeFieldDefault parameters: - $ref: '#/components/parameters/Data_views_field_name' - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: application/json: examples: updateRuntimeFieldRequest: $ref: '#/components/examples/Data_views_update_runtime_field_request' schema: type: object properties: runtimeField: description: | The runtime field definition object. You can update the following fields: - `type` - `script` type: object required: - runtimeField required: true responses: '200': description: Indicates a successful call.
'400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Update a runtime field tags: - data views /api/data_views/default: get: operationId: getDefaultDataViewDefault responses: '200': content: application/json: examples: getDefaultDataViewResponse: $ref: '#/components/examples/Data_views_get_default_data_view_response' schema: type: object properties: data_view_id: type: string description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Get the default data view tags: - data views post: operationId: setDefaultDatailViewDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: setDefaultDataViewRequest: $ref: '#/components/examples/Data_views_set_default_data_view_request' schema: type: object properties: data_view_id: description: | The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view. nullable: true type: string force: default: false description: Update an existing default data view identifier. type: boolean required: - data_view_id required: true responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Data_views_400_response' description: Bad request summary: Set the default data view tags: - data views /api/data_views/swap_references: post: description: | Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended. 
operationId: swapDataViewsDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: swapDataViewRequest: $ref: '#/components/examples/Data_views_swap_data_view_request' schema: $ref: '#/components/schemas/Data_views_swap_data_view_request_object' required: true responses: '200': content: application/json: schema: type: object properties: deleteStatus: type: object properties: deletePerformed: type: boolean remainingRefs: type: integer result: items: type: object properties: id: description: A saved object identifier. type: string type: description: The saved object type. type: string type: array description: Indicates a successful call. summary: Swap saved object references tags: - data views /api/data_views/swap_references/_preview: post: description: | Preview the impact of swapping saved object references from one data view identifier to another. operationId: previewSwapDataViewsDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: application/json: examples: previewSwapDataViewRequest: $ref: '#/components/examples/Data_views_preview_swap_data_view_request' schema: $ref: '#/components/schemas/Data_views_swap_data_view_request_object' required: true responses: '200': content: application/json: schema: type: object properties: result: items: type: object properties: id: description: A saved object identifier. type: string type: description: The saved object type. type: string type: array description: Indicates a successful call. 
summary: Preview a saved object reference swap tags: - data views /api/detection_engine/index: delete: operationId: DeleteAlertsIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: schema: type: string description: Index does not exist response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Delete an alerts index tags: - Security Detections API get: operationId: ReadAlertsIndex responses: '200': content: application/json: examples: success: value: index_mapping_outdated: false name: .alerts-security.alerts-default schema: type: object properties: index_mapping_outdated: nullable: true type: boolean name: type: string required: - name - index_mapping_outdated description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Reads the alert index name if it exists tags: - Security Detections API post: 
operationId: CreateAlertsIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not enough permissions response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Create an alerts index tags: - Security Detections API /api/detection_engine/privileges: get: description: | Retrieves whether or not the user is authenticated, and the user's Kibana space and index privileges, which determine if the user can create an index for the Elastic Security alerts generated by detection engine rules. 
operationId: ReadPrivileges responses: '200': content: application/json: examples: success: value: application: {} cluster: all: true manage: true manage_api_key: true manage_index_templates: true manage_ml: true manage_own_api_key: true manage_pipeline: true manage_security: true manage_transform: true monitor: true monitor_ml: true monitor_transform: true has_all_requested: true has_encryption_key: true index: .alerts-security.alerts-default: all: true create: true create_doc: true create_index: true delete: true delete_index: true index: true maintenance: true manage: true monitor: true read: true view_index_metadata: true write: true is_authenticated: true username: elastic schema: type: object properties: has_encryption_key: type: boolean is_authenticated: type: boolean required: - is_authenticated - has_encryption_key description: Successful response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Returns user privileges for the Kibana space tags: - Security Detections API /api/detection_engine/rules: delete: description: | Delete a detection rule using the `rule_id` or `id` field. The URL query must include one of the following: * `id` - `DELETE /api/detection_engine/rules?id=<id>` * `rule_id` - `DELETE /api/detection_engine/rules?rule_id=<rule_id>` The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. operationId: DeleteRule parameters: - description: The rule's `id` value. 
in: query name: id required: false schema: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - description: The rule's `rule_id` value. in: query name: rule_id required: false schema: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Delete a detection rule tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl \ --request DELETE "https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee" \ --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" get: description: | Retrieve a detection rule using the `rule_id` or `id` field. The URL query must include one of the following: * `id` - `GET /api/detection_engine/rules?id=<id>` * `rule_id` - `GET /api/detection_engine/rules?rule_id=<rule_id>` The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. operationId: ReadRule parameters: - description: The rule's `id` value. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - description: The rule's `rule_id` value. 
in: query name: rule_id required: false schema: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' responses: '200': content: application/json: examples: example1: summary: Example response for a retrieved rule value: created_at: '2020-02-03T11:19:04.259Z' created_by: elastic description: Process started by MS Office program in user folder enabled: false execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: [] filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-4200s id: c41d170b-8ba6-4de6-b8ec-76440a35ace3 immutable: false interval: 1h language: kuery max_signals: 100 name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: process.name type: keyword - ecs: true name: process.parent.name type: keyword risk_score: 21 rule_id: process_started_by_ms_office_user_folder setup: '' severity: low tags: - child process - ms office threat: - framework: MITRE ATT&CK tactic: id: TA0001 name: Initial Access reference: https://attack.mitre.org/tactics/TA0001 technique: - id: T1193 name: Spearphishing Attachment reference: https://attack.mitre.org/techniques/T1193 to: now-300s type: query updated_at: '2020-02-03T11:19:04.462Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: | Indicates a successful call. 
> info > These fields are under development and their usage or schema may change: execution_summary. summary: Retrieve a detection rule tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl \ --request GET "https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee" \ --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31" patch: description: | Update specific fields of an existing detection rule using the `rule_id` or `id` field. The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. 
operationId: PatchRule requestBody: content: application/json: examples: example1: summary: Patch query rule value: id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 name: New name example2: summary: Patch EQL rule value: rule_id: process_started_by_ms_office_program_possible_payload threat: - framework: MITRE ATT&CK tactic: id: TA0001 name: Initial Access reference: https://attack.mitre.org/tactics/TA0001 technique: - id: T1193 name: Spearphishing Attachment reference: https://attack.mitre.org/techniques/T1193 example3: summary: Patch threshold rule value: id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' threshold: cardinality: [] field: [] value: 600 example4: summary: Patch new terms rule value: history_window_start: now-3d id: 569aac91-40dc-4807-a8ae-a2c8698089c4 new_terms_fields: - Endpoint.policy.applied.artifacts.global.identifiers.name example5: summary: Patch esql rule value: id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd query: | FROM logs-abc* | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) | KEEP event_rate example6: summary: Patch indicator match rule value: id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"false"' example7: summary: Patch machine learning rule value: anomaly_threshold: 50 id: 60b13926-289b-41b1-a537-197ef1fa5059 machine_learning_job_id: - auth_high_count_logon_events schema: $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' description: | > info > You cannot modify the `id` or `rule_id` values. required: true responses: '200': content: application/json: examples: example1: summary: Example response for an updated rule value: actions: [] created_at: '2020-04-07T14:51:09.755Z' created_by: elastic description: Updated description for the rule. 
enabled: false false_positives: [] filters: - query: null from: now-70m id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 immutable: false interval: 1h language: kuery max_signals: 100 name: Updated Rule Name query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 required_fields: - name: process.parent.name risk_score: 50 rule_id: process_started_by_ms_office_program setup: '' severity: low tags: - child process - ms office threat: [] to: now type: query updated_at: '2020-04-07T14:51:09.970Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Patch a detection rule tags: - Security Detections API post: description: | Create a new detection rule. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. You can create the following types of rules: * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query. * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query. * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. 
When there are multiple values that meet the threshold, an alert is generated for each value. For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information. * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html). * **New terms**: Generates an alert for each new term detected in source documents within a specified time range. * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results. * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold. > info > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running. To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules: ```json ... 
"job_id": "linux_anomalous_network_activity_ecs", "job_type": "anomaly_detector", "job_version": "7.7.0", "groups": [ "auditbeat", "process", "siem" ], ... ``` Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html). Each action type requires a connector. Connectors store the information required to send notifications via external systems. The following connector types are supported for rule notifications: * Slack * Email * PagerDuty * Webhook * Microsoft Teams * IBM Resilient * Jira * ServiceNow ITSM > info > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/). To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/guide/en/kibana/current/saved-objects-api-find.html) with `"type": "action"` in the request payload. 
For detailed information on Kibana actions and alerting, and additional API calls, see: * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting) * [Alerting and Actions framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html) * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors) operationId: CreateRule requestBody: content: application/json: examples: example1: description: Query rule that searches for processes started by MS Office summary: Query rule value: description: Process started by MS Office program - possible payload enabled: false filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-70m interval: 1h language: kuery name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE related_integrations: - package: o365 version: ^2.3.2 required_fields: - name: process.parent.name type: keyword risk_score: 50 rule_id: process_started_by_ms_office_program severity: low tags: - child process - ms office type: query example2: description: Threshold rule that detects multiple failed login attempts to a Windows host from the same external source IP address summary: Threshold rule value: description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. 
enabled: true exceptions_list: - id: int-ips namespace_type: single type: detection from: now-180s index: - winlogbeat-* interval: 2m name: Windows server prml-19 query: host.name:prml-19 and event.category:authentication and event.outcome:failure required_fields: - name: source.ip type: ip risk_score: 30 rule_id: liv-win-ser-logins severity: low severity_mapping: - field: source.geo.city_name operator: equals severity: low value: Manchester - field: source.geo.city_name operator: equals severity: medium value: London - field: source.geo.city_name operator: equals severity: high value: Birmingham - field: source.geo.city_name operator: equals severity: critical value: Wallingford tags: - Brute force threshold: field: source.ip value: 20 type: threshold example3: description: Machine learning rule that creates alerts, and sends Slack notifications, when the linux_anomalous_network_activity_ecs machine learning job discovers anomalies with a threshold of 70 or above. summary: Machine learning rule value: actions: - action_type_id: .slack group: default id: 5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 params: message: 'Urgent: {{context.rule.description}}' anomaly_threshold: 70 description: Generates alerts when the job discovers anomalies over 70 enabled: true from: now-6m interval: 5m machine_learning_job_id: linux_anomalous_network_activity_ecs name: Anomalous Linux network activity note: Shut down the internet. risk_score: 70 rule_id: ml_linux_network_high_threshold setup: This rule requires data coming in from Elastic Defend. 
severity: high tags: - machine learning - Linux type: machine_learning example4: description: Event correlation rule that creates alerts when the Windows rundll32.exe process makes unusual network connections summary: EQL rule value: description: Unusual rundll32.exe network connection language: eql name: rundll32.exe network connection query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] required_fields: - name: event.type type: keyword - name: process.args type: keyword - name: process.args_count type: long - name: process.entity_id type: keyword - name: process.name type: keyword - name: process.pe.original_file_name type: keyword risk_score: 21 rule_id: eql-outbound-rundll32-connections severity: low tags: - EQL - Windows - rundll32.exe type: eql example5: description: | Indicator match rule that creates an alert when one of the following is true: The event's destination IP address and port number matches destination IP and port values in the threat_index index; The event's source IP address matches a host IP address value in the threat_index index. 
summary: Indicator match rule value: actions: [] description: Checks for bad IP addresses listed in the ip-threat-list index index: - packetbeat-* name: Bad IP threat match query: destination.ip:* or host.ip:* required_fields: - name: destination.ip type: ip - name: destination.port type: long - name: host.ip type: ip risk_score: 50 severity: medium threat_index: - ip-threat-list threat_mapping: - entries: - field: destination.ip type: mapping value: destination.ip - field: destination.port type: mapping value: destination.port - entries: - field: source.ip type: mapping value: host.ip threat_query: '*:*' type: threat_match example6: description: New terms rule that creates alerts when a new IP address is detected for a user summary: New terms rule value: description: Detects a user associated with a new IP address history_window_start: now-30d index: - auditbeat* language: kuery name: New User IP Detected new_terms_fields: - user.id - source.ip query: '*' required_fields: - name: user.id type: keyword - name: source.ip type: ip risk_score: 21 severity: medium type: new_terms example7: description: ES|QL rule that creates alerts from events that match an Excel parent process summary: Esql rule value: description: Find Excel events enabled: false from: now-360s interval: 5m language: esql name: Find Excel events query: from auditbeat-8.10.2 METADATA _id, _version, _index | where process.parent.name == "EXCEL.EXE" required_fields: - name: process.parent.name type: keyword risk_score: 21 severity: low tags: [] to: now type: esql example8: description: Query rule that searches for processes started by MS Office and suppresses alerts by the process.parent.name field within a 5-hour time period summary: Query rule 2 value: alert_suppression: duration: unit: h value: 5 group_by: - process.parent.name missing_fields_strategy: suppress description: Process started by MS Office program - possible payload enabled: false filters: - query: match: event.action: query: 'Process Create 
(rule: ProcessCreate)' type: phrase from: now-70m interval: 1h language: kuery name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE risk_score: 50 rule_id: process_started_by_ms_office_program severity: low tags: - child process - ms office type: query schema: $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' required: true responses: '200': content: application/json: examples: example1: description: Example response for a query rule summary: Query rule response value: actions: [] created_at: '2020-04-07T14:51:09.755Z' created_by: elastic description: Process started by MS Office program - possible payload enabled: false false_positives: [] filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-70m id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 immutable: false interval: 1h language: kuery max_signals: 100 name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 version: ^2.3.2 - integration: graphactivitylogs package: azure version: ^1.11.4 required_fields: - ecs: true name: process.parent.name type: keyword risk_score: 50 rule_id: process_started_by_ms_office_program setup: '' severity: low tags: - child process - ms office threat: [] to: now type: query updated_at: '2020-04-07T14:51:09.970Z' updated_by: elastic version: 1 example2: description: Example response for a machine learning job rule summary: Machine learning response value: actions: - action_type_id: .slack frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 
5ad22cd5-5e6e-4c6c-a81a-54b626a4cec5 params: message: 'Urgent: {{context.rule.description}}' anomaly_threshold: 70 created_at: '2020-04-07T14:45:15.679Z' created_by: elastic description: Generates alerts when the job discovers anomalies over 70 enabled: true false_positives: [] from: now-6m id: 83876f66-3a57-4a99-bf37-416494c80f3b immutable: false interval: 5m machine_learning_job_id: linux_anomalous_network_activity_ecs max_signals: 100 name: Anomalous Linux network activity note: Shut down the internet. references: [] related_integrations: [] required_fields: [] risk_score: 70 rule_id: ml_linux_network_high_threshold setup: '' severity: high status: going to run status_date: '2020-04-07T14:45:21.685Z' tags: - machine learning - Linux threat: [] to: now type: machine_learning updated_at: '2020-04-07T14:45:15.892Z' updated_by: elastic version: 1 example3: description: Example response for a threshold rule summary: Threshold rule response value: actions: [] author: [] created_at: '2020-07-22T10:27:23.486Z' created_by: elastic description: Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame. 
enabled: true exceptions_list: - id: int-ips namespace_type: single type: detection false_positives: [] from: now-180s id: 15dbde26-b627-4d74-bb1f-a5e0ed9e4993 immutable: false index: - winlogbeat-* interval: 2m language: kuery max_signals: 100 name: Windows server prml-19 query: host.name:prml-19 and event.category:authentication and event.outcome:failure references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: source.ip type: ip risk_score: 30 risk_score_mapping: [] rule_id: liv-win-ser-logins setup: '' severity: low severity_mapping: - field: source.geo.city_name operator: equals severity: low value: Manchester - field: source.geo.city_name operator: equals severity: medium value: London - field: source.geo.city_name operator: equals severity: high value: Birmingham - field: source.geo.city_name operator: equals severity: critical value: Wallingford tags: - Brute force threat: [] threshold: field: source.ip value: 20 to: now type: threshold updated_at: '2020-07-22T10:27:23.673Z' updated_by: elastic version: 1 example4: description: Example response for an EQL rule summary: EQL rule response value: author: [] created_at: '2020-10-05T09:06:16.392Z' created_by: elastic description: Unusual rundll32.exe network connection enabled: true exceptions_list: [] false_positives: [] from: now-6m id: 93808cae-b05b-4dc9-8479-73574b50f8b1 immutable: false interval: 5m language: eql max_signals: 100 name: rundll32.exe network connection query: sequence by process.entity_id with maxspan=2h [process where event.type in ("start", "process_started") and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe") and ((process.args == "rundll32.exe" and process.args_count == 1) or (process.args != "rundll32.exe" and process.args_count == 0))] [network where event.type == "connection" and (process.name == "rundll32.exe" or process.pe.original_file_name == "rundll32.exe")] references: [] related_integrations: - 
package: o365 version: ^2.3.2 required_fields: - ecs: true name: event.type type: keyword - ecs: true name: process.args type: keyword - ecs: true name: process.args_count type: long - ecs: true name: process.entity_id type: keyword - ecs: true name: process.name type: keyword - ecs: true name: process.pe.original_file_name type: keyword risk_score: 21 risk_score_mapping: [] rule_id: eql-outbound-rundll32-connections setup: '' severity: low severity_mapping: [] tags: - EQL - Windows - rundll32.exe threat: [] throttle: no_actions to: now type: eql updated_at: '2020-10-05T09:06:16.403Z' updated_by: elastic version: 1 example5: description: Example response for an indicator match rule summary: Indicator match rule response value: author: [] created_at: '2020-10-06T07:07:58.227Z' created_by: elastic description: Checks for bad IP addresses listed in the ip-threat-list index enabled: true exceptions_list: [] false_positives: [] from: now-6m id: d5daa13f-81fb-4b13-be2f-31011e1d9ae1 immutable: false index: - packetbeat-* interval: 5m language: kuery max_signals: 100 name: Bad IP threat match query: destination.ip:* or host.ip:* references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: destination.ip type: ip - ecs: true name: destination.port type: long - ecs: true name: host.ip type: ip risk_score: 50 risk_score_mapping: [] rule_id: 608501e4-c768-4f64-9326-cec55b5d439b setup: '' severity: medium severity_mapping: [] tags: [] threat: [] threat_index: - ip-threat-list threat_mapping: - entries: - field: destination.ip type: mapping value: destination.ip - field: destination.port type: mapping value: destination.port - entries: - field: source.ip type: mapping value: host.ip threat_query: '*:*' to: now type: threat_match updated_at: '2020-10-06T07:07:58.237Z' updated_by: elastic version: 1 example6: description: Example response for a new terms rule summary: New terms rule response value: author: [] created_at: 
'2020-10-06T07:07:58.227Z' created_by: elastic description: Detects a user associated with a new IP address enabled: true exceptions_list: [] false_positives: [] from: now-6m history_window_start: now-30d id: eb7225c0-566b-11ee-8b4f-bbf3afdeb9f4 immutable: false index: - auditbeat* interval: 5m language: kuery max_signals: 100 name: New User IP Detected new_terms_fields: - user.id - source.ip query: '*' references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: user.id type: keyword - ecs: true name: source.ip type: ip risk_score: 21 risk_score_mapping: [] rule_id: c6f5d0bc-7be9-47d4-b2f3-073d22641e30 setup: '' severity: medium severity_mapping: [] tags: [] threat: [] to: now type: new_terms updated_at: '2020-10-06T07:07:58.237Z' updated_by: elastic version: 1 example7: description: Example response for an Esql rule summary: Esql rule response value: actions: [] author: [] created_at: '2023-10-18T10:55:14.269Z' created_by: elastic description: Find Excel events enabled: false exceptions_list: [] false_positives: [] from: now-360s id: d0f20490-6da4-11ee-b85e-09e9b661f2e2 immutable: false interval: 5m language: esql max_signals: 100 name: Find Excel events output_index: '' query: from auditbeat-8.10.2 METADATA _id | where process.parent.name == "EXCEL.EXE" references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: process.parent.name type: keyword revision: 0 risk_score: 21 risk_score_mapping: [] rule_id: e4b53a89-debd-4a0d-a3e3-20606952e589 setup: '' severity: low severity_mapping: [] tags: [] threat: [] to: now type: esql updated_at: '2023-10-18T10:55:14.269Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Create a detection rule tags: - Security Detections API put: description: | Update a detection rule using the `rule_id` or `id` field. 
The original rule is replaced, and all unspecified fields are deleted. The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. operationId: UpdateRule requestBody: content: application/json: examples: example1: summary: Update query rule value: description: A new description id: 14b7b513-3d8d-4b22-b7da-a7ae632f7e76 name: A new name for the rule risk_score: 22 severity: medium type: query example2: summary: Update EQL rule value: description: eql rule test id: 9b684efb-acf9-4323-9bff-8335b3867d14 index: - apm-*-transaction* language: eql name: New name for EQL rule query: process where process.name == "regsvr32.exe" risk_score: 21 severity: low type: eql example3: summary: Update threshold rule value: description: Description of threat rule test id: 005d2c4f-51ca-493d-a2bd-20ef076339b1 language: kuery name: New name for threat rule query: 'agent.version : * and agent.id : "243d9b4f-ca01-4311-8e5c-9abbee91afd8"' risk_score: 21 severity: low tags: - new_tag threshold: cardinality: [] field: [] value: 400 type: threshold example4: summary: Update new terms rule value: description: New description history_window_start: now-7d id: 569aac91-40dc-4807-a8ae-a2c8698089c4 interval: 5m name: New terms rule name new_terms_fields: - Endpoint.policy.applied.artifacts.global.identifiers.name query: 'agent.version : "9.1.0"' risk_score: 21 severity: low type: new_terms example5: 
summary: Update esql rule value: description: New description for esql rule id: 0b15e8a2-49b6-47e0-a8e6-d63a6cc335bd language: esql name: New name for esql rule query: | FROM logs* | STATS count = COUNT(*), min_timestamp = MIN(@timestamp) /* MIN(dateField) finds the earliest timestamp in the dataset. */ | EVAL event_rate = count / DATE_DIFF("seconds", min_timestamp, NOW()) /* Calculates the event rate by dividing the total count of events by the time difference (in seconds) between the earliest event and the current time. */ | KEEP event_rate risk_score: 21 severity: low type: esql example6: summary: Update indicator match rule value: description: New description id: 462f1986-10fe-40a3-a22c-2b1c9c4c48fd name: New name for Indicator Match rule query: source.ip:* or destination.ip:*\n risk_score: 99 severity: critical threat_index: - filebeat-* - logs-ti_* threat_mapping: - entries: - field: source.ip type: mapping value: threat.indicator.ip - entries: - field: destination.ip type: mapping value: threat.indicator.ip threat_query: '@timestamp >= "now-30d/d" and event.module:(threatintel or ti_*) and threat.indicator.ip:* and not labels.is_ioc_transform_source:"true"' type: threat_match example7: summary: Update machine learning rule value: anomaly_threshold: 50 description: New description of ml rule id: 60b13926-289b-41b1-a537-197ef1fa5059 machine_learning_job_id: - auth_high_count_logon_events name: New name of ml rule risk_score: 21 severity: low type: machine_learning schema: $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' description: | > info > All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. required: true responses: '200': content: application/json: examples: example1: summary: Example response for an updated rule value: actions: [] created_at: '2020-04-07T14:51:09.755Z' created_by: elastic description: Updated description for the rule. 
enabled: false false_positives: [] filters: - query: null from: now-70m id: 6541b99a-dee9-4f6d-a86d-dbd1869d73b1 immutable: false interval: 1h language: kuery max_signals: 100 name: Updated Rule Name query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE references: [] related_integrations: - package: o365 required_fields: - name: process.parent.name risk_score: 50 rule_id: process_started_by_ms_office_program setup: '' severity: low tags: - child process - ms office threat: [] to: now type: query updated_at: '2020-04-07T14:51:09.970Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' description: Indicates a successful call. summary: Update a detection rule tags: - Security Detections API /api/detection_engine/rules/_bulk_action: post: description: | Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs. The edit action allows you to add, delete, or set tags, index patterns, investigation fields, rule actions and schedules for multiple rules at once. The edit action is idempotent, meaning that if you add a tag to a rule that already has that tag, no changes are made. The same is true for other edit actions; for example, removing an index pattern that is not specified in a rule will not result in any changes. The only exceptions are the `add_rule_actions` and `set_rule_actions` actions, which are non-idempotent. This means that if you add or set a rule action to a rule that already has that action, a new action is created with a new unique ID. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. 
If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. operationId: PerformRulesBulkAction parameters: - description: | Enables dry run mode for the request call. Enable dry run mode to verify that bulk actions can be applied to specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. To enable dry run mode on a request, add the query parameter `dry_run=true` to the end of the request URL. Rules specified in the request will be temporarily updated. These updates won’t be written to Elasticsearch. > info > Dry run mode is not supported for the `export` bulk action. A 400 error will be returned in the request response. in: query name: dry_run required: false schema: type: boolean requestBody: content: application/json: examples: example01: description: The following request activates all rules with the test tag. summary: Enable - Enable all rules with the test tag value: action: enable query: 'alert.attributes.tags: "test"' example02: description: The following request enables the rule with the specified ID. summary: Enable - Enable a specific rule by ID. value: action: enable ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example03: description: The following request disables the rule with the specified ID. summary: Disable - Disable a specific rule by ID value: action: disable ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example04: description: The following request duplicates rules with the specified IDs, including exceptions but not expired exceptions. 
summary: Duplicate - Duplicate rules with specific IDs value: action: duplicate duplicate: include_exceptions: true include_expired_exceptions: false ids: - 748694f0-6977-4ea5-8384-cd2e39730779 - 461a4c22-416e-4009-a9a7-cf79656454bf example05: description: The following request deletes the rule with the specified ID. summary: Delete - Delete a specific rule by ID value: action: delete ids: - cf4abfd1-7c37-4519-ab0f-5ea5c75fac60 example06: description: The following request runs the rule with the specified ID within the given date range. summary: Run - Run a specific rule by ID value: action: run ids: - 748694f0-6977-4ea5-8384-cd2e39730779 run: end_date: '2025-03-10T23:59:59.999Z' start_date: '2025-03-01T00:00:00.000Z' example07: description: The following request exports the rules with the specified IDs. summary: Export - Export specific rules by ID value: action: export ids: - 748694f0-6977-4ea5-8384-cd2e39730779 example08: description: The following request will validate that the add_index_patterns bulk action can be successfully applied to three rules. The dry_run parameter is specified in query parameters, e.g. POST api/detection_engine/rules/_bulk_action?dry_run=true summary: Edit - dry run - Validate add_index_patterns bulk action value: action: edit edit: - type: add_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a - de8f5af0-0831-11ed-ac8b-05a222bd8d4a example09: description: The following request adds the tag "tag-1" to the rules with the specified IDs. If the tag already exists for a rule, no changes are made. summary: Edit - Add a tag to rules (idempotent) value: action: edit edit: - type: add_tags value: - tag-1 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example10: description: The following request adds two tags at the same time, tag-1 and tag-2, to the rules that have the IDs sent in the payload. 
If the tags already exist for a rule, no changes are made. summary: Edit - Add two tags to rules (idempotent) value: action: edit edit: - type: add_tags value: - tag-1 - tag-2 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example11: description: The following request removes the tag "tag-1" from the rules with the specified IDs. If the tag does not exist for a rule, no changes are made. summary: Edit - Delete a tag from rules (idempotent) value: action: edit edit: - type: delete_tags value: - tag-1 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example12: description: The following request sets the tags "tag-1" and "tag-2" for the rules with the specified IDs, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. summary: Edit - Set (overwrite existing) tags for rules (idempotent) value: action: edit edit: - type: set_tags value: - tag-1 - tag-2 ids: - 8bc7dad0-9320-11ec-9265-8b772383a08d - 8e5c1a40-9320-11ec-9265-8b772383a08d example13: description: The following request adds the index pattern "test-*" to the rules with the specified IDs. If the index pattern already exists for a rule, no changes are made. summary: Edit - Add index patterns to rules (idempotent) value: action: edit edit: - type: add_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a example14: description: The following request removes the index pattern "test-*" from the rules with the specified IDs. If the index pattern does not exist for a rule, no changes are made. 
summary: Edit - Remove index patterns from rules (idempotent) value: action: edit edit: - type: delete_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a example15: description: The following request sets the index patterns "test-*" and "prod-*" for the rules with the specified IDs, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. summary: Edit - Set (overwrite existing) index patterns for rules (idempotent) value: action: edit edit: - type: set_index_patterns value: - test-* ids: - 81aa0480-06af-11ed-94fb-dd1a0597d8d2 - dc015d10-0831-11ed-ac8b-05a222bd8d4a example16: description: The following request adds an investigation field to the rules with the specified IDs. summary: Edit - Add investigation field to rules value: action: edit edit: - type: add_investigation_fields value: field_names: - alert.status ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example17: description: The following request deletes investigation fields from the rules with the specified IDs. If the field does not exist for a rule, no changes are made. summary: Edit - Delete investigation fields from rules (idempotent) value: action: edit edit: - type: delete_investigation_fields ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba value: - field1 - field2 example18: description: The following request sets investigation fields for the rules with the specified IDs, overwriting any existing investigation fields. If the set of investigation fields is the same as the existing investigation fields, no changes are made. 
summary: Edit - Set (overwrite existing) investigation fields for rules (idempotent) value: action: edit edit: - type: set_investigation_fields value: - field1 - field2 ids: - 12345678-1234-1234-1234-1234567890ab - 87654321-4321-4321-4321-0987654321ba example19: description: The following request sets a timeline template for the rules with the specified IDs. If the same timeline template is already set for a rule, no changes are made. summary: Edit - Set (overwrite existing) timeline template for rules (idempotent) value: action: edit edit: - type: set_timeline value: timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline ids: - eacdfc95-e007-41c9-986e-4b2cbdfdc71b example20: description: The following request sets a schedule for the rules with the specified IDs. If the same schedule is already set for a rule, no changes are made. summary: Edit - Set (overwrite existing) schedule for rules (idempotent) value: action: edit edit: - type: set_schedule value: interval: 1h lookback: 30m ids: - 99887766-5544-3322-1100-aabbccddeeff example21: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules (non-idempotent) value: action: edit edit: - type: add_rule_actions value: actions: - group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: The message body ids: - 9e946bfc-3118-4c77-bb25-67d781191928 example22: description: The following request sets rule actions for the rules with the specified IDs. Each action receives its own unique ID. 
summary: Edit - Set (overwrite existing) rule actions for rules (non-idempotent) value: action: edit edit: - type: set_rule_actions value: actions: - group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: The message body ids: - 9e946bfc-3118-4c77-bb25-67d781191928 example23: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for a webhook connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: The message body ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example24: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for an email connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: message: The message body subject: Subject to: address@domain.com ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example25: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. summary: Edit - Add rule actions to rules for a slack connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: message: The content of the message ids: - 9e946bfc-3118-4c77-bb25-67d781191921 example26: description: The following request adds rule actions to the rules with the specified IDs. Each new action receives its own unique ID. 
summary: Edit - Add rule actions to rules for a PagerDuty connector value: action: edit edit: - type: add_rule_actions value: actions: - group: default3 id: 20fbf986-a270-460e-80f3-7b83c08b430f params: eventAction: trigger severity: critical summary: The message body timestamp: '2023-10-31T00:00:00.000Z' ids: - 9e946bfc-3118-4c77-bb25-67d781191921 schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules' - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules' - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun' - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' responses: '200': content: application/json: examples: example01: description: In this response one rule was updated and one was skipped. Objects returned in attributes.results.skipped will only include rules' id, name, and skip_reason. summary: Successful response value: attributes: results: created: [] deleted: [] skipped: - id: 51658332-a15e-4c9e-912a-67214e2e2359 name: Skipped rule skip_reason: RULE_NOT_MODIFIED updated: - anomaly_threshold: 50 author: - Elastic created_at: '2022-02-21T14:14:13.801Z' created_by: elastic description: A machine learning job detected unusually large numbers of DNS queries for a single top-level DNS domain, which is often used for DNS tunneling. DNS tunneling can be used for command-and-control, persistence, or data exfiltration activity. For example, dnscat tends to generate many DNS questions for a top-level domain as it uses the DNS protocol to tunnel data. 
enabled: true exceptions_list: [] execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: - DNS domains that use large numbers of child domains, such as software or content distribution networks, can trigger this alert and such parent domains can be excluded. from: now-45m id: 8bc7dad0-9320-11ec-9265-8b772383a08d immutable: false interval: 15m license: Elastic License v2 machine_learning_job_id: - packetbeat_dns_tunneling max_signals: 100 name: DNS Tunneling [Duplicate] references: - https://www.elastic.co/guide/en/security/current/prebuilt-ml-jobs.html related_integrations: [] required_fields: [] risk_score: 21 risk_score_mapping: [] rule_id: 7289bf08-4e91-4c70-bf01-e04c4c5d7756 setup: '' severity: low severity_mapping: [] tags: - Elastic - Network - Threat Detection - ML threat: [] to: now type: machine_learning updated_at: '2022-02-21T17:05:50.883Z' updated_by: elastic version: 6 summary: failed: 0 skipped: 1 succeeded: 1 total: 2 rules_count: 1 success: true example02: description: If processing of any rule fails, a partial error outputs the ID and/or name of the affected rule and the corresponding error, as well as successfully processed rules (in the same format as a successful 200 request). summary: Partial failure value: value: attributes: errors: - message: Index patterns can't be added. 
Machine learning rule doesn't have index patterns property rules: - id: 8bc7dad0-9320-11ec-9265-8b772383a08d name: DNS Tunneling [Duplicate] status_code: 500 results: created: [] deleted: [] skipped: [] updated: - actions: [] author: - Elastic created_at: '2022-02-21T14:14:17.883Z' created_by: elastic description: Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app. enabled: true exceptions_list: [] execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: [] from: now-6m id: 8e5c1a40-9320-11ec-9265-8b772383a08d immutable: false index: - apm-*-transaction* - traces-apm* - auditbeat-* - filebeat-* - logs-* - packetbeat-* - winlogbeat-* - added-by-id-* interval: 5m language: kuery license: Elastic License v2 max_signals: 10000 name: External Alerts [Duplicate] query: | event.kind:alert and not event.module:(endgame or endpoint) references: [] related_integrations: [] required_fields: [] risk_score: 47 risk_score_mapping: - field: event.risk_score operator: equals value: '' rule_id: 941faf98-0cdc-4569-b16d-4af962914d61 rule_name_override: message setup: '' severity: medium severity_mapping: - field: event.severity operator: equals severity: low value: '21' - field: event.severity operator: equals severity: medium value: '47' - field: event.severity operator: equals severity: high value: '73' - field: event.severity operator: equals severity: critical value: '99' tags: - Elastic - Network - Windows - APM - macOS - Linux threat: [] timestamp_override: event.ingested to: now type: query updated_at: 
'2022-02-21T16:56:22.818Z' updated_by: elastic version: 5 summary: failed: 1 skipped: 0 succeeded: 1 total: 2 message: Bulk edit partially failed rules_count: 2 status_code: 500 success: false example03: description: The attributes.errors section of the response shows that two rules failed to update and one succeeded. The same results would be returned if you ran the request without dry run mode enabled. Notice that there are no arrays in attributes.results. In dry run mode, rule updates are not applied and saved to Elasticsearch, so the endpoint wouldn’t return results for rules that have been updated, created, or deleted. summary: Dry run value: attributes: errors: - err_code: IMMUTABLE message: Elastic rule can't be edited rules: - id: 81aa0480-06af-11ed-94fb-dd1a0597d8d2 name: Unusual AWS Command for a User status_code: 500 - err_code: MACHINE_LEARNING_INDEX_PATTERN message: Machine learning rule doesn't have index patterns rules: - id: dc015d10-0831-11ed-ac8b-05a222bd8d4a name: Suspicious Powershell Script [Duplicate] status_code: 500 results: created: [] deleted: [] skipped: [] updated: [] summary: failed: 2 skipped: 0 succeeded: 1 total: 3 message: Bulk edit partially failed status_code: 500 example04: description: This example presents the successful setting of tags for 2 rules. There was a difference between the set of tags that were being added and the tags that were already set in the rules, that's why the rules were updated. 
summary: Set tags successfully for 2 rules value: attributes: results: created: [] deleted: [] skipped: [] updated: - actions: [] author: [] created_at: '2025-03-25T11:46:41.899Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-6m id: 738112cd-6cfa-414a-8457-2a658845d6ba immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 5m language: kuery license: '' max_signals: 100 meta: kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Rule 1 output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 1 risk_score: 21 risk_score_mapping: [] rule_id: 6fb746a0-dfe5-40fa-b03f-5cbb84f3e32e rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 threat: [] to: now type: query updated_at: '2025-03-25T11:47:11.350Z' updated_by: elastic version: 2 - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: Hello uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 author: [] created_at: '2025-03-25T09:49:08.343Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-360s id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 3m investigation_fields: field_names: - alert.status - Endpoint.policy.applied.artifacts.global.channel language: kuery license: '' max_signals: 100 meta: from: 3m kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Rule 2 output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 33 risk_score: 21 
risk_score_mapping: [] rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 threat: [] timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline to: now type: query updated_at: '2025-03-25T11:47:11.357Z' updated_by: elastic version: 24 summary: failed: 0 skipped: 0 succeeded: 2 total: 2 rules_count: 2 success: true example05: description: This example presents the idempotent behavior of the edit action with set_tags request. Both rules already had exactly the same tags that were being added, so no changes were made in any of them. summary: Idempotent behavior of set_tags value: attributes: results: created: [] deleted: [] skipped: - id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b name: Rule 1 skip_reason: RULE_NOT_MODIFIED - id: 738112cd-6cfa-414a-8457-2a658845d6ba name: Rule 2 skip_reason: RULE_NOT_MODIFIED updated: [] summary: failed: 0 skipped: 2 succeeded: 0 total: 2 rules_count: 2 success: true example06: description: This example presents the idempotent behavior of the edit action with add_tags request. One rule was updated and one was skipped. The rule that was skipped already had all the tags that were being added. 
summary: Idempotent behavior of add_tags value: attributes: results: created: [] deleted: [] skipped: - id: 738112cd-6cfa-414a-8457-2a658845d6ba name: Test Rule 2 skip_reason: RULE_NOT_MODIFIED updated: - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: Hello uuid: 580e2e16-5e91-411c-999b-7b75a11ed441 author: [] created_at: '2025-03-25T09:49:08.343Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-360s id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 3m investigation_fields: field_names: - alert.status - Endpoint.policy.applied.artifacts.global.channel language: kuery license: '' max_signals: 100 meta: from: 3m kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Test rule output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 34 risk_score: 21 risk_score_mapping: [] rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 - tag-4 threat: [] timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline to: now type: query updated_at: '2025-03-25T11:55:12.752Z' updated_by: elastic version: 25 summary: failed: 0 skipped: 1 succeeded: 1 total: 2 rules_count: 2 success: true example07: description: This example shows a non-idempotent nature of the set_rule_actions requests. Regardless if the actions are the same as the existing actions for a rule, the actions are always set in the rule and receive a new unique ID. 
summary: Non-idempotent behavior for set_rule_actions value: attributes: results: created: [] deleted: [] skipped: [] updated: - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 20fbf986-a270-460e-80f3-7b83c08b430f params: body: Hello uuid: e48428e5-efac-4856-b8ad-b271c14eaa91 author: [] created_at: '2025-03-25T09:49:08.343Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-360s id: eacdfc95-e007-41c9-986e-4b2cbdfdc71b immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 3m investigation_fields: field_names: - alert.status - Endpoint.policy.applied.artifacts.global.channel language: kuery license: '' max_signals: 100 meta: from: 3m kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Test rule output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 39 risk_score: 21 risk_score_mapping: [] rule_id: 43250a55-53a3-4ddd-96cb-82a1bd720180 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: - tag-1 - tag-2 - tag-4 threat: [] timeline_id: 3e827bab-838a-469f-bd1e-5e19a2bff2fd timeline_title: Alerts Involving a Single User Timeline to: now type: query updated_at: '2025-03-25T12:17:40.528Z' updated_by: elastic version: 30 summary: failed: 0 skipped: 0 succeeded: 1 total: 1 rules_count: 1 success: true example08: description: This example shows a non-idempotent nature of the add_rule_actions requests. Regardless if the added action is the same as another existing action for a rule, the new action is added to the rule and receives a new unique ID. 
summary: Non-idempotent behavior for add_rule_actions value: attributes: results: created: [] deleted: [] skipped: [] updated: - actions: - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 params: body: Message body uuid: 0309347e-3954-429c-9168-5da2663389af - action_type_id: .webhook frequency: notifyWhen: onActiveAlert summary: true throttle: null group: default id: 76af173d-38d8-4a9a-b2cc-a3c695b845b4 params: body: Message body uuid: 49ddaa94-d63d-410e-90dc-8c1bad9552bd author: [] created_at: '2025-04-02T12:42:03.400Z' created_by: elastic description: test enabled: false exceptions_list: [] false_positives: [] filters: [] from: now-6m id: 0d3eb0cd-88c4-4651-ac87-6d9f0cb87217 immutable: false index: - apm-*-transaction* - auditbeat-* - endgame-* - filebeat-* - logs-* - packetbeat-* - traces-apm* - winlogbeat-* - '-*elastic-cloud-logs-*' interval: 5m language: kuery license: '' max_signals: 100 meta: kibana_siem_app_url: http://localhost:5601/kbn/app/security name: Jacek test rule output_index: '' query: '*' references: [] related_integrations: [] required_fields: [] revision: 2 risk_score: 21 risk_score_mapping: [] rule_id: 2684c020-1370-4719-ac27-eafe6428fe10 rule_source: type: internal setup: '' severity: low severity_mapping: [] tags: [] threat: [] to: now type: query updated_at: '2025-04-02T12:51:40.215Z' updated_by: elastic version: 2 summary: failed: 0 skipped: 0 succeeded: 1 total: 1 rules_count: 1 success: true schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse' - $ref: '#/components/schemas/Security_Detections_API_BulkExportActionResponse' description: OK summary: Apply a bulk action to detection rules tags: - Security Detections API /api/detection_engine/rules/_bulk_create: post: deprecated: true description: | Create new detection rules in bulk. > warn > This API is deprecated and will be removed in Kibana v9.0. 
> warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. operationId: BulkCreateRules requestBody: content: application/json: examples: example1: value: - description: Process started by MS Office program - possible payload enabled: false filters: - query: match: event.action: query: 'Process Create (rule: ProcessCreate)' type: phrase from: now-6m interval: 5m language: kuery name: MS Office child process query: process.parent.name:EXCEL.EXE or process.parent.name:MSPUB.EXE or process.parent.name:OUTLOOK.EXE or process.parent.name:POWERPNT.EXE or process.parent.name:VISIO.EXE or process.parent.name:WINWORD.EXE risk_score: 50 rule_id: process_started_by_ms_office_program_possible_payload severity: low tags: - child process - ms office type: query - description: Query with a rule_id for referencing an external id from: now-6m name: Second bulk rule query: 'user.name: root or user.name: admin' risk_score: 2 rule_id: query-rule-id-2 severity: low type: query schema: items: $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' type: array description: A JSON array of rules, where each rule contains the required fields. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_BulkCrudRulesResponse' description: Indicates a successful call. summary: Create multiple detection rules tags: - Security Detections API /api/detection_engine/rules/_bulk_delete: delete: deprecated: true description: | Delete detection rules in bulk. > warn > This API is deprecated and will be removed in Kibana v9.0. 
operationId: BulkDeleteRules requestBody: content: application/json: examples: example1: value: - rule_id: process_started_by_ms_office_program_possible_payload - id: 51658332-a15e-4c9e-912a-67214e2e2359 schema: items: type: object properties: id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' type: array description: A JSON array of `id` or `rule_id` fields of the rules you want to delete. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_BulkCrudRulesResponse' description: Indicates a successful call. '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Delete multiple detection rules tags: - Security Detections API post: deprecated: true description: | Delete detection rules in bulk. > warn > This API is deprecated and will be removed in Kibana v9.0. operationId: BulkDeleteRulesPost requestBody: content: application/json: examples: example1: value: - rule_id: process_started_by_ms_office_program_possible_payload - id: 51658332-a15e-4c9e-912a-67214e2e2359 schema: items: type: object properties: id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' type: array description: A JSON array of `id` or `rule_id` fields of the rules you want to delete. 
required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_BulkCrudRulesResponse' description: Indicates a successful call. '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Delete multiple detection rules tags: - Security Detections API /api/detection_engine/rules/_bulk_update: patch: deprecated: true description: | Update specific fields of existing detection rules using the `rule_id` or `id` field. > warn > This API is deprecated and will be removed in Kibana v9.0. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. 
operationId: BulkPatchRules requestBody: content: application/json: examples: example1: value: - rule_id: process_started_by_ms_office_program_possible_payload threat: - framework: MITRE ATT&CK id: TA0001 name: Initial Access reference: https://attack.mitre.org/tactics/TA0001 tactic: null technique: - id: T1193 name: Spearphishing Attachment reference: https://attack.mitre.org/techniques/T1193 - id: 56b22b65-173e-4a5b-b27a-82599cb1433e name: New name schema: items: $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' type: array description: A JSON array of rules, where each rule contains the required fields. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_BulkCrudRulesResponse' description: Indicates a successful call. summary: Patch multiple detection rules tags: - Security Detections API put: deprecated: true description: | Update multiple detection rules using the `rule_id` or `id` field. The original rules are replaced, and all unspecified fields are deleted. > warn > This API is deprecated and will be removed in Kibana v9.0. > warn > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running. > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change. operationId: BulkUpdateRules requestBody: content: application/json: examples: example1: value: - description: Detects when a previously suspended user's account is renewed in Google Workspace. An adversary may renew a suspended user account to maintain access to the Google Workspace organization with a valid account. 
id: 7d2f5ed8-6c05-44ab-81ce-9160ae147057 name: Updated Google Workspace Suspended User Account Renewed risk_score: 21 severity: low tags: - new_tag type: query - description: Identifies the creation of an Amazon Redshift cluster. Unexpected creation of this cluster by a non-administrative user may indicate a permission or role issue with current users. If unexpected, the resource may not properly be configured and could introduce security vulnerabilities. id: 43b2dc3b-4f21-4a10-95e2-0dbc19e6e974 name: Updated AWS Redshift Cluster Creation risk_score: 21 severity: low tags: - new_tag type: query schema: items: $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' type: array description: | A JSON array where each element includes the `id` or `rule_id` field of the rule you want to update and the fields you want to be specified in this rule. > info > All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_BulkCrudRulesResponse' description: Indicates a successful call. summary: Update multiple detection rules tags: - Security Detections API /api/detection_engine/rules/_export: post: description: | Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file: - Actions - Exception lists > info > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules. 
> You can use Kibana’s [Saved Objects](https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules. > Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the [Manage value lists](https://www.elastic.co/guide/en/security/current/value-lists-exceptions.html#manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. operationId: ExportRules parameters: - description: Determines whether a summary of the exported rules is returned. in: query name: exclude_export_details required: false schema: default: false type: boolean - description: | File name for saving the exported rules. > info > When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. in: query name: file_name required: false schema: default: export.ndjson type: string requestBody: content: application/json: schema: nullable: true type: object properties: objects: description: Array of `rule_id` fields. Exports all rules when unspecified. items: type: object properties: rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' required: - rule_id type: array required: - objects required: false responses: '200': content: application/ndjson: schema: description: | An `.ndjson` file containing the returned rules. Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported. format: binary type: string description: Indicates a successful call. 
      summary: Export detection rules
      tags:
        - Security Detections API
      x-codeSamples:
        - lang: cURL
          source: |
            curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
            {
              "objects": [
                {
                  "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
                },
                {
                  "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
                }
              ]
            }'
  /api/detection_engine/rules/_find:
    get:
      description: Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.
      operationId: FindRules
      parameters:
        - in: query
          name: fields
          required: false
          schema:
            items:
              type: string
            type: array
        - description: |
            Search query

            Filters the returned results according to the value of the specified field, using the alert.attributes.<field name>:<field value> syntax, where <field name> can be:
            - name
            - enabled
            - tags
            - createdBy
            - interval
            - updatedBy

            > info
            > Even though the JSON rule object uses created_by and updated_by fields, you must use createdBy and updatedBy fields in the filter.
in: query name: filter required: false schema: type: string - description: Field to sort by in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - description: Sort order in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_Detections_API_SortOrder' - description: Page number in: query name: page required: false schema: default: 1 minimum: 1 type: integer - description: Rules per page in: query name: per_page required: false schema: default: 20 minimum: 0 type: integer - description: Gaps range start in: query name: gaps_range_start required: false schema: type: string - description: Gaps range end in: query name: gaps_range_end required: false schema: type: string responses: '200': content: application/json: examples: example1: value: data: - created_at: '2020-02-02T10:05:19.613Z' created_by: elastic description: Identifies a PowerShell process launched by either cscript.exe or wscript.exe. Observing Windows scripting processes executing a PowerShell script, may be indicative of malicious activity. enabled: false execution_summary: last_execution: date: '2022-03-23T16:06:12.787Z' message: This rule attempted to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, but no matching index was found. 
metrics: execution_gap_duration_s: 0 total_indexing_duration_ms: 15 total_search_duration_ms: 135 status: partial failure status_order: 20 false_positives: [] from: now-6m id: 89761517-fdb0-4223-b67b-7621acc48f9e immutable: true index: - winlogbeat-* interval: 5m language: kuery max_signals: 33 name: Windows Script Executing PowerShell query: 'event.action:"Process Create (rule: ProcessCreate)" and process.parent.name:("wscript.exe" or "cscript.exe") and process.name:"powershell.exe"' references: [] related_integrations: - package: o365 version: ^2.3.2 required_fields: - ecs: true name: event.action type: keyword - ecs: true name: process.name type: keyword - ecs: true name: process.parent.name type: keyword risk_score: 21 rule_id: f545ff26-3c94-4fd0-bd33-3c7f95a3a0fc setup: '' severity: low tags: - Elastic - Windows threat: - framework: MITRE ATT&CK tactic: id: TA0002 name: Execution reference: https://attack.mitre.org/tactics/TA0002/ technique: - id: T1193 name: Spearphishing Attachment reference: https://attack.mitre.org/techniques/T1193/ to: now type: query updated_at: '2020-02-02T10:05:19.830Z' updated_by: elastic page: 1 perPage: 5 total: 4 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Detections_API_RuleResponse' type: array page: type: integer perPage: type: integer total: type: integer required: - page - perPage - total - data description: | Successful response > info > These fields are under development and their usage or schema may change: execution_summary. summary: List all detection rules tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl -X GET "localhost:5601/api/detection_engine/rules/_find?page=1&per_page=5&sort_field=enabled&sort_order=asc&filter=alert.attributes.name:windows" -H 'kbn-xsrf: true' /api/detection_engine/rules/_import: post: description: | Import detection rules from an `.ndjson` file, including actions and exception lists. 
        The request must include:
        - The `Content-Type: multipart/form-data` HTTP header.
        - A link to the `.ndjson` file containing the rules.

        > warn
        > When used with [API key](https://www.elastic.co/guide/en/kibana/current/api-keys.html) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
        > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.

        > info
        > To import rules with actions, you need at least Read privileges for the Actions and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for more information.

        > info
        > Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.
        > You can use Kibana’s [Saved Objects](https://www.elastic.co/guide/en/kibana/current/managing-saved-objects.html) UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to [export](https://www.elastic.co/docs/api/doc/kibana/operation/operation-exportsavedobjectsdefault) and [import](https://www.elastic.co/docs/api/doc/kibana/operation/operation-importsavedobjectsdefault) any necessary connectors before importing detection rules.
        > Similarly, any value lists used for rule exceptions are not included in rule exports or imports.
Use the [Manage value lists](https://www.elastic.co/guide/en/security/current/value-lists-exceptions.html#manage-value-lists) UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately. operationId: ImportRules parameters: - description: Determines whether existing rules with the same `rule_id` are overwritten. in: query name: overwrite required: false schema: default: false type: boolean - description: Determines whether existing exception lists with the same `list_id` are overwritten. Both the exception list container and its items are overwritten. in: query name: overwrite_exceptions required: false schema: default: false type: boolean - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten. in: query name: overwrite_action_connectors required: false schema: default: false type: boolean - description: Generates a new list ID for each imported exception list. in: query name: as_new_list required: false schema: default: false type: boolean requestBody: content: multipart/form-data: schema: type: object properties: file: description: The `.ndjson` file containing the rules. 
format: binary type: string required: true responses: '200': content: application/json: examples: example1: summary: Import rules with success value: errors: [] exceptions_errors: [] exceptions_success: true exceptions_success_count: 0 rules_count: 1 success: true success_count: 1 schema: additionalProperties: false type: object properties: action_connectors_errors: items: $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' type: array action_connectors_success: type: boolean action_connectors_success_count: minimum: 0 type: integer action_connectors_warnings: items: $ref: '#/components/schemas/Security_Detections_API_WarningSchema' type: array errors: items: $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' type: array exceptions_errors: items: $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' type: array exceptions_success: type: boolean exceptions_success_count: minimum: 0 type: integer rules_count: minimum: 0 type: integer success: type: boolean success_count: minimum: 0 type: integer required: - exceptions_success - exceptions_success_count - exceptions_errors - rules_count - success - success_count - errors - action_connectors_errors - action_connectors_warnings - action_connectors_success - action_connectors_success_count description: Indicates a successful call. summary: Import detection rules tags: - Security Detections API x-codeSamples: - lang: cURL source: | curl -X POST "<KibanaURL>/api/detection_engine/rules/_import" -u <username>:<password> -H 'kbn-xsrf: true' -H 'Content-Type: multipart/form-data' --form "file=@<link to file>" /api/detection_engine/rules/{id}/exceptions: post: description: Create exception items that apply to a single detection rule. 
operationId: CreateRuleExceptionListItems parameters: - description: Detection rule's identifier examples: id: value: 330bdd28-eedf-40e1-bed0-f10176c7f9e0 in: path name: id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_RuleId' requestBody: content: application/json: schema: example: items: - description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware type: simple type: object properties: items: items: $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps' type: array required: - items description: Rule exception items. required: true responses: '200': content: application/json: examples: ruleExceptionItems: value: - _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. 
entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic schema: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' type: array description: Successful response '400': content: application/json: examples: badPayload: value: error: Bad Request message: Invalid request payload JSON format statusCode: 400 badRequest: value: error: Bad Request message: '[request params]: id: Invalid uuid' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: message: Unable to create exception-list status_code: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response 
summary: Create rule exception items tags: - Security Exceptions API /api/detection_engine/rules/prepackaged: put: description: | Install and update all Elastic prebuilt detection rules and Timelines. This endpoint allows you to install and update prebuilt detection rules and Timelines provided by Elastic. When you call this endpoint, it will: - Install any new prebuilt detection rules that are not currently installed in your system. - Update any existing prebuilt detection rules that have been modified or improved by Elastic. - Install any new prebuilt Timelines that are not currently installed in your system. - Update any existing prebuilt Timelines that have been modified or improved by Elastic. This ensures that your detection engine is always up-to-date with the latest rules and Timelines, providing you with the most current and effective threat detection capabilities. operationId: InstallPrebuiltRulesAndTimelines responses: '200': content: application/json: examples: example1: value: rules_installed: 112 rules_updated: 0 timelines_installed: 5 timelines_updated: 2 schema: additionalProperties: false type: object properties: rules_installed: description: The number of rules installed minimum: 0 type: integer rules_updated: description: The number of rules updated minimum: 0 type: integer timelines_installed: description: The number of timelines installed minimum: 0 type: integer timelines_updated: description: The number of timelines updated minimum: 0 type: integer required: - rules_installed - rules_updated - timelines_installed - timelines_updated description: Indicates a successful call summary: Install prebuilt detection rules and Timelines tags: - Security Detections API /api/detection_engine/rules/prepackaged/_status: get: description: | Retrieve the status of all Elastic prebuilt detection rules and Timelines. 
This endpoint provides detailed information about the number of custom rules, installed prebuilt rules, available prebuilt rules that are not installed, outdated prebuilt rules, installed prebuilt timelines, available prebuilt timelines that are not installed, and outdated prebuilt timelines. operationId: ReadPrebuiltRulesAndTimelinesStatus responses: '200': content: application/json: examples: example1: value: rules_custom_installed: 0 rules_installed: 0 rules_not_installed: 112 rules_not_updated: 0 timelines_installed: 0 timelines_not_installed: 0 timelines_not_updated: 0 schema: additionalProperties: false type: object properties: rules_custom_installed: description: The total number of custom rules minimum: 0 type: integer rules_installed: description: The total number of installed prebuilt rules minimum: 0 type: integer rules_not_installed: description: The total number of available prebuilt rules that are not installed minimum: 0 type: integer rules_not_updated: description: The total number of outdated prebuilt rules minimum: 0 type: integer timelines_installed: description: The total number of installed prebuilt timelines minimum: 0 type: integer timelines_not_installed: description: The total number of available prebuilt timelines that are not installed minimum: 0 type: integer timelines_not_updated: description: The total number of outdated prebuilt timelines minimum: 0 type: integer required: - rules_custom_installed - rules_installed - rules_not_installed - rules_not_updated - timelines_installed - timelines_not_installed - timelines_not_updated description: Indicates a successful call summary: Retrieve the status of prebuilt detection rules and Timelines tags: - Security Detections API /api/detection_engine/rules/preview: post: operationId: RulePreview parameters: - description: Enables logging and returning in response ES queries, performed during rule execution in: query name: enable_logged_requests required: false schema: type: boolean requestBody: 
        content:
          application/json:
            schema:
              anyOf:
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
                - allOf:
                    - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
                    - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
              discriminator:
                propertyName: type
        description: An object containing tags to add or remove and alert ids the changes will be applied
        required: true
      responses:
        '200':
          content:
            application/json:
              schema:
                type: object
                properties:
                  isAborted:
                    type: boolean
                  logs:
                    items:
                      $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs'
                    type: array
                  previewId:
                    $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
                required:
                  - logs
          description: Successful response
        '400':
          content:
            application/json:
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
                  - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Invalid input data response
        '401':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
          description: Unsuccessful authentication response
        '500':
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
          description: Internal server error response
      summary: Preview rule alerts generated on specified time range
      tags:
        - Security Detections API
  /api/detection_engine/signals/assignees:
    post:
      description: |
        Assign users to detection alerts, and unassign them from alerts.
        > info
        > You cannot add and remove the same assignee in the same request.
      operationId: SetAlertAssignees
      requestBody:
        content:
          application/json:
            examples:
              add:
                value:
                  assignees:
                    add:
                      - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0
                    remove: []
                  ids:
                    - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6
              remove:
                value:
                  assignees:
                    add: []
                    remove:
                      - u_MxY0jbrft7EcfC6iNZSUGeI_n6iYrSwZj5mWF5EqmSU_0
                  ids:
                    - 681c2a707335aa7df5f349b70013d87254746191712ecf0ced9b3e2d538503a6
            schema:
              type: object
              properties:
                assignees:
                  $ref: '#/components/schemas/Security_Detections_API_AlertAssignees'
                  description: Details about the assignees to assign and unassign.
                ids:
                  $ref: '#/components/schemas/Security_Detections_API_AlertIds'
              required:
                - assignees
                - ids
        required: true
      responses:
        '200':
          content:
            application/ndjson:
              examples:
                add:
                  value:
                    batches: 1
                    deleted: 0
                    failures: []
                    noops: 0
                    requests_per_second: -1
                    retries:
                      bulk: 0
                      search: 0
                    throttled_millis: 0
                    throttled_until_millis: 0
                    timed_out: false
                    took: 76
                    total: 1
                    updated: 1
                    version_conflicts: 0
          description: Indicates a successful call.
        '400':
          description: Invalid request.
summary: Assign and unassign users from detection alerts tags: - Security Detections API /api/detection_engine/signals/finalize_migration: post: deprecated: true description: | Finalize successful migrations of detection alerts. This replaces the original index's alias with the successfully migrated index's alias. The endpoint is idempotent; therefore, it can safely be used to poll a given migration and, upon completion, finalize it. operationId: FinalizeAlertsMigration requestBody: content: application/json: schema: example: migration_ids: - 924f7c50-505f-11eb-ae0a-3fa2e626a51d type: object properties: migration_ids: description: Array of `migration_id`s to finalize. items: type: string minItems: 1 type: array required: - migration_ids description: Array of `migration_id`s to finalize required: true responses: '200': content: application/json: examples: success: value: migrations: - completed: true destinationIndex: .siem-signals-default-000002-r000016 id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d sourceIndex: .siem-signals-default-000002 status: success updated: '2021-01-06T22:05:56.859Z' version: 16 schema: items: $ref: '#/components/schemas/Security_Detections_API_MigrationFinalizationResult' type: array description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Finalize detection alert migrations tags: - Security Detections API /api/detection_engine/signals/migration: delete: deprecated: true description: | Migrations favor data 
integrity over shard size. Consequently, unused or orphaned indices are artifacts of the migration process. A successful migration will result in both the old and new indices being present. As such, the old, orphaned index can (and likely should) be deleted. While you can delete these indices manually, the endpoint accomplishes this task by applying a deletion policy to the relevant index, causing it to be deleted after 30 days. It also deletes other artifacts specific to the migration implementation. operationId: AlertsMigrationCleanup requestBody: content: application/json: schema: example: migration_ids: - 924f7c50-505f-11eb-ae0a-3fa2e626a51d type: object properties: migration_ids: description: Array of `migration_id`s to cleanup. items: type: string minItems: 1 type: array required: - migration_ids description: Array of `migration_id`s to cleanup required: true responses: '200': content: application/json: examples: success: value: migrations: - destinationIndex: .siem-signals-default-000002-r000016 id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d sourceIndex: .siem-signals-default-000002 status: success updated: '2021-01-06T22:05:56.859Z' version: 16 schema: items: $ref: '#/components/schemas/Security_Detections_API_MigrationCleanupResult' type: array description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Clean up detection alert migrations tags: - Security Detections API post: deprecated: true description: | Initiate a 
migration of detection alerts. Migrations are initiated per index. While the process is neither destructive nor interferes with existing data, it may be resource-intensive. As such, it is recommended that you plan your migrations accordingly. operationId: CreateAlertsMigration requestBody: content: application/json: examples: singleIndex: value: index: - .siem-signals-default-000001 schema: allOf: - type: object properties: index: description: Array of index names to migrate. items: format: nonempty minLength: 1 type: string minItems: 1 type: array required: - index - $ref: '#/components/schemas/Security_Detections_API_AlertsReindexOptions' description: Alerts migration parameters required: true responses: '200': content: application/json: examples: success: value: indices: - index: .siem-signals-default-000001, migration_id: 923f7c50-505f-11eb-ae0a-3fa2e626a51d migration_index: .siem-signals-default-000001-r000016 schema: type: object properties: indices: items: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationSuccess' - $ref: '#/components/schemas/Security_Detections_API_AlertsIndexMigrationError' - $ref: '#/components/schemas/Security_Detections_API_SkippedAlertsIndexMigration' type: array required: - indices description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Initiate a detection alert migration tags: - Security Detections API /api/detection_engine/signals/migration_status: get: 
deprecated: true description: Retrieve indices that contain detection alerts of a particular age, along with migration information for each of those indices. operationId: ReadAlertsMigrationStatus parameters: - description: Maximum age of qualifying detection alerts in: query name: from required: true schema: description: | Time from which data is analyzed. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). example: now-30d format: date-math type: string responses: '200': content: application/json: examples: success: value: indices: - index: .siem-signals-default-000002 is_outdated: true migrations: - id: 924f7c50-505f-11eb-ae0a-3fa2e626a51d status: pending updated: '2021-01-06T20:41:37.173Z' version: 16 signal_versions: - count: 100 version: 15 - count: 87 version: 16 version: 15 - index: .siem-signals-default-000003 is_outdated: false migrations: [] signal_versions: - count: 54 version: 16 version: 16 schema: type: object properties: indices: items: $ref: '#/components/schemas/Security_Detections_API_IndexMigrationStatus' type: array required: - indices description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Retrieve the status of detection alert migrations tags: - Security Detections API /api/detection_engine/signals/search: post: description: Find and/or aggregate detection alerts that match the given query. 
operationId: SearchAlerts requestBody: content: application/json: examples: query: value: aggs: alertsByGrouping: terms: field: host.name size: 10 missingFields: missing: field: host.name query: bool: filter: - bool: filter: - match_phrase: kibana.alert.workflow_status: open must: [] must_not: - exists: field: kibana.alert.building_block_type should: [] - range: '@timestamp': gte: '2025-01-17T08:00:00.000Z' lte: '2025-01-18T07:59:59.999Z' runtime_mappings: {} size: 0 schema: description: Elasticsearch query and aggregation request type: object properties: _source: oneOf: - type: boolean - type: string - items: type: string type: array aggs: additionalProperties: true type: object fields: items: type: string type: array query: additionalProperties: true type: object runtime_mappings: additionalProperties: true type: object size: minimum: 0 type: integer sort: $ref: '#/components/schemas/Security_Detections_API_AlertsSort' track_total_hits: type: boolean description: Search and/or aggregation query required: true responses: '200': content: application/json: examples: success: value: _shards: failed: 0 skipped: 0 successful: 1 total: 1 aggregations: alertsByGrouping: buckets: - doc_count: 5 key: Host-f43kkddfyc doc_count_error_upper_bound: 0 sum_other_doc_count: 0 missingFields: doc_count: 0 hits: hits: [] max_score: null total: relation: eq value: 5 timed_out: false took: 0 schema: additionalProperties: true description: Elasticsearch search response type: object description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Find and/or aggregate detection alerts tags: - Security Detections API /api/detection_engine/signals/status: post: description: Set the status of one or more detection alerts. operationId: SetAlertsStatus requestBody: content: application/json: examples: byId: value: signal_ids: - 80e1383f856e67c1b7f7a1634744fa6d66b6e2ef7aa26d226e57afb5a7b2b4a1 status: closed byQuery: value: conflicts: proceed query: bool: filter: - '@timestamp': format: strict_date_optional_time gte: '2024-10-23T07:00:00.000Z' lte: '2025-01-21T20:12:11.704Z' range: null - bool: filter: bool: filter: - match_phrase: kibana.alert.workflow_status: open - '@timestamp': format: strict_date_optional_time gte: '2024-10-23T07:00:00.000Z' lte: '2025-01-21T20:12:11.704Z' range: null must: [] must_not: - exists: field: kibana.alert.building_block_type should: [] must: [] must_not: [] should: [] status: closed schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds' - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery' description: An object containing desired status and explicit alert ids or a query to select alerts required: true responses: '200': content: application/json: examples: byId: value: batches: 1 deleted: 0 failures: [] noops: 0 requests_per_second: -1 retries: bulk: 0 search: 0 throttled_millis: 0 throttled_until_millis: 0 timed_out: false took: 81 total: 1 updated: 1 version_conflicts: 0 byQuery: value: batches: 1 deleted: 0 failures: [] noops: 0 requests_per_second: -1 retries: bulk: 0 search: 0 throttled_millis: 0 throttled_until_millis: 0 timed_out: false took: 100 total: 17 updated: 17 version_conflicts: 0 schema: additionalProperties: true description: Elasticsearch update by query response type: object description: Successful response '400': content: application/json: schema: oneOf: - $ref: 
'#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Set a detection alert status tags: - Security Detections API /api/detection_engine/signals/tags: post: description: | Add tags to detection alerts, and remove them from alerts. > info > You cannot add and remove the same alert tag in the same request. operationId: SetAlertTags requestBody: content: application/json: examples: add: value: ids: - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e tags: tags_to_add: - Duplicate tags_to_remove: [] remove: value: ids: - 549c7129c76cbd554aba1bd638f8a49dde95088f5832e50218358e7eca1cf16e tags: tags_to_add: [] tags_to_remove: - Duplicate schema: type: object properties: ids: $ref: '#/components/schemas/Security_Detections_API_AlertIds' tags: $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' required: - ids - tags description: An object containing tags to add or remove and alert ids the changes will be applied to required: true responses: '200': content: application/json: examples: success: value: batches: 1, deleted: 0, failures: [] noops: 0, requests_per_second: '-1,' retries: bulk: 0, search: 0 throttled_millis: 0, throttled_until_millis: 0, timed_out: false, took: 68, total: 1, updated: 1, version_conflicts: 0, schema: additionalProperties: true description: Elasticsearch update by query response type: object description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' - $ref: 
'#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse' description: Unsuccessful authentication response '500': content: application/json: schema: $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' description: Internal server error response summary: Add and remove detection alert tags tags: - Security Detections API /api/detection_engine/tags: get: description: List all unique tags from all detection rules. operationId: ReadTags responses: '200': content: application/json: examples: example1: value: - zeek - suricata - windows - linux - network - initial access - remote access - phishing schema: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' description: Indicates a successful call summary: List all detection rule tags tags: - Security Detections API /api/encrypted_saved_objects/_rotate_key: post: description: | Superuser role required. If a saved object cannot be decrypted using the primary encryption key, then Kibana will attempt to decrypt it using the specified decryption-only keys. In most cases this overhead is negligible, but if you're dealing with a large number of saved objects and experiencing performance issues, you may want to rotate the encryption key. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. operationId: rotateEncryptionKey parameters: - description: | Specifies a maximum number of saved objects that Kibana can process in a single batch. Bulk key rotation is an iterative process since Kibana may not be able to fetch and process all required saved objects in one go and splits processing into consecutive batches. 
By default, the batch size is 10000, which is also a maximum allowed value. in: query name: batch_size required: false schema: default: 10000 type: number - description: | Limits encryption key rotation only to the saved objects with the specified type. By default, Kibana tries to rotate the encryption key for all saved object types that may contain encrypted attributes. in: query name: type required: false schema: type: string responses: '200': content: application/json: examples: rotateEncryptionKeyResponse: $ref: '#/components/examples/Saved_objects_key_rotation_response' schema: type: object properties: failed: description: | Indicates the number of the saved objects that were still encrypted with one of the old encryption keys that Kibana failed to re-encrypt with the primary key. type: number successful: description: | Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. NOTE: In most cases, `total` will be greater than `successful` even if `failed` is zero. The reason is that Kibana may not need or may not be able to rotate encryption keys for all encrypted saved objects. type: number total: description: | Indicates the total number of all encrypted saved objects (optionally filtered by the requested `type`), regardless of the key Kibana used for encryption. type: number description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request '429': content: application/json: schema: type: object description: Already in progress. summary: Rotate a key for encrypted saved objects tags: - saved objects /api/endpoint_list: post: description: Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned. 
operationId: CreateEndpointList responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Create an endpoint exception list tags: - Security Endpoint Exceptions API /api/endpoint_list/items: delete: description: Delete an endpoint exception list item using the `id` or `item_id` field. 
operationId: DeleteEndpointListItem parameters: - description: Either `id` or `item_id` must be specified in: query name: id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Delete an endpoint exception list item tags: - Security Endpoint Exceptions API get: description: Get the details of an endpoint exception list item using the `id` or `item_id` field. 
operationId: ReadEndpointListItem parameters: - description: Either `id` or `item_id` must be specified in: query name: id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' - description: Either `id` or `item_id` must be specified in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' responses: '200': content: application/json: schema: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem' type: array description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Get an endpoint exception list item tags: - Security Endpoint Exceptions API post: description: Create an endpoint exception list item, and associate it with the endpoint exception list. 
operationId: CreateEndpointListItem requestBody: content: application/json: schema: type: object properties: comments: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' item_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' os_types: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' default: [] type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' required: - type - name - description - entries description: Exception list item's properties required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '409': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: 
Endpoint list item already exists '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Create an endpoint exception list item tags: - Security Endpoint Exceptions API put: description: Update an endpoint exception list item using the `id` or `item_id` field. operationId: UpdateEndpointListItem requestBody: content: application/json: schema: type: object properties: _version: type: string comments: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' description: Either `id` or `item_id` must be specified item_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' description: Either `id` or `item_id` must be specified meta: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' os_types: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' required: - type - name - description - entries description: Exception list item's properties required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem' description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - 
$ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list item not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal server error summary: Update an endpoint exception list item tags: - Security Endpoint Exceptions API /api/endpoint_list/items/_find: get: description: Get a list of all endpoint exception list items. operationId: FindEndpointListItems parameters: - description: | Filters the returned results according to the value of the specified field, using the `<field name>:<field value>` syntax. 
in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter' - description: The page number to return in: query name: page required: false schema: minimum: 0 type: integer - description: The number of exception list items to return per page in: query name: per_page required: false schema: minimum: 0 type: integer - description: Determines which field is used to sort the results in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - description: Determines the sort order, which can be `desc` or `asc` in: query name: sort_order required: false schema: enum: - desc - asc type: string responses: '200': content: application/json: schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem' type: array page: minimum: 0 type: integer per_page: minimum: 0 type: integer pit: type: string total: minimum: 0 type: integer required: - data - page - per_page - total description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Invalid input data '401': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication '403': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse' description: Insufficient privileges '404': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Endpoint list not found '500': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse' description: Internal 
server error summary: Get endpoint exception list items tags: - Security Endpoint Exceptions API /api/endpoint/action: get: description: Get a list of all response actions. operationId: EndpointGetActionsList parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - in: query name: commands required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - in: query name: agentIds required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - in: query name: userIds required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - in: query name: startDate required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - in: query name: endDate required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - in: query name: agentTypes required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - in: query name: withOutputs required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - in: query name: types required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' description: OK summary: Get response actions tags: - Security Endpoint Management API /api/endpoint/action_log/{agent_id}: get: deprecated: true description: Get an action request log for the specified agent ID. 
operationId: EndpointGetActionLog parameters: - in: path name: agent_id required: true schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' - in: query name: query required: true schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionLogRequestQuery' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Get an action request log tags: - Security Endpoint Management API /api/endpoint/action_status: get: description: Get the status of response actions for the specified agent IDs. operationId: EndpointGetActionsStatus parameters: - in: query name: query required: true schema: type: object properties: agent_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse' description: OK summary: Get response actions status tags: - Security Endpoint Management API /api/endpoint/action/{action_id}: get: description: Get the details of a response action using the action ID. operationId: EndpointGetActionsDetails parameters: - in: path name: action_id required: true schema: description: The ID of the action to retrieve. example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse' description: OK summary: Get action details tags: - Security Endpoint Management API /api/endpoint/action/{action_id}/file/{file_id}: get: description: Get information for the specified file using the file ID. 
operationId: EndpointFileInfo parameters: - in: path name: action_id required: true schema: type: string - in: path name: file_id required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Get file information tags: - Security Endpoint Management API /api/endpoint/action/{action_id}/file/{file_id}/download: get: description: Download a file from an endpoint. operationId: EndpointFileDownload parameters: - in: path name: action_id required: true schema: type: string - in: path name: file_id required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Download a file tags: - Security Endpoint Management API /api/endpoint/action/execute: post: description: Run a shell command on an endpoint. operationId: EndpointExecuteAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse' description: OK summary: Run a command tags: - Security Endpoint Management API /api/endpoint/action/get_file: post: description: Get a file from an endpoint. operationId: EndpointGetFileAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse' description: OK summary: Get a file tags: - Security Endpoint Management API /api/endpoint/action/isolate: post: description: Isolate an endpoint from the network. The endpoint remains isolated until it's released. 
operationId: EndpointIsolateAction requestBody: content: application/json: examples: multiple_endpoints: summary: Isolates several hosts; includes a comment value: comment: Locked down, pending further investigation endpoint_ids: - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - fa89271b-b9d4-43f2-a684-307cffddeb5a single_endpoint: summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 value: endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 with_case_id: summary: Isolates a single host with a case_id value of 1234 value: case_ids: - 4976be38-c134-4554-bd5e-0fd89ce63667 comment: Isolating as initial response endpoint_ids: - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - b30a11bf-1395-4707-b508-fbb45ef9793e schema: type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: - Security Endpoint Management API /api/endpoint/action/kill_process: post: description: Terminate a running process on an endpoint. 
operationId: EndpointKillProcessAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse' description: OK summary: Terminate a process tags: - Security Endpoint Management API /api/endpoint/action/running_procs: post: description: Get a list of all processes running on an endpoint. operationId: EndpointGetProcessesAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse' description: OK summary: Get running processes tags: - Security Endpoint Management API /api/endpoint/action/runscript: post: description: Run a shell command on an endpoint. operationId: RunScriptAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_RunScriptRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Run a script tags: - Security Endpoint Management API /api/endpoint/action/scan: post: description: Scan a specific file or directory on an endpoint for malware. 
operationId: EndpointScanAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse' description: OK summary: Scan a file or directory tags: - Security Endpoint Management API /api/endpoint/action/state: get: description: Get the response actions state, which reports whether encryption is enabled. operationId: EndpointGetActionsState responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse' description: OK summary: Get actions state tags: - Security Endpoint Management API /api/endpoint/action/suspend_process: post: description: Suspend a running process on an endpoint. operationId: EndpointSuspendProcessAction requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: - Security Endpoint Management API /api/endpoint/action/unisolate: post: description: Release an isolated endpoint, allowing it to rejoin a network.
operationId: EndpointUnisolateAction requestBody: content: application/json: examples: multipleHosts: summary: 'Releases several hosts; includes a comment:' value: comment: Benign process identified, releasing group endpoint_ids: - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 - bc0e4f0c-3bca-4633-9fee-156c0b505d16 - fa89271b-b9d4-43f2-a684-307cffddeb5a singleHost: summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 value: endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 withCaseId: summary: Releases hosts with an associated case; includes a comment. value: case_ids: - 4976be38-c134-4554-bd5e-0fd89ce63667 comment: Remediation complete, restoring network endpoint_ids: - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 - b30a11bf-1395-4707-b508-fbb45ef9793e schema: type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: - Security Endpoint Management API /api/endpoint/action/upload: post: description: Upload a file to an endpoint. 
operationId: EndpointUploadAction requestBody: content: multipart/form-data: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse' description: OK summary: Upload a file tags: - Security Endpoint Management API /api/endpoint/isolate: post: deprecated: true description: | Isolate an endpoint from the network. > info > This URL will return a 308 permanent redirect to `POST <kibana host>:<port>/api/endpoint/action/isolate`. operationId: EndpointIsolateRedirect requestBody: content: application/json: schema: type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK '308': description: Permanent Redirect headers: Location: description: Permanently redirects to "/api/endpoint/action/isolate" schema: example: /api/endpoint/action/isolate type: string summary: Isolate an endpoint tags: - Security Endpoint Management API /api/endpoint/metadata: get: operationId: GetEndpointMetadataList parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - in: query name: 
kuery required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_Kuery' - in: query name: hostStatuses required: true schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_HostStatuses' - in: query name: sortField required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SortField' - in: query name: sortDirection required: false schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SortDirection' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_MetadataListResponse' description: OK summary: Get a metadata list tags: - Security Endpoint Management API /api/endpoint/metadata/{id}: get: operationId: GetEndpointMetadata parameters: - in: path name: id required: true schema: example: ed518850-681a-4d60-bb98-e22640cae2a8 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointMetadataResponse' description: OK summary: Get metadata tags: - Security Endpoint Management API /api/endpoint/metadata/transforms: get: deprecated: true operationId: GetEndpointMetadataTransform responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Get metadata transforms tags: - Security Endpoint Management API /api/endpoint/policy_response: get: operationId: GetPolicyResponse parameters: - in: query name: query required: true schema: type: object properties: agentId: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Get a policy response tags: - Security Endpoint Management API /api/endpoint/policy/summaries: get: deprecated: true operationId: GetAgentPolicySummary parameters: - in: query name: query 
required: true schema: type: object properties: package_name: type: string policy_id: nullable: true type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Get an agent policy summary tags: - Security Endpoint Management API /api/endpoint/protection_updates_note/{package_policy_id}: get: operationId: GetProtectionUpdatesNote parameters: - in: path name: package_policy_id required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' description: OK summary: Get a protection updates note tags: - Security Endpoint Management API post: operationId: CreateUpdateProtectionUpdatesNote parameters: - in: path name: package_policy_id required: true schema: type: string requestBody: content: application/json: schema: type: object properties: note: type: string required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse' description: OK summary: Create or update a protection updates note tags: - Security Endpoint Management API /api/endpoint/suggestions/{suggestion_type}: post: deprecated: true operationId: GetEndpointSuggestions parameters: - in: path name: suggestion_type required: true schema: enum: - eventFilters type: string requestBody: content: application/json: schema: type: object properties: field: type: string fieldMeta: {} filters: {} query: type: string required: - parameters required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK summary: Get suggestions tags: - Security Endpoint Management API /api/endpoint/unisolate: post: deprecated: true description: | Release an isolated endpoint, allowing it to rejoin a network. 
> info > This URL will return a 308 permanent redirect to `POST <kibana host>:<port>/api/endpoint/action/unisolate`. operationId: EndpointUnisolateRedirect requestBody: content: application/json: schema: type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' description: OK '308': description: Permanent Redirect headers: Location: description: Permanently redirects to "/api/endpoint/action/unisolate" schema: example: /api/endpoint/action/unisolate type: string summary: Release an isolated endpoint tags: - Security Endpoint Management API /api/entity_store/enable: post: operationId: InitEntityStore requestBody: content: application/json: schema: type: object properties: delay: default: 1m description: The delay before the transform will run. pattern: '[smdh]$' type: string docsPerSecond: description: The number of documents per second to process. type: integer enrichPolicyExecutionInterval: $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' entityTypes: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' type: array fieldHistoryLength: default: 10 description: The number of historical values to keep for each field. type: integer filter: type: string frequency: default: 1m description: The frequency at which the transform will run. 
pattern: '[smdh]$' type: string indexPattern: $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' lookbackPeriod: default: 24h description: The amount of time the transform looks back to calculate the aggregations. pattern: '[smdh]$' type: string timeout: default: 180s description: The timeout for initializing the aggregating transform. pattern: '[smdh]$' type: string timestampField: default: '@timestamp' description: The field to use as the timestamp. type: string description: Schema for the entity store initialization required: true responses: '200': content: application/json: schema: type: object properties: engines: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' type: array succeeded: type: boolean description: Successful response '400': description: Invalid request summary: Initialize the Entity Store tags: - Security Entity Analytics API /api/entity_store/engines: get: operationId: ListEntityEngines responses: '200': content: application/json: schema: type: object properties: count: type: integer engines: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' type: array description: Successful response summary: List the Entity Engines tags: - Security Entity Analytics API /api/entity_store/engines/{entityType}: delete: operationId: DeleteEntityEngine parameters: - description: The entity type of the engine (either 'user' or 'host'). in: path name: entityType required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - description: Control flag to also delete the entity data. 
in: query name: data required: false schema: type: boolean responses: '200': content: application/json: schema: type: object properties: deleted: type: boolean description: Successful response summary: Delete the Entity Engine tags: - Security Entity Analytics API get: operationId: GetEntityEngine parameters: - description: The entity type of the engine (either 'user' or 'host'). in: path name: entityType required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' description: Successful response summary: Get an Entity Engine tags: - Security Entity Analytics API /api/entity_store/engines/{entityType}/init: post: operationId: InitEntityEngine parameters: - description: The entity type of the engine (either 'user' or 'host'). in: path name: entityType required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' requestBody: content: application/json: schema: type: object properties: delay: default: 1m description: The delay before the transform will run. pattern: '[smdh]$' type: string docsPerSecond: description: The number of documents per second to process. type: integer enrichPolicyExecutionInterval: $ref: '#/components/schemas/Security_Entity_Analytics_API_Interval' fieldHistoryLength: default: 10 description: The number of historical values to keep for each field. type: integer filter: type: string frequency: default: 1m description: The frequency at which the transform will run. pattern: '[smdh]$' type: string indexPattern: $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' lookbackPeriod: default: 24h description: The amount of time the transform looks back to calculate the aggregations. pattern: '[smdh]$' type: string timeout: default: 180s description: The timeout for initializing the aggregating transform. 
pattern: '[smdh]$' type: string timestampField: default: '@timestamp' description: The field to use as the timestamp for the entity type. type: string description: Schema for the engine initialization required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' description: Successful response '400': description: Invalid request summary: Initialize an Entity Engine tags: - Security Entity Analytics API /api/entity_store/engines/{entityType}/start: post: operationId: StartEntityEngine parameters: - description: The entity type of the engine in: path name: entityType required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: application/json: schema: type: object properties: started: type: boolean description: Successful response summary: Start an Entity Engine tags: - Security Entity Analytics API /api/entity_store/engines/{entityType}/stop: post: operationId: StopEntityEngine parameters: - description: The entity type of the engine (either 'user' or 'host'). 
in: path name: entityType required: true schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' responses: '200': content: application/json: schema: type: object properties: stopped: type: boolean description: Successful response summary: Stop an Entity Engine tags: - Security Entity Analytics API /api/entity_store/engines/apply_dataview_indices: post: operationId: ApplyEntityEngineDataviewIndices responses: '200': content: application/json: schema: type: object properties: result: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' type: array success: type: boolean description: Successful response '207': content: application/json: schema: type: object properties: errors: items: type: string type: array result: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult' type: array success: type: boolean description: Partial successful response '500': content: application/json: schema: type: object properties: body: type: string statusCode: type: number description: Error response summary: Apply DataView indices to all installed engines tags: - Security Entity Analytics API /api/entity_store/entities/list: get: description: List entity records, with paging, sorting and filtering as needed. operationId: ListEntities parameters: - in: query name: sort_field required: false schema: type: string - in: query name: sort_order required: false schema: enum: - asc - desc type: string - in: query name: page required: false schema: minimum: 1 type: integer - in: query name: per_page required: false schema: maximum: 10000 minimum: 1 type: integer - description: An ES query to filter by.
in: query name: filterQuery required: false schema: type: string - in: query name: entity_types required: true schema: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' type: array responses: '200': content: application/json: schema: type: object properties: inspect: $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery' page: minimum: 1 type: integer per_page: maximum: 1000 minimum: 1 type: integer records: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity' type: array total: minimum: 0 type: integer required: - records - page - per_page - total description: Entities returned successfully summary: List Entity Store Entities tags: - Security Entity Analytics API /api/entity_store/status: get: operationId: GetEntityStoreStatus parameters: - description: If true, returns a detailed status of the engine including all its components in: query name: include_components schema: type: boolean responses: '200': content: application/json: schema: type: object properties: engines: items: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor' - type: object properties: components: items: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus' type: array type: array status: $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus' required: - status - engines description: Successful response summary: Get the status of the Entity Store tags: - Security Entity Analytics API /api/exception_lists: delete: description: Delete an exception list using the `id` or `list_id` field. operationId: DeleteExceptionList parameters: - description: Exception list's identifier. Either `id` or `list_id` must be specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`.
Either `id` or `list_id` must be specified. examples: autogeneratedId: value: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 list_id: value: simple_list in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: detectionExceptionList: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list list_id: "foo" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Delete an exception list tags: - Security Exceptions API get: description: Get the details of an exception list using the `id` or `list_id` field. operationId: ReadExceptionList parameters: - description: Exception list's identifier. Either `id` or `list_id` must be specified. 
in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - description: Human readable exception list string identifier, e.g. `trusted-linux-processes`. Either `id` or `list_id` must be specified. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: detectionType: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list id: "foo" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get exception list details tags: - Security Exceptions API post: description: | An exception list groups exception items and can be associated with detection rules. You can assign exception lists to multiple detection rules. > info > All exception items added to the same list are evaluated using `OR` logic.
That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. operationId: CreateExceptionList requestBody: content: application/json: schema: example: description: This is a sample detection type exception list. list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware type: detection type: object properties: description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' default: [] type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' version: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' default: 1 required: - name - description - type description: Exception list's properties required: true responses: '200': content: application/json: examples: autogeneratedListId: value: _version: WzMsMV0= created_at: '2025-01-09T01:05:23.019Z' created_by: elastic description: This is a sample detection type exception with an autogenerated list_id. 
id: 28243c2f-624a-4443-823d-c0b894880931 immutable: false list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 name: Sample Detection Exception List namespace_type: single os_types: [] tags: - malware tie_breaker_id: ad94de31-39f7-4ad7-b8e4-988bfa95f338 type: detection updated_at: '2025-01-09T01:05:23.020Z' updated_by: elastic version: 1 namespaceAgnostic: value: _version: WzUsMV0= created_at: '2025-01-09T01:10:36.369Z' created_by: elastic description: This is a sample agnostic endpoint type exception. id: 1a744e77-22ca-4b6b-9085-54f55275ebe5 immutable: false list_id: b935eb55-7b21-4c1c-b235-faa1df23b3d6 name: Sample Agnostic Endpoint Exception List namespace_type: agnostic os_types: - linux tags: - malware tie_breaker_id: 49ea0adc-a2b8-4d83-a8f3-2fb98301dea3 type: endpoint updated_at: '2025-01-09T01:10:36.369Z' updated_by: elastic version: 1 typeDetection: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 typeEndpoint: value: _version: WzQsMV0= created_at: '2025-01-09T01:07:49.658Z' created_by: elastic description: This is a sample endpoint type exception list. 
id: a79f4730-6e32-4278-abfc-349c0add7d54 immutable: false list_id: endpoint_list name: Sample Endpoint Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 94a028af-8f47-427a-aca5-ffaf829e64ee type: endpoint updated_at: '2025-01-09T01:07:49.658Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'exception list id: "simple_list" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 
schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create an exception list tags: - Security Exceptions API put: description: Update an exception list using the `id` or `list_id` field. operationId: UpdateExceptionList requestBody: content: application/json: schema: example: description: Different description list_id: simple_list name: Updated exception list name os_types: - linux tags: - draft malware type: detection type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version. type: string description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' version: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' required: - name - description - type description: Exception list's properties required: true responses: '200': content: application/json: examples: simpleList: value: _version: WzExLDFd created_at: '2025-01-07T20:43:55.264Z' created_by: elastic description: Different description id: fa7f545f-191b-4d32-b1f0-c7cd62a79e55 immutable: false list_id: simple_list name: Updated exception list name namespace_type: single os_types: [] tags: - draft malware
tie_breaker_id: 319fe983-acdd-4806-b6c4-3098eae9392f type: detection updated_at: '2025-01-07T21:32:03.726Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PUT /api/exception_lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message": 'exception list id: "foo" does not exist' status_code": 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Update an exception list tags: - Security Exceptions API 
/api/exception_lists/_duplicate: post: description: Duplicate an existing exception list. operationId: DuplicateExceptionList parameters: - in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - description: Determines whether to include expired exceptions in the duplicated list. Expiration date defined by `expire_time`. in: query name: include_expired_exceptions required: true schema: default: 'true' enum: - 'true' - 'false' example: true type: string responses: '200': content: application/json: examples: detectionExceptionList: value: _version: WzExNDY1LDFd created_at: '2025-01-09T16:19:50.280Z' created_by: elastic description: This is a sample detection type exception id: b2f4a715-6ab1-444c-8b1e-3fa1b1049429 immutable: false list_id: d6390d60-bce3-4a48-9002-52db600f329c name: Sample Detection Exception List [Duplicate] namespace_type: single os_types: [] tags: - malware tie_breaker_id: 6fa670bd-666d-4c9c-9f1e-d1dbc516e985 type: detection updated_at: '2025-01-09T16:19:50.280Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''foo''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/_duplicate] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list id: "foo" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Exception list not found '405': content: application/json: schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list to duplicate not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Duplicate an exception list tags: - Security Exceptions API /api/exception_lists/_export: post: description: Export an exception list and its associated items to an NDJSON file. 
operationId: ExportExceptionList parameters: - in: query name: id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: true schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - description: Determines whether to include expired exceptions in the exported list. Expiration date defined by `expire_time`. example: true in: query name: include_expired_exceptions required: true schema: default: 'true' enum: - 'true' - 'false' type: string responses: '200': content: application/ndjson: examples: exportSavedObjectsResponse: value: | {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a 
tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} {"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0} schema: description: A `.ndjson` file containing specified exception list and its items format: binary type: string description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: list_id: Required, namespace_type: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list id: "foo" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: 
application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Export an exception list tags: - Security Exceptions API /api/exception_lists/_find: get: description: Get a list of all exception list containers. operationId: FindExceptionLists parameters: - description: | Filters the returned results according to the value of the specified field. Uses the `so type.field name:field` value syntax, where `so type` can be: - `exception-list`: Specify a space-aware exception list. - `exception-list-agnostic`: Specify an exception list that is shared across spaces. in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter' - description: | Determines whether the returned containers are associated with a Kibana space or available in all spaces (`agnostic` or `single`) examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: default: - single items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' type: array - description: The page number to return in: query name: page required: false schema: example: 1 minimum: 1 type: integer - description: The number of exception lists to return per page in: query name: per_page required: false schema: example: 20 minimum: 1 type: integer - description: Determines which field is used to sort the results. in: query name: sort_field required: false schema: example: name type: string - description: Determines the sort order, which can be `desc` or `asc`. 
in: query name: sort_order required: false schema: enum: - desc - asc example: desc type: string responses: '200': content: application/json: examples: simpleLists: value: data: - _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Detection Exception List namespace_type: single os_types: [] tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 page: 1 per_page: 20 total: 1 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' type: array page: minimum: 1 type: integer per_page: minimum: 1 type: integer total: minimum: 0 type: integer required: - data - page - per_page - total description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. 
Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/_find?namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get exception lists tags: - Security Exceptions API /api/exception_lists/_import: post: description: Import an exception list and its associated items from an NDJSON file. operationId: ImportExceptionList parameters: - description: | Determines whether existing exception lists with the same `list_id` are overwritten. If any exception items have the same `item_id`, those are also overwritten. in: query name: overwrite required: false schema: default: false example: false type: boolean - description: | Determines whether the list being imported will have a new `list_id` generated. 
Additional `item_id`'s are generated for each exception item. Both the exception list and its items are overwritten. in: query name: as_new_list required: false schema: default: false example: false type: boolean requestBody: content: multipart/form-data: schema: type: object properties: file: description: A `.ndjson` file containing the exception list example: | {"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1} {"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"} format: binary type: string required: true responses: '200': content: application/json: examples: withErrors: value: errors: - error: message: 'Error found importing exception list: Invalid value \"4\" supplied to \"list_id\"' status_code: 400 list_id: (unknown list_id) - error: message: 'Found that item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" already exists. 
Import of item_id: \"f7fd00bb-dba8-4c93-9d59-6cbd427b6330\" skipped.' status_code: 409 item_id: f7fd00bb-dba8-4c93-9d59-6cbd427b6330 list_id: 7d7cccb8-db72-4667-b1f3-648efad7c1ee success: false success_count: 0 success_count_exception_list_items: 0 success_count_exception_lists: 0 success_exception_list_items: false success_exception_lists: false withoutErrors: value: errors: [] success: true success_count: 2 success_count_exception_list_items: 1 success_count_exception_lists: 1 success_exception_list_items: true success_exception_lists: true schema: type: object properties: errors: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray' success: type: boolean success_count: minimum: 0 type: integer success_count_exception_list_items: minimum: 0 type: integer success_count_exception_lists: minimum: 0 type: integer success_exception_list_items: type: boolean success_exception_lists: type: boolean required: - errors - success - success_count - success_exception_lists - success_count_exception_lists - success_exception_list_items - success_count_exception_list_items description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/_import] is 
unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Import an exception list tags: - Security Exceptions API /api/exception_lists/items: delete: description: Delete an exception list item using the `id` or `item_id` field. operationId: DeleteExceptionListItem parameters: - description: Exception item's identifier. Either `id` or `item_id` must be specified in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: simpleExceptionItem: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. 
entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: schema: example: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/exception_lists/items?item_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list item item_id: \"foo\" does not exist' status_code: 404 schema: 
$ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Delete an exception list item tags: - Security Exceptions API get: description: Get the details of an exception list item using the `id` or `item_id` field. operationId: ReadExceptionListItem parameters: - description: Exception list item's identifier. Either `id` or `item_id` must be specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - description: Human readable exception item string identifier, e.g. `trusted-linux-processes`. Either `id` or `item_id` must be specified. in: query name: item_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single responses: '200': content: application/json: examples: simpleListItem: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. 
entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/items?item_id=&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list item item_id: \"foo\" does not exist' status_code: 404 
schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get an exception list item tags: - Security Exceptions API post: description: | Create an exception item and associate it with the specified exception list. > info > Before creating exception items, you must create an exception list. operationId: CreateExceptionListItem requestBody: content: application/json: schema: example: description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - saturn - jupiter item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware type: simple type: object properties: comments: $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' item_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: 
'#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' default: [] type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - list_id - type - name - description - entries description: Exception list item's properties required: true responses: '200': content: application/json: examples: autogeneratedItemId: value: _version: WzYsMV0= comments: [] created_at: '2025-01-09T01:16:23.322Z' created_by: elastic description: This is a sample exception that has no item_id so it is autogenerated. entries: - field: actingProcess.file.signer operator: excluded type: exists id: 323faa75-c657-4fa0-9084-8827612c207b item_id: 80e6edf7-4b13-4414-858f-2fa74aa52b37 list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 name: Sample Autogenerated Exception List Item ID namespace_type: single os_types: [] tags: - malware tie_breaker_id: d6799986-3a23-4213-bc6d-ed9463a32f23 type: simple updated_at: '2025-01-09T01:16:23.322Z' updated_by: elastic detectionExceptionListItem: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: excluded type: exists id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withExistEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. 
entries: - field: actingProcess.file.signer operator: excluded type: exists id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withMatchAnyEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: host.name operator: included type: match_any value: - saturn - jupiter id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withMatchEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. entries: - field: actingProcess.file.signer operator: included type: match value: Elastic N.V. id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withNestedEntry: value: _version: WzQsMV0= comments: [] created_at: '2025-01-07T20:07:33.119Z' created_by: elastic description: This is a sample detection type exception item. 
entries: - entries: - field: signer operator: included type: match value: Evil - field: trusted operator: included type: match value: true field: file.signature type: nested id: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 09434836-9db9-4942-a234-5a9268e0b34c type: simple updated_at: '2025-01-07T20:07:33.119Z' updated_by: elastic withValueListEntry: value: _version: WzcsMV0= comments: [] created_at: '2025-01-09T01:31:12.614Z' created_by: elastic description: Don't signal when agent.name is rock01 and source.ip is in the goodguys.txt list entries: - field: source.ip list: id: goodguys.txt type: ip operator: excluded type: list id: deb26876-297d-4677-8a1f-35467d2f1c4f item_id: 686b129e-9b8d-4c59-8d8d-c93a9ea82c71 list_id: 8c1aae4c-1ef5-4bce-a2e3-16584b501783 name: Filter out good guys ip and agent.name rock01 namespace_type: single os_types: [] tags: - malware tie_breaker_id: 5e0288ce-6657-4c18-9dcc-00ec9e8cc6c8 type: simple updated_at: '2025-01-09T01:31:12.614Z' updated_by: elastic schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'exception list item id: \"simple_list_item\" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create an exception list item tags: - Security Exceptions API put: description: Update an exception list item using the `id` or `item_id` field. operationId: UpdateExceptionListItem requestBody: content: application/json: example: comments: [] description: Updated description entries: - field: host.name operator: included type: match value: rock01 item_id: simple_list_item name: Updated name namespace_type: single tags: [] type: simple schema: type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version. 
type: string comments: $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' description: Either `id` or `item_id` must be specified item_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' description: Either `id` or `item_id` must be specified list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - type - name - description - entries description: Exception list item's properties required: true responses: '200': content: application/json: examples: simpleListItem: value: _version: WzEyLDFd comments: [] created_at: '2025-01-07T21:12:25.512Z' created_by: elastic description: Updated description entries: - field: host.name operator: included type: match value: rock01 id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da item_id: simple_list_item list_id: simple_list name: Updated name namespace_type: single os_types: [] tags: [] tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 type: simple updated_at: '2025-01-07T21:34:50.233Z' updated_by: elastic schema: $ref: 
'#/components/schemas/Security_Exceptions_API_ExceptionListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: item_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list item item_id: \"foo\" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Update an exception list item tags: - Security Exceptions API /api/exception_lists/items/_find: get: description: Get a list of all exception list items in the specified list. 
operationId: FindExceptionListItems parameters: - description: The `list_id`s of the items to fetch. in: query name: list_id required: true schema: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' type: array - description: | Filters the returned results according to the value of the specified field, using the `<field name>:<field value>` syntax. examples: singleFilter: value: - exception-list.attributes.name:%My%20item in: query name: filter required: false schema: default: [] items: $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter' type: array - description: | Determines whether the returned containers are associated with a Kibana space or available in all spaces (`agnostic` or `single`) examples: single: value: - single in: query name: namespace_type required: false schema: default: - single items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' type: array - in: query name: search required: false schema: example: host.name type: string - description: The page number to return in: query name: page required: false schema: example: 1 minimum: 0 type: integer - description: The number of exception list items to return per page in: query name: per_page required: false schema: example: 20 minimum: 0 type: integer - description: Determines which field is used to sort the results. example: name in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - description: Determines the sort order, which can be `desc` or `asc`. in: query name: sort_order required: false schema: enum: - desc - asc example: desc type: string responses: '200': content: application/json: examples: simpleListItems: value: data: - _version: WzgsMV0= comments: [] created_at: '2025-01-07T21:12:25.512Z' created_by: elastic description: This is a sample exception item. 
entries: - field: actingProcess.file.signer operator: excluded type: exists - field: host.name operator: included type: match_any value: - jupiter - saturn id: 459c5e7e-f8b2-4f0b-b136-c1fc702f72da item_id: simple_list_item list_id: simple_list name: Sample Exception List Item namespace_type: single os_types: - linux tags: - malware tie_breaker_id: ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0 type: simple updated_at: '2025-01-07T21:12:25.512Z' updated_by: elastic page: 1 per_page: 20 total: 1 schema: type: object properties: data: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' type: array page: minimum: 1 type: integer per_page: minimum: 1 type: integer pit: type: string total: minimum: 0 type: integer required: - data - page - per_page - total description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/items/_find?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list list_id: "foo" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get exception list items tags: - Security Exceptions API /api/exception_lists/summary: get: description: Get a summary of the specified exception list. operationId: ReadExceptionListSummary parameters: - description: Exception list's identifier generated upon creation. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - description: Exception list's human readable identifier. 
in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - examples: agnostic: value: agnostic single: value: single in: query name: namespace_type required: false schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single - description: Search filter clause in: query name: filter required: false schema: example: exception-list-agnostic.attributes.tags:"policy:policy-1" OR exception-list-agnostic.attributes.tags:"policy:all" type: string responses: '200': content: application/json: examples: summary: value: linux: 0 macos: 0 total: 0 windows: 0 schema: type: object properties: linux: minimum: 0 type: integer macos: minimum: 0 type: integer total: minimum: 0 type: integer windows: minimum: 0 type: integer description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: namespace_type.0: Invalid enum value. Expected ''agnostic'' | ''single'', received ''blob''' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges 
[lists-summary] statusCode: 403 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'exception list id: "foo" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Get an exception list summary tags: - Security Exceptions API /api/exceptions/shared: post: description: | An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules. > info > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item. operationId: CreateSharedExceptionList requestBody: content: application/json: schema: example: description: This is a sample detection type exception list. 
list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware type: object properties: description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' required: - name - description required: true responses: '200': content: application/json: examples: sharedList: value: _version: WzIsMV0= created_at: '2025-01-07T19:34:27.942Z' created_by: elastic description: This is a sample detection type exception list. id: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 immutable: false list_id: simple_list name: Sample Detection Exception List namespace_type: single os_types: - linux tags: - malware tie_breaker_id: 78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3 type: detection updated_at: '2025-01-07T19:34:27.942Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: list_id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: message: Unable to create exception-list status_code: 403 schema: $ref: 
'#/components/schemas/Security_Exceptions_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'exception list id: "simple_list" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Exception list already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' description: Internal server error response summary: Create a shared exception list tags: - Security Exceptions API /api/lists: delete: description: | Delete a value list using the list ID. > info > When you delete a list, all of its list items are also deleted. operationId: DeleteList parameters: - in: query name: id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: Determines whether exception items referencing this value list should be deleted. in: query name: deleteReferences required: false schema: default: false example: false type: boolean - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized. in: query name: ignoreReferences required: false schema: default: false example: false type: boolean responses: '200': content: application/json: examples: ipList: value: _version: WzIsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: List of bad internet ips. 
id: 21b01cfb-058d-44b9-838c-282be16c91cd immutable: false name: Bad ips tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:39:39.292Z' updated_by: elastic version: 3 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: id: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"ip_list\" was not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Delete a value list tags: - Security Lists API get: description: Get the 
details of a value list using the list ID. operationId: ReadList parameters: - in: query name: id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: application/json: examples: ip: value: _version: WzEsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ip id: ip_list immutable: false name: My bad ips tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:21:53.843Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: id: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]" statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"foo\" not found' status_code: 404 schema: $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value list details tags: - Security Lists API patch: description: Update specific fields of an existing list using the list `id`. operationId: PatchList requestBody: content: application/json: schema: example: id: ip_list name: Bad ips list - UPDATED type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' version: $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - id description: Value list's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzEsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ips id: ip_list immutable: false name: Bad ips list - UPDATED tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:21:53.843Z' updated_by: elastic version: 2 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: name: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: 
application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PATCH /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Patch a value list tags: - Security Lists API post: description: Create a new value list. 
operationId: CreateList requestBody: content: application/json: examples: ip: value: description: This list describes bad internet ips id: ip_list name: Simple list with ips type: ip ip_range: value: description: This list has ip ranges id: ip_range_list name: Simple list with ip ranges type: ip_range keyword: value: description: This list describes bad host names id: keyword_list name: Simple list with a keyword type: keyword keyword_custom_format: value: description: This parses the first found ipv4 only deserializer: '{{value}}' id: keyword_custom_format_list name: Simple list with a keyword using a custom format serializer: (?<value>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)) type: keyword schema: type: object properties: description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' deserializer: $ref: '#/components/schemas/Security_Lists_API_ListDeserializer' id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' serializer: $ref: '#/components/schemas/Security_Lists_API_ListSerializer' type: $ref: '#/components/schemas/Security_Lists_API_ListType' version: default: 1 minimum: 1 type: integer required: - name - description - type description: Value list's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzAsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ips id: ip_list immutable: false name: Simple list with ips tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T04:47:34.273Z' updated_by: elastic version: 1 ip_range: value: _version: WzAsMV0= '@timestamp': '2025-01-09T18:23:52.241Z' created_at: '2025-01-09T18:23:52.241Z' created_by: elastic description: This list has ip ranges id: 
ip_range_list immutable: false name: Simple list with ip ranges tie_breaker_id: 74aebdaf-601f-4940-b351-155728ff7003 type: ip_range updated_at: '2025-01-09T18:23:52.241Z' updated_by: elastic version: 1 keyword: value: _version: WzEsMV0= '@timestamp': '2025-01-09T18:24:55.786Z' created_at: '2025-01-09T18:24:55.786Z' created_by: elastic description: This list describes bad host names id: keyword_list immutable: false name: Simple list with a keyword tie_breaker_id: f7e7dbaa-daf7-4c9a-a3dc-56643923ef68 type: keyword updated_at: '2025-01-09T18:24:55.786Z' updated_by: elastic version: 1 keyword_custom_format: value: _version: WzIsMV0= '@timestamp': '2025-01-09T18:25:39.604Z' created_at: '2025-01-09T18:25:39.604Z' created_by: elastic description: This parses the first found ipv4 only deserializer: '{{value}}' id: keyword_custom_format_list immutable: false name: Simple list with a keyword using a custom format serializer: (?<value>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)) tie_breaker_id: 8247ae63-b780-47b8-9a89-948b643e9ec2 type: keyword updated_at: '2025-01-09T18:25:39.604Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: notFound: value: message: To create a list, the data stream must exist first. 
Data stream \".lists-default\" does not exist status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'list id: "keyword_custom_format_list" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Create a value list tags: - Security Lists API put: description: | Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted. > info > You cannot modify the `id` value. 
operationId: UpdateList requestBody: content: application/json: schema: example: description: Latest list of bad ips id: ip_list name: Bad ips - updated type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' version: $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - id - name - description description: Value list's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzIsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: Latest list of bad ips id: ip_list immutable: false name: Bad ips - updated tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T05:39:39.292Z' updated_by: elastic version: 3 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response 
'403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PUT /api/lists] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Update a value list tags: - Security Lists API /api/lists/_find: get: description: Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page. operationId: FindLists parameters: - description: The page number to return. in: query name: page required: false schema: example: 1 type: integer - description: The number of value lists to return per page. in: query name: per_page required: false schema: example: 20 type: integer - description: Determines which field is used to sort the results. in: query name: sort_field required: false schema: example: name format: nonempty minLength: 1 type: string - description: Determines the sort order, which can be `desc` or `asc` in: query name: sort_order required: false schema: enum: - desc - asc example: asc type: string - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly. 
in: query name: cursor required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - description: | Filters the returned results according to the value of the specified field, using the <field name>:<field value> syntax. in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' responses: '200': content: application/json: examples: ipList: value: cursor: WzIwLFsiZjU1MDgxODgtYjFlOS00ZTZlLTk2NjItZDAzOWE3ZDg5ODk5Il1d data: - _version: WzAsMV0= '@timestamp': | 2025-01-08T04:47:34.273Z created_at: | 2025-01-08T04:47:34.273Z created_by: elastic description: This list describes bad internet ip id: ip_list immutable: false name: Simple list with an ip tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: | 2025-01-08T04:47:34.273Z updated_by: elastic version: 1 page: 1 per_page: 20 total: 1 schema: type: object properties: cursor: $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' data: items: $ref: '#/components/schemas/Security_Lists_API_List' type: array page: minimum: 0 type: integer per_page: minimum: 0 type: integer total: minimum: 0 type: integer required: - data - page - per_page - total - cursor description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: page: Expected number, received nan' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/_find?page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value lists tags: - Security Lists API /api/lists/index: delete: description: Delete the `.lists` and `.items` data streams. operationId: DeleteListIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' 
description: List data stream not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Delete value list data streams tags: - Security Lists API get: description: Verify that `.lists` and `.items` data streams exist. operationId: ReadListIndex responses: '200': content: application/json: schema: type: object properties: list_index: type: boolean list_item_index: type: boolean required: - list_index - list_item_index description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream(s) not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get status of value list data streams tags: - Security Lists API post: description: Create 
`.lists` and `.items` data streams in the relevant space. operationId: CreateListIndex responses: '200': content: application/json: schema: type: object properties: acknowledged: type: boolean required: - acknowledged description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: | [security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate] statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: examples: alreadyExists: value: message: 'data stream: \".lists-default\" and \".items-default\" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List data stream exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Create list data streams tags: - Security Lists API /api/lists/items: delete: description: Delete a value list item using its `id`, or its `list_id` and `value` fields. operationId: DeleteListItem parameters: - description: Value list item's identifier. Required if `list_id` and `value` are not specified. 
in: query name: id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListItemId' - description: Value list's identifier. Required if `id` is not specified. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: The value used to evaluate exceptions. Required if `id` is not specified. in: query name: value required: false schema: example: 255.255.255.255 type: string - description: Determines when changes made by the request are made visible to search. in: query name: refresh required: false schema: default: 'false' enum: - 'true' - 'false' - wait_for example: false type: string responses: '200': content: application/json: examples: ip: value: _version: WzIwLDFd '@timestamp': '2025-01-08T05:15:05.159Z' created_at: '2025-01-08T05:15:05.159Z' created_by: elastic id: pd1WRJQBs4HAK3VQeHFI list_id: ip_list tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 type: ip updated_at: '2025-01-08T05:44:14.009Z' updated_by: elastic value: 255.255.255.255 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - items: $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array description: Successful response '400': content: application/json: examples: badRequest: value: message: Either \"list_id\" or \"id\" needs to be defined in the request status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' 
description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [DELETE /api/lists/items?id=pd1WRJQBs4HAK3VQeHFI] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item with id: \"pd1WRJQBs4HAK3VQeHFI\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Delete a value list item tags: - Security Lists API get: description: Get the details of a value list item. operationId: ReadListItem parameters: - description: Value list item identifier. Required if `list_id` and `value` are not specified. in: query name: id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: Value list item list's `id` identifier. Required if `id` is not specified. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: The value used to evaluate exceptions. Required if `id` is not specified. 
in: query name: value required: false schema: example: 127.0.0.2 type: string responses: '200': content: application/json: examples: ip: value: _version: WzExLDFd '@timestamp': '2025-01-08T05:16:25.882Z' created_at: '2025-01-08T05:16:25.882Z' created_by: elastic id: qN1XRJQBs4HAK3VQs3Gc list_id: ip_list tie_breaker_id: a9a34c02-a385-436e-86a0-02a3942f3537 type: ip updated_at: '2025-01-08T05:16:25.882Z' updated_by: elastic value: 127.0.0.2 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - items: $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array description: Successful response '400': content: application/json: examples: badRequest: value: message: Either \"list_id\" or \"id\" needs to be defined in the request status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item id: \"foo\" not found' status_code: 404 schema: $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get a value list item tags: - Security Lists API patch: description: Update specific fields of an existing value list item using the item `id`. operationId: PatchListItem requestBody: content: application/json: schema: example: id: pd1WRJQBs4HAK3VQeHFI value: 255.255.255.255 type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' refresh: description: Determines when changes made by the request are made visible to search. enum: - 'true' - 'false' - wait_for type: string value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id description: Value list item's properties required: true responses: '200': content: application/json: examples: ipItem: value: _version: WzE5LDFd '@timestamp': '2025-01-08T05:15:05.159Z' created_at: '2025-01-08T05:15:05.159Z' created_by: elastic id: pd1WRJQBs4HAK3VQeHFI list_id: ip_list tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 type: ip updated_at: '2025-01-08T05:23:37.602Z' updated_by: elastic value: 255.255.255.255 schema: $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: badRequest: value: message: 
'{"took":15,"timed_out":false,"total":1,"updated":0,"deleted":0,"batches":1,"version_conflicts":0,"noops":0,"retries":{"bulk":0,"search":0},"throttled_millis":0,"requests_per_second":-1,"throttled_until_millis":0,"failures":[{"index":".ds-.items-default-2025.01.09-000001","id":"ip_item","cause":{"type":"document_parsing_exception","reason":"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2","caused_by":{"type":"illegal_argument_exception","reason":"2 is not an IP string literal."}},"status":400}]}' status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: 
'#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Patch a value list item tags: - Security Lists API post: description: | Create a value list item and associate it with the specified value list. All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address. > info > Before creating a list item, you must create a list. operationId: CreateListItem requestBody: content: application/json: examples: ip: value: list_id: ip_list value: 127.0.0.1 ip_range: value: list_id: ip_range_list value: 192.168.0.0/16 keyword: value: list_id: keyword_list value: zeek schema: type: object properties: id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' list_id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' refresh: description: Determines when changes made by the request are made visible to search. 
enum: - 'true' - 'false' - wait_for example: wait_for type: string value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - list_id - value description: Value list item's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzAsMV0= '@timestamp': '2025-01-08T04:59:06.154Z' created_at: '2025-01-08T04:59:06.154Z' created_by: elastic id: 21b01cfb-058d-44b9-838c-282be16c91cc list_id: ip_list tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a type: ip updated_at: '2025-01-08T04:59:06.154Z' updated_by: elastic value: 127.0.0.1 ip_range: value: _version: WzEsMV0= '@timestamp': '2025-01-09T18:33:08.202Z' created_at: '2025-01-09T18:33:08.202Z' created_by: elastic id: ip_range_item list_id: ip_range_list tie_breaker_id: ea1b4189-efda-4637-b8f9-74655a5ebb61 type: ip_range updated_at: '2025-01-09T18:33:08.202Z' updated_by: elastic value: 192.168.0.0/16 keyword: value: _version: WzIsMV0= '@timestamp': '2025-01-09T18:34:29.422Z' created_at: '2025-01-09T18:34:29.422Z' created_by: elastic id: 7f24737d-1da8-4626-a568-33070591bb4e list_id: keyword_list tie_breaker_id: 2108ced2-5e5d-401e-a88e-4dd69fc5fa27 type: keyword updated_at: '2025-01-09T18:34:29.422Z' updated_by: elastic value: zeek schema: $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: uri [/api/lists/items] with method [post] exists but is not available with the current configuration statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request 
[/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: listNotFound: value: message: 'list id: \"ip_list\" does not exist' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: List not found response '409': content: application/json: examples: alreadyExists: value: message: 'list item id: \"ip_item\" already exists' status_code: 409 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item already exists response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Create a value list item tags: - Security Lists API put: description: | Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted. > info > You cannot modify the `id` value. 
operationId: UpdateListItem requestBody: content: application/json: example: id: ip_item value: 255.255.255.255 schema: type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id - value description: Value list item's properties required: true responses: '200': content: application/json: examples: ip: value: _version: WzIwLDFd '@timestamp': '2025-01-08T05:15:05.159Z' created_at: '2025-01-08T05:15:05.159Z' created_by: elastic id: pd1WRJQBs4HAK3VQeHFI list_id: ip_list tie_breaker_id: eee41dc7-1666-4876-982f-8b0f7b59eca3 type: ip updated_at: '2025-01-08T05:44:14.009Z' updated_by: elastic value: 255.255.255.255 schema: $ref: '#/components/schemas/Security_Lists_API_ListItem' description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request body]: id: Expected string, received number' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] 
statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: examples: notFound: value: message: 'list item id: \"foo\" not found' status_code: 404 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List item not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Update a value list item tags: - Security Lists API /api/lists/items/_export: post: description: Export list item values from the specified value list. operationId: ExportListItems parameters: - description: Value list's `id` to export. in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' responses: '200': content: application/ndjson: schema: description: A `.txt` file containing list items from the specified list example: | 127.0.0.1 127.0.0.2 127.0.0.3 127.0.0.4 127.0.0.5 127.0.0.6 127.0.0.7 127.0.0.8 127.0.0.9 format: binary type: string description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: list_id: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '404': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List not found response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Export value list items tags: - Security Lists API /api/lists/items/_find: get: description: Get all value list items in the specified list. operationId: FindListItems parameters: - in: query name: list_id required: true schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: The page number to return. in: query name: page required: false schema: example: 1 type: integer - description: The number of list items to return per page. in: query name: per_page required: false schema: example: 20 type: integer - description: Determines which field is used to sort the results. in: query name: sort_field required: false schema: example: value format: nonempty minLength: 1 type: string - description: Determines the sort order, which can be `desc` or `asc` in: query name: sort_order required: false schema: enum: - desc - asc example: asc type: string - in: query name: cursor required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - description: | Filters the returned results according to the value of the specified field, using the <field name>:<field value> syntax. 
in: query name: filter required: false schema: $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' responses: '200': content: application/json: examples: ip: value: cursor: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d data: - _version: WzAsMV0= '@timestamp': '2025-01-08T04:59:06.154Z' created_at: '2025-01-08T04:59:06.154Z' created_by: elastic id: 21b01cfb-058d-44b9-838c-282be16c91cc list_id: ip_list tie_breaker_id: b57c762c-3036-465c-9bfb-7bfb5e6e515a type: ip updated_at: '2025-01-08T04:59:06.154Z' updated_by: elastic value: 127.0.0.1 page: 1 per_page: 20 total: 1 schema: type: object properties: cursor: $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' data: items: $ref: '#/components/schemas/Security_Lists_API_ListItem' type: array page: minimum: 0 type: integer per_page: minimum: 0 type: integer total: minimum: 0 type: integer required: - data - page - per_page - total - cursor description: Successful response '400': content: application/json: examples: badRequest: value: error: Bad Request message: '[request query]: list_id: Required' statusCode: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the 
Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value list items tags: - Security Lists API /api/lists/items/_import: post: description: | Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes. You can import items to a new or existing list. operationId: ImportListItems parameters: - description: | List's id. Required when importing to an existing list. in: query name: list_id required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListId' - description: | Type of the importing list. Required when importing a new list whose list `id` is not specified. examples: ip: value: ip in: query name: type required: false schema: $ref: '#/components/schemas/Security_Lists_API_ListType' - description: | Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups: - `(?<value>.+)` - Single value item types, such as `ip`, `long`, `date`, `keyword`, and `text`. - `(?<gte>.+)-(?<lte>.+)|(?<value>.+)` - Range value item types, such as `date_range`, `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`. in: query name: serializer required: false schema: example: (?<value>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)) type: string - description: | Determines how retrieved list item values are presented. By default, list items are presented using these Handlebars expressions: - `{{{value}}}` - Single value item types, such as `ip`, `long`, `date`, `keyword`, and `text`. 
- `{{{gte}}}-{{{lte}}}` - Range value item types, such as `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`. - `{{{gte}}},{{{lte}}}` - Date range values. in: query name: deserializer required: false schema: example: '{{value}}' type: string - description: Determines when changes made by the request are made visible to search. in: query name: refresh required: false schema: enum: - 'true' - 'false' - wait_for example: true type: string requestBody: content: multipart/form-data: schema: type: object properties: file: description: A `.txt` or `.csv` file containing newline separated list items. example: | 127.0.0.1 127.0.0.2 127.0.0.3 127.0.0.4 127.0.0.5 127.0.0.6 127.0.0.7 127.0.0.8 127.0.0.9 format: binary type: string required: true responses: '200': content: application/json: examples: ip: value: _version: WzAsMV0= '@timestamp': '2025-01-08T04:47:34.273Z' created_at: '2025-01-08T04:47:34.273Z' created_by: elastic description: This list describes bad internet ip id: ip_list immutable: false name: Simple list with an ip tie_breaker_id: f5508188-b1e9-4e6e-9662-d039a7d89899 type: ip updated_at: '2025-01-08T04:47:34.273Z' updated_by: elastic version: 1 schema: $ref: '#/components/schemas/Security_Lists_API_List' description: Successful response '400': content: application/json: examples: badRequest: value: message: Either type or list_id need to be defined in the query status_code: 400 schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: 
'#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '409': content: application/json: schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: List with specified list_id does not exist response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Import value list items tags: - Security Lists API /api/lists/privileges: get: operationId: ReadListPrivileges responses: '200': content: application/json: examples: privileges: value: is_authenticated: true listItems: application: {} cluster: all: true manage: true manage_api_key: true manage_index_templates: true manage_ml: true manage_own_api_key: true manage_pipeline: true manage_security: true manage_transform: true monitor: true monitor_ml: true monitor_transform: true has_all_requested: true index: .items-default: all: true create: true create_doc: true create_index: true delete: true delete_index: true index: true maintenance: true manage: true monitor: true read: true view_index_metadata: true write: true username: elastic lists: application: {} cluster: all: true manage: true manage_api_key: true manage_index_templates: true manage_ml: true manage_own_api_key: true manage_pipeline: true manage_security: true manage_transform: true monitor: true monitor_ml: true monitor_transform: true has_all_requested: true index: .lists-default: all: true create: true create_doc: true 
create_index: true delete: true delete_index: true index: true maintenance: true manage: true monitor: true read: true view_index_metadata: true write: true username: elastic schema: type: object properties: is_authenticated: type: boolean listItems: $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' lists: $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' required: - lists - listItems - is_authenticated description: Successful response '400': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Invalid input data response '401': content: application/json: examples: unauthorized: value: error: Unauthorized message: '[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]' statusCode: 401 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Unsuccessful authentication response '403': content: application/json: examples: forbidden: value: error: Forbidden message: API [GET /api/lists/privileges] is unauthorized for user, this action is granted by the Kibana privileges [lists-read] statusCode: 403 schema: $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' description: Not enough privileges response '500': content: application/json: examples: serverError: value: message: Internal Server Error status_code: 500 schema: $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' description: Internal server error response summary: Get value list privileges tags: - Security Lists API /api/logstash/pipeline/{id}: delete: description: | Delete a centrally-managed Logstash pipeline. 
If your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. externalDocs: description: Secure your connection url: https://www.elastic.co/guide/en/logstash/current/ls-security.html operationId: delete-logstash-pipeline parameters: - description: An identifier for the pipeline. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call summary: Delete a Logstash pipeline tags: - logstash x-state: Technical Preview get: description: | Get information for a centrally-managed Logstash pipeline. To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. externalDocs: description: Secure your connection url: https://www.elastic.co/guide/en/logstash/current/ls-security.html operationId: get-logstash-pipeline parameters: - description: An identifier for the pipeline. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getLogstashPipelineResponseExample1: value: |- { "id": "hello-world", "description": "Just a simple pipeline", "username": "elastic", "pipeline": "input { stdin {} } output { stdout {} }", "settings": { "queue.type": "persistent" } } schema: type: object description: Indicates a successful call summary: Get a Logstash pipeline tags: - logstash x-state: Technical Preview put: description: | Create a centrally-managed Logstash pipeline or update a pipeline. To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role. externalDocs: description: Secure your connection url: https://www.elastic.co/guide/en/logstash/current/ls-security.html operationId: put-logstash-pipeline parameters: - description: | An identifier for the pipeline. Only alphanumeric characters, hyphens, and underscores are supported. 
in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putLogstashPipelineRequestExample1: value: |- { "pipeline": "input { stdin {} } output { stdout {} }", "settings": { "queue.type": "persisted" } } schema: type: object properties: description: description: A description of the pipeline. type: string pipeline: description: A definition for the pipeline. type: string settings: description: | Supported settings, represented as object keys, include the following: - `pipeline.workers` - `pipeline.batch.size` - `pipeline.batch.delay` - `pipeline.ecs_compatibility` - `pipeline.ordered` - `queue.type` - `queue.max_bytes` - `queue.checkpoint.writes` type: object required: - pipeline responses: '204': description: Indicates a successful call summary: Create or update a Logstash pipeline tags: - logstash x-state: Technical Preview /api/logstash/pipelines: get: description: | Get a list of all centrally-managed Logstash pipelines. To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role. > info > Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana. The `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated. 
externalDocs: description: Secure your connection url: https://www.elastic.co/guide/en/logstash/current/ls-security.html operationId: get-logstash-pipelines responses: '200': content: application/json: examples: getLogstashPipelinesResponseExample1: value: |- { "pipelines": [ { "id": "hello-world", "description": "Just a simple pipeline", "last_modified": "2018-04-14T12:23:29.772Z", "username": "elastic" }, { "id": "sleepy-pipeline", "description": "", "last_modified": "2018-03-24T03:41:30.554Z" } ] } schema: type: object description: Indicates a successful call summary: Get all Logstash pipelines tags: - logstash x-state: Technical Preview /api/ml/saved_objects/sync: get: description: | Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter. operationId: mlSync parameters: - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' responses: '200': content: application/json: examples: syncExample: $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' schema: $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' description: Indicates a successful call '401': content: application/json: schema: $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' description: Authorization information is missing or invalid. summary: Sync saved objects in the default space tags: - ml /api/note: delete: description: Delete a note from a Timeline using the note ID. operationId: DeleteNote requestBody: content: application/json: schema: oneOf: - nullable: true type: object properties: noteId: type: string required: - noteId - nullable: true type: object properties: noteIds: items: type: string nullable: true type: array required: - noteIds description: The ID of the note to delete. 
required: true responses: '200': content: application/json: schema: type: object properties: data: type: object description: Indicates the note was successfully deleted. summary: Delete a note tags: - Security Timeline API get: description: Get all notes for a given document. operationId: GetNotes parameters: - in: query name: documentIds schema: $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - in: query name: savedObjectIds schema: $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - in: query name: page schema: nullable: true type: string - in: query name: perPage schema: nullable: true type: string - in: query name: search schema: nullable: true type: string - in: query name: sortField schema: nullable: true type: string - in: query name: sortOrder schema: nullable: true type: string - in: query name: filter schema: nullable: true type: string - in: query name: createdByFilter schema: nullable: true type: string - in: query name: associatedFilter schema: $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' responses: '200': content: application/json: schema: oneOf: - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - type: object description: Indicates the requested notes were returned. summary: Get notes tags: - Security Timeline API patch: description: Add a note to a Timeline or update an existing note. operationId: PersistNoteRoute requestBody: content: application/json: schema: type: object properties: note: $ref: '#/components/schemas/Security_Timeline_API_BareNote' description: The note to add or update. noteId: description: The `savedObjectId` of the note example: 709f99c6-89b6-4953-9160-35945c8e174e nullable: true type: string version: description: The version of the note example: WzQ2LDFd nullable: true type: string required: - note description: The note to add or update, along with additional metadata. 
required: true responses: '200': content: application/json: schema: type: object properties: data: type: object properties: persistNote: $ref: '#/components/schemas/Security_Timeline_API_ResponseNote' required: - persistNote required: - data description: Indicates the note was successfully created. summary: Add or update a note tags: - Security Timeline API /api/osquery/live_queries: get: description: Get a list of all live queries. operationId: OsqueryFindLiveQueries parameters: - in: query name: kuery required: false schema: $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse' description: OK summary: Get live queries tags: - Security Osquery API post: description: Create and run a live query. operationId: OsqueryCreateLiveQuery requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse' description: OK summary: Create a live query tags: - Security Osquery API /api/osquery/live_queries/{id}: get: description: Get the details of a live query using the query ID. operationId: OsqueryGetLiveQueryDetails parameters: - in: path name: id required: true schema: description: The ID of the live query result you want to retrieve. 
example: 3c42c847-eb30-4452-80e0-728584042334 type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse' description: OK summary: Get live query details tags: - Security Osquery API /api/osquery/live_queries/{id}/results/{actionId}: get: description: Get the results of a live query using the query action ID. operationId: OsqueryGetLiveQueryResults parameters: - in: path name: id required: true schema: description: The ID of the live query result you want to retrieve. example: 3c42c847-eb30-4452-80e0-728584042334 type: string - in: path name: actionId required: true schema: description: The ID of the query action that generated the live query results. example: 609c4c66-ba3d-43fa-afdd-53e244577aa0 type: string - in: query name: kuery required: false schema: $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse' description: OK summary: Get live query results tags: - Security Osquery API /api/osquery/packs: get: description: Get a list of all query packs. 
operationId: OsqueryFindPacks parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse' description: OK summary: Get packs tags: - Security Osquery API post: description: Create a query pack. operationId: OsqueryCreatePacks requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse' description: OK summary: Create a pack tags: - Security Osquery API /api/osquery/packs/{id}: delete: description: Delete a query pack using the pack ID. operationId: OsqueryDeletePacks parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: schema: example: {} type: object properties: {} description: OK summary: Delete a pack tags: - Security Osquery API get: description: Get the details of a query pack using the pack ID. operationId: OsqueryGetPacksDetails parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_PackId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse' description: OK summary: Get pack details tags: - Security Osquery API put: description: | Update a query pack using the pack ID. > info > You cannot update a prebuilt pack. 
operationId: OsqueryUpdatePacks parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_PackId' requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse' description: OK summary: Update a pack tags: - Security Osquery API /api/osquery/saved_queries: get: description: Get a list of all saved queries. operationId: OsqueryFindSavedQueries parameters: - in: query name: page required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - in: query name: pageSize required: false schema: $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - in: query name: sort required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - in: query name: sortOrder required: false schema: $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse' description: OK summary: Get saved queries tags: - Security Osquery API post: description: Create and run a saved query. operationId: OsqueryCreateSavedQuery requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse' description: OK summary: Create a saved query tags: - Security Osquery API /api/osquery/saved_queries/{id}: delete: description: Delete a saved query using the query ID. 
operationId: OsqueryDeleteSavedQuery parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse' description: OK summary: Delete a saved query tags: - Security Osquery API get: description: Get the details of a saved query using the query ID. operationId: OsqueryGetSavedQueryDetails parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse' description: OK summary: Get saved query details tags: - Security Osquery API put: description: | Update a saved query using the query ID. > info > You cannot update a prebuilt saved query. operationId: OsqueryUpdateSavedQuery parameters: - in: path name: id required: true schema: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse' description: OK summary: Update a saved query tags: - Security Osquery API /api/pinned_event: patch: description: Pin/unpin an event to/from an existing Timeline. operationId: PersistPinnedEventRoute requestBody: content: application/json: schema: type: object properties: eventId: description: The `_id` of the associated event for this pinned event. example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc type: string pinnedEventId: description: The `savedObjectId` of the pinned event you want to unpin. 
example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 nullable: true type: string timelineId: description: The `savedObjectId` of the timeline that you want this pinned event unpinned from. example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: - eventId - timelineId description: The pinned event to add or unpin, along with additional metadata. required: true responses: '200': content: application/json: schema: type: object properties: data: type: object properties: persistPinnedEventOnTimeline: $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse' required: - persistPinnedEventOnTimeline required: - data description: Indicates the event was successfully pinned to or unpinned from the Timeline. summary: Pin/unpin an event tags: - Security Timeline API /api/risk_score/engine/dangerously_delete_data: delete: description: Cleaning up the Risk Engine by removing the indices, mapping and transforms operationId: CleanUpRiskEngine responses: '200': content: application/json: schema: type: object properties: cleanup_successful: type: boolean description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' description: Task manager is unavailable default: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse' description: Unexpected error summary: Cleanup the Risk Engine tags: - Security Entity Analytics API /api/risk_score/engine/saved_object/configure: patch: description: Configuring the Risk Engine Saved Object operationId: ConfigureRiskEngineSavedObject requestBody: content: application/json: schema: type: object properties: exclude_alert_statuses: items: type: string type: array exclude_alert_tags: items: type: string type: array range: type: object properties: end: type: string start: type: string required: true responses: '200': content: application/json: schema: 
type: object properties: risk_engine_saved_object_configured: type: boolean description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' description: Task manager is unavailable default: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse' description: Unexpected error summary: Configure the Risk Engine Saved Object tags: - Security Entity Analytics API /api/risk_score/engine/schedule_now: post: description: Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality. operationId: ScheduleRiskEngineNow requestBody: content: application/json: {} responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse' description: Successful response '400': content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse' description: Task manager is unavailable default: content: application/json: schema: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse' description: Unexpected error summary: Run the risk scoring engine tags: - Security Entity Analytics API /api/saved_objects/_bulk_create: post: deprecated: true operationId: bulkCreateSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - description: When true, overwrites the document with the same identifier. in: query name: overwrite schema: type: boolean requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. 
'400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Create saved objects tags: - saved objects /api/saved_objects/_bulk_delete: post: deprecated: true description: | WARNING: When you delete a saved object, it cannot be recovered. operationId: bulkDeleteSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - description: | When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation. in: query name: force schema: type: boolean requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: | Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. 
'400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Delete saved objects tags: - saved objects /api/saved_objects/_bulk_get: post: deprecated: true operationId: bulkGetSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Get saved objects tags: - saved objects /api/saved_objects/_bulk_resolve: post: deprecated: true description: | Retrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID. operationId: bulkResolveSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: | Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. 
'400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Resolve saved objects tags: - saved objects /api/saved_objects/_bulk_update: post: deprecated: true description: Update the attributes for multiple Kibana saved objects. operationId: bulkUpdateSavedObjects parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: schema: items: type: object type: array required: true responses: '200': content: application/json: schema: type: object description: | Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Update saved objects tags: - saved objects /api/saved_objects/_export: post: description: | Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported. operationId: exportSavedObjectsDefault parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' requestBody: content: application/json: examples: exportSavedObjectsRequest: $ref: '#/components/examples/Saved_objects_export_objects_request' schema: type: object properties: excludeExportDetails: default: false description: Do not add export details entry at the end of the stream. type: boolean includeReferencesDeep: description: Includes all of the referenced objects in the exported objects. type: boolean objects: description: A list of objects to export. 
items: type: object type: array type: description: The saved object types to include in the export. Use `*` to export all the types. oneOf: - type: string - items: type: string type: array required: true responses: '200': content: application/x-ndjson: examples: exportSavedObjectsResponse: $ref: '#/components/examples/Saved_objects_export_objects_response' schema: additionalProperties: true type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. summary: Export saved objects tags: - saved objects /api/saved_objects/_find: get: deprecated: true description: Retrieve a paginated set of Kibana saved objects. operationId: findSavedObjects parameters: - description: | An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the `savedObjectType.attributes.title: "myTitle"` format must be used. For root fields, the syntax is `savedObjectType.rootField`. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data. in: query name: aggs schema: type: string - description: The default operator to use for the `simple_query_string`. in: query name: default_search_operator schema: type: string - description: The fields to return in the attributes key of the response. in: query name: fields schema: oneOf: - type: string - type: array - description: | The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: `savedObjectType.attributes.title: "myTitle"`. However, if you use a root attribute of a saved object such as `updated_at`, you will have to define your filter like that: `savedObjectType.updated_at > 2018-12-22`. 
in: query name: filter schema: type: string - description: Filters to objects that do not have a relationship with the type and identifier combination. in: query name: has_no_reference schema: type: object - description: The operator to use for the `has_no_reference` parameter. Either `OR` or `AND`. Defaults to `OR`. in: query name: has_no_reference_operator schema: type: string - description: Filters to objects that have a relationship with the type and ID combination. in: query name: has_reference schema: type: object - description: The operator to use for the `has_reference` parameter. Either `OR` or `AND`. Defaults to `OR`. in: query name: has_reference_operator schema: type: string - description: The page of objects to return. in: query name: page schema: type: integer - description: The number of objects to return per page. in: query name: per_page schema: type: integer - description: An Elasticsearch `simple_query_string` query that filters the objects in the response. in: query name: search schema: type: string - description: The fields to perform the `simple_query_string` parsed query against. in: query name: search_fields schema: oneOf: - type: string - type: array - description: | Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed. in: query name: sort_field schema: type: string - description: The saved object types to include. in: query name: type required: true schema: oneOf: - type: string - type: array responses: '200': content: application/json: schema: type: object description: Indicates a successful call. 
'400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request summary: Search for saved objects tags: - saved objects /api/saved_objects/_import: post: description: | Create sets of Kibana saved objects from a file created by the export API. Saved objects can be imported only into the same version, a newer minor on the same major, or the next major. Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana. operationId: importSavedObjectsDefault parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - description: | Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options. in: query name: createNewCopies required: false schema: type: boolean - description: | Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option. in: query name: overwrite required: false schema: type: boolean - description: | Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option. in: query name: compatibilityMode required: false schema: type: boolean requestBody: content: multipart/form-data: examples: importObjectsRequest: $ref: '#/components/examples/Saved_objects_import_objects_request' schema: type: object properties: file: description: | A file exported using the export API. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. 
Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported. required: true responses: '200': content: application/json: examples: importObjectsResponse: $ref: '#/components/examples/Saved_objects_import_objects_response' schema: type: object properties: errors: description: | Indicates the import was unsuccessful and specifies the objects that failed to import. NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error. items: type: object type: array success: description: | Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. type: boolean successCount: description: Indicates the number of successfully imported records. type: integer successResults: description: | Indicates the objects that are successfully imported, with any metadata if applicable. NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute. items: type: object type: array description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. 
summary: Import saved objects tags: - saved objects x-codeSamples: - label: Import with createNewCopies lang: cURL source: | curl -X POST "api/saved_objects/_import?createNewCopies=true" -H "kbn-xsrf: true" --form file=@file.ndjson /api/saved_objects/_resolve_import_errors: post: description: | To resolve errors from the Import objects API, you can: * Retry certain saved objects * Overwrite specific saved objects * Change references to different saved objects operationId: resolveImportErrors parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - description: | Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the `createNewCopies` option. in: query name: compatibilityMode required: false schema: type: boolean - description: | Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors. in: query name: createNewCopies required: false schema: type: boolean requestBody: content: multipart/form-data: examples: resolveImportErrorsRequest: $ref: '#/components/examples/Saved_objects_resolve_missing_reference_request' schema: type: object properties: file: description: The same file given to the import API. format: binary type: string retries: description: The retry operations, which can specify how to resolve different types of errors. items: type: object properties: destinationId: description: Specifies the destination ID that the imported object should have, if different from the current ID. type: string id: description: The saved object ID. type: string ignoreMissingReferences: description: When set to `true`, ignores missing reference errors. When set to `false`, does nothing.
type: boolean overwrite: description: When set to `true`, the source object overwrites the conflicting destination object. When set to `false`, does nothing. type: boolean replaceReferences: description: A list of `type`, `from`, and `to` used to change the object references. items: type: object properties: from: type: string to: type: string type: type: string type: array type: description: The saved object type. type: string required: - type - id type: array required: - retries required: true responses: '200': content: application/json: examples: resolveImportErrorsResponse: $ref: '#/components/examples/Saved_objects_resolve_missing_reference_response' schema: type: object properties: errors: description: | Specifies the objects that failed to resolve. NOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and a `conflict` error. items: type: object type: array success: description: | Indicates a successful import. When set to `false`, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties. type: boolean successCount: description: | Indicates the number of successfully resolved records. type: number successResults: description: | Indicates the objects that are successfully imported, with any metadata if applicable. NOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references. items: type: object type: array description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. summary: Resolve import errors tags: - saved objects /api/saved_objects/{type}: post: deprecated: true description: Create a Kibana saved object with a randomly generated identifier. 
operationId: createSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_type' - description: If true, overwrites the document with the same identifier. in: query name: overwrite schema: type: boolean requestBody: content: application/json: schema: type: object properties: attributes: $ref: '#/components/schemas/Saved_objects_attributes' initialNamespaces: $ref: '#/components/schemas/Saved_objects_initial_namespaces' references: $ref: '#/components/schemas/Saved_objects_references' required: - attributes required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '409': content: application/json: schema: type: object description: Indicates a conflict error. summary: Create a saved object tags: - saved objects /api/saved_objects/{type}/{id}: get: deprecated: true description: Retrieve a single Kibana saved object by identifier. operationId: getSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. summary: Get a saved object tags: - saved objects post: deprecated: true description: Create a Kibana saved object and specify its identifier instead of using a randomly generated ID. operationId: createSavedObjectId parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' - description: If true, overwrites the document with the same identifier. 
in: query name: overwrite schema: type: boolean requestBody: content: application/json: schema: type: object properties: attributes: $ref: '#/components/schemas/Saved_objects_attributes' initialNamespaces: $ref: '#/components/schemas/Saved_objects_initial_namespaces' references: $ref: '#/components/schemas/Saved_objects_references' required: - attributes required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '409': content: application/json: schema: type: object description: Indicates a conflict error. summary: Create a saved object tags: - saved objects put: deprecated: true description: Update the attributes for Kibana saved objects. operationId: updateSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' requestBody: content: application/json: schema: type: object required: true responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '404': content: application/json: schema: type: object description: Indicates the object was not found. '409': content: application/json: schema: type: object description: Indicates a conflict error. summary: Update a saved object tags: - saved objects /api/saved_objects/resolve/{type}/{id}: get: deprecated: true description: | Retrieve a single Kibana saved object by identifier using any legacy URL alias if it exists. Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved using either its new ID or its old ID.
operationId: resolveSavedObject parameters: - $ref: '#/components/parameters/Saved_objects_saved_object_id' - $ref: '#/components/parameters/Saved_objects_saved_object_type' responses: '200': content: application/json: schema: type: object description: Indicates a successful call. '400': content: application/json: schema: $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request. summary: Resolve a saved object tags: - saved objects /api/security_ai_assistant/anonymization_fields/_bulk_action: post: description: Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs. operationId: PerformAnonymizationFieldsBulkAction requestBody: content: application/json: schema: type: object properties: create: items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps' type: array delete: type: object properties: ids: description: Array of anonymization fields IDs items: type: string minItems: 1 type: array query: description: Query to filter anonymization fields type: string update: items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps' type: array responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse' description: Indicates a successful call. '400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Apply a bulk action to anonymization fields tags: - Security AI Assistant API /api/security_ai_assistant/anonymization_fields/_find: get: description: Get a list of all anonymization fields. 
operationId: FindAnonymizationFields parameters: - in: query name: fields required: false schema: items: type: string type: array - description: Search query in: query name: filter required: false schema: type: string - description: Field to sort by in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField' - description: Sort order in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - description: Page number in: query name: page required: false schema: default: 1 minimum: 1 type: integer - description: AnonymizationFields per page in: query name: per_page required: false schema: default: 20 minimum: 0 type: integer responses: '200': content: application/json: schema: type: object properties: data: items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array page: type: integer perPage: type: integer total: type: integer required: - page - perPage - total - data description: Successful response '400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Get anonymization fields tags: - Security AI Assistant API /api/security_ai_assistant/chat/complete: post: description: Create a model response for the given chat conversation. operationId: ChatComplete requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' required: true responses: '200': content: application/octet-stream: schema: format: binary type: string description: Indicates a successful call. 
'400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Create a model response tags: - Security AI Assistant API /api/security_ai_assistant/current_user/conversations: post: description: Create a new Security AI Assistant conversation. operationId: CreateConversation requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. '400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Create a conversation tags: - Security AI Assistant API /api/security_ai_assistant/current_user/conversations/_find: get: description: Get a list of all conversations for the current user. 
operationId: FindConversations parameters: - in: query name: fields required: false schema: items: type: string type: array - description: Search query in: query name: filter required: false schema: type: string - description: Field to sort by in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField' - description: Sort order in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - description: Page number in: query name: page required: false schema: default: 1 minimum: 1 type: integer - description: Conversations per page in: query name: per_page required: false schema: default: 20 minimum: 0 type: integer responses: '200': content: application/json: schema: type: object properties: data: items: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' type: array page: type: integer perPage: type: integer total: type: integer required: - page - perPage - total - data description: Successful response '400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Get conversations tags: - Security AI Assistant API /api/security_ai_assistant/current_user/conversations/{id}: delete: description: Delete an existing conversation using the conversation ID. operationId: DeleteConversation parameters: - description: The conversation's `id` value. in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. 
'400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Delete a conversation tags: - Security AI Assistant API get: description: Get the details of an existing conversation using the conversation ID. operationId: ReadConversation parameters: - description: The conversation's `id` value. in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. '400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Get a conversation tags: - Security AI Assistant API put: description: Update an existing conversation using the conversation ID. operationId: UpdateConversation parameters: - description: The conversation's `id` value. in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse' description: Indicates a successful call. '400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Update a conversation tags: - Security AI Assistant API /api/security_ai_assistant/knowledge_base/{resource}: get: description: Read a single KB operationId: ReadKnowledgeBase parameters: - description: The KnowledgeBase `resource` value. 
in: path name: resource schema: type: string responses: '200': content: application/json: schema: type: object properties: elser_exists: type: boolean is_setup_available: type: boolean is_setup_in_progress: type: boolean product_documentation_status: type: string security_labs_exists: type: boolean user_data_exists: type: boolean description: Indicates a successful call. '400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Read a KnowledgeBase tags: - Security AI Assistant API post: description: Create a KnowledgeBase operationId: CreateKnowledgeBase parameters: - description: The KnowledgeBase `resource` value. in: path name: resource schema: type: string - description: Optional ELSER modelId to use when setting up the Knowledge Base in: query name: modelId required: false schema: type: string - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base in: query name: ignoreSecurityLabs required: false schema: default: false type: boolean responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse' description: Indicates a successful call. 
'400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Create a KnowledgeBase tags: - Security AI Assistant API /api/security_ai_assistant/knowledge_base/entries: post: description: Create a Knowledge Base Entry operationId: CreateKnowledgeBaseEntry requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' description: Successful request returning Knowledge Base Entries '400': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: Generic Error summary: Create a Knowledge Base Entry tags: - Security AI Assistant API /api/security_ai_assistant/knowledge_base/entries/_bulk_action: post: description: The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs operationId: PerformKnowledgeBaseEntryBulkAction requestBody: content: application/json: schema: type: object properties: create: items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps' type: array delete: type: object properties: ids: description: Array of Knowledge base Entry IDs items: type: string minItems: 1 type: array query: description: Query to filter Knowledge Base Entries type: string update: items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps' type: array responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse' description: Successful bulk operation request '400': content: application/json: schema: $ref: 
'#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: Generic Error summary: Applies a bulk action to multiple Knowledge Base Entries tags: - Security AI Assistant API /api/security_ai_assistant/knowledge_base/entries/_find: get: description: Finds Knowledge Base Entries that match the given query. operationId: FindKnowledgeBaseEntries parameters: - in: query name: fields required: false schema: items: type: string type: array - description: Search query in: query name: filter required: false schema: type: string - description: Field to sort by in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField' - description: Sort order in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - description: Page number in: query name: page required: false schema: default: 1 minimum: 1 type: integer - description: Knowledge Base Entries per page in: query name: per_page required: false schema: default: 20 minimum: 0 type: integer responses: '200': content: application/json: schema: type: object properties: data: items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array page: type: integer perPage: type: integer total: type: integer required: - page - perPage - total - data description: Successful response '400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Finds Knowledge Base Entries that match the given query. 
tags: - Security AI Assistant API /api/security_ai_assistant/knowledge_base/entries/{id}: delete: description: Deletes a single Knowledge Base Entry using the `id` field operationId: DeleteKnowledgeBaseEntry parameters: - description: The Knowledge Base Entry's `id` value in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields' description: Successful request returning the deleted Knowledge Base Entry's ID '400': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: Generic Error summary: Deletes a single Knowledge Base Entry using the `id` field tags: - Security AI Assistant API get: description: Read a Knowledge Base Entry operationId: ReadKnowledgeBaseEntry parameters: - description: The Knowledge Base Entry's `id` value. in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' description: Successful request returning a Knowledge Base Entry '400': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: Generic Error summary: Read a Knowledge Base Entry tags: - Security AI Assistant API put: description: Update a Knowledge Base Entry operationId: UpdateKnowledgeBaseEntry parameters: - description: The Knowledge Base Entry's `id` value in: path name: id required: true schema: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' requestBody: content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps' required: true responses: '200': content: application/json: 
schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' description: Successful request returning the updated Knowledge Base Entry '400': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema' description: Generic Error summary: Update a Knowledge Base Entry tags: - Security AI Assistant API /api/security_ai_assistant/prompts/_bulk_action: post: description: Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. operationId: PerformPromptsBulkAction requestBody: content: application/json: schema: type: object properties: create: items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps' type: array delete: type: object properties: ids: description: Array of prompt IDs items: type: string minItems: 1 type: array query: description: Query to filter prompts type: string update: items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps' type: array responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse' description: Indicates a successful call. '400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Apply a bulk action to prompts tags: - Security AI Assistant API /api/security_ai_assistant/prompts/_find: get: description: Get a list of all prompts.
operationId: FindPrompts parameters: - in: query name: fields required: false schema: items: type: string type: array - description: Search query in: query name: filter required: false schema: type: string - description: Field to sort by in: query name: sort_field required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField' - description: Sort order in: query name: sort_order required: false schema: $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - description: Page number in: query name: page required: false schema: default: 1 minimum: 1 type: integer - description: Prompts per page in: query name: per_page required: false schema: default: 20 minimum: 0 type: integer responses: '200': content: application/json: schema: type: object properties: data: items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array page: type: integer perPage: type: integer total: type: integer required: - page - perPage - total - data description: Successful response '400': content: application/json: schema: type: object properties: error: type: string message: type: string statusCode: type: number description: Generic Error summary: Get prompts tags: - Security AI Assistant API /api/security/role: get: operationId: get-security-role parameters: - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query name: replaceDeprecatedPrivileges required: false schema: type: boolean responses: '200': description: Indicates a successful call. 
content: application/json: examples: getRolesResponse1: $ref: '#/components/examples/get_roles_response1' summary: Get all roles tags: - roles /api/security/role/_query: post: operationId: post-security-role-query parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: filters: additionalProperties: false type: object properties: showReservedRoles: type: boolean from: type: number query: type: string size: type: number sort: additionalProperties: false type: object properties: direction: enum: - asc - desc type: string field: type: string required: - field - direction responses: '200': description: Indicates a successful call. summary: Query roles tags: [] /api/security/role/{name}: delete: operationId: delete-security-role-name parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - in: path name: name required: true schema: minLength: 1 type: string responses: '204': description: Indicates a successful call. summary: Delete a role tags: - roles get: operationId: get-security-role-name parameters: - description: The role name. in: path name: name required: true schema: minLength: 1 type: string - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges. in: query name: replaceDeprecatedPrivileges required: false schema: type: boolean responses: '200': description: Indicates a successful call. content: application/json: examples: getRoleResponse1: $ref: '#/components/examples/get_role_response1' summary: Get a role tags: - roles put: description: Create a new Kibana role or update the attributes of an existing role. 
Kibana roles are stored in the Elasticsearch native realm. operationId: put-security-role-name parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The role name. in: path name: name required: true schema: maxLength: 1024 minLength: 1 type: string - description: When true, a role is not overwritten if it already exists. in: query name: createOnly required: false schema: default: false type: boolean requestBody: content: application/json: schema: additionalProperties: false type: object properties: description: description: A description for the role. maxLength: 2048 type: string elasticsearch: additionalProperties: false type: object properties: cluster: items: description: Cluster privileges that define the cluster level actions that users can perform. type: string type: array indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. type: boolean field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string type: array type: object names: items: description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). 
type: string minItems: 1 type: array privileges: items: description: The index level privileges that the role members have for the data streams and indices. type: string minItems: 1 type: array query: description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. type: string required: - names - privileges type: array remote_cluster: items: additionalProperties: false type: object properties: clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string minItems: 1 type: array privileges: items: description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. type: string minItems: 1 type: array required: - privileges - clusters type: array remote_indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too. type: boolean clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. 
type: string minItems: 1 type: array field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string type: array type: object names: items: description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). type: string minItems: 1 type: array privileges: items: description: The index level privileges that role members have for the specified indices. type: string minItems: 1 type: array query: description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' type: string required: - clusters - names - privileges type: array run_as: items: description: A user name that the role member can impersonate. type: string type: array kibana: items: additionalProperties: false type: object properties: base: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - items: description: A base privilege that applies to all spaces. type: string type: array - items: description: A base privilege that applies to specific spaces. type: string type: array feature: additionalProperties: items: description: The privileges that the role member has for the feature. type: string type: array type: object spaces: anyOf: - items: enum: - '*' type: string maxItems: 1 minItems: 1 type: array - items: description: A space that the privilege applies to.
type: string type: array default: - '*' required: - base type: array metadata: additionalProperties: {} type: object required: - elasticsearch examples: createRoleRequest1: $ref: '#/components/examples/create_role_request1' createRoleRequest2: $ref: '#/components/examples/create_role_request2' createRoleRequest3: $ref: '#/components/examples/create_role_request3' createRoleRequest4: $ref: '#/components/examples/create_role_request4' responses: '204': description: Indicates a successful call. summary: Create or update a role tags: - roles /api/security/roles: post: operationId: post-security-roles parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: roles: additionalProperties: additionalProperties: false type: object properties: description: description: A description for the role. maxLength: 2048 type: string elasticsearch: additionalProperties: false type: object properties: cluster: items: description: Cluster privileges that define the cluster level actions that users can perform. type: string type: array indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too. 
type: boolean field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string type: array type: object names: items: description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*). type: string minItems: 1 type: array privileges: items: description: The index level privileges that the role members have for the data streams and indices. type: string minItems: 1 type: array query: description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. type: string required: - names - privileges type: array remote_cluster: items: additionalProperties: false type: object properties: clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string minItems: 1 type: array privileges: items: description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges. type: string minItems: 1 type: array required: - privileges - clusters type: array remote_indices: items: additionalProperties: false type: object properties: allow_restricted_indices: description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. 
In that case, the names field will cover the restricted indices too. type: boolean clusters: items: description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions. type: string minItems: 1 type: array field_security: additionalProperties: items: description: The document fields that the role members have read access to. type: string type: array type: object names: items: description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*). type: string minItems: 1 type: array privileges: items: description: The index level privileges that role members have for the specified indices. type: string minItems: 1 type: array query: description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ' type: string required: - clusters - names - privileges type: array run_as: items: description: A user name that the role member can impersonate. type: string type: array kibana: items: additionalProperties: false type: object properties: base: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - items: description: A base privilege that applies to all spaces. type: string type: array - items: description: A base privilege that applies to specific spaces. type: string type: array feature: additionalProperties: items: description: The privileges that the role member has for the feature. type: string type: array type: object spaces: anyOf: - items: enum: - '*' type: string maxItems: 1 minItems: 1 type: array - items: description: A space that the privilege applies to.
type: string type: array default: - '*' required: - base type: array metadata: additionalProperties: {} type: object required: - elasticsearch type: object required: - roles responses: '200': description: Indicates a successful call. summary: Create or update roles tags: - roles /api/security/session/_invalidate: post: description: | Invalidate user sessions that match a query. To use this API, you must be a superuser. operationId: post-security-session-invalidate parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: examples: invalidateRequestExample1: description: Run `POST api/security/session/_invalidate` to invalidate all existing sessions. summary: Invalidate all sessions value: |- { "match" : "all" } invalidateRequestExample2: description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any SAML authentication provider. summary: Invalidate all SAML sessions value: |- { "match" : "query", "query": { "provider" : { "type": "saml" } } } invalidateRequestExample3: description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by the SAML authentication provider named `saml1`. summary: Invalidate sessions for a provider value: |- { "match" : "query", "query": { "provider" : { "type": "saml", "name": "saml1" } } } invalidateRequestExample4: description: Run `POST api/security/session/_invalidate` to invalidate sessions that were created by any OpenID Connect authentication provider for the user with the username `user@my-oidc-sso.com`. summary: Invalidate sessions for a user value: |- { "match" : "query", "query": { "provider" : { "type": "oidc" }, "username": "user@my-oidc-sso.com" } } schema: type: object properties: match: description: | The method Kibana uses to determine which sessions to invalidate. 
If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated. enum: - all - query type: string query: description: | The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`. type: object properties: provider: description: The authentication providers that will have their user sessions invalidated. type: object properties: name: description: The authentication provider name. type: string type: description: | The authentication provider type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`. type: string required: - type username: description: The username that will have its sessions invalidated. type: string required: - provider required: - match responses: '200': content: application/json: schema: type: object properties: total: description: The number of sessions that were successfully invalidated. type: integer description: Indicates a successful call '403': description: Indicates that the user may not be authorized to invalidate sessions for other users. summary: Invalidate user sessions tags: - user session x-state: Technical Preview /api/short_url: post: description: | Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share. Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page. operationId: post-url requestBody: content: application/json: schema: type: object properties: humanReadableSlug: description: | When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true. type: boolean locatorId: description: The identifier for the locator. type: string params: description: | An object which contains all necessary parameters for the given locator to resolve to a Kibana location.
> warn > When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed. type: object slug: description: | A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and `-._` characters. The slug must be at least 3 characters long, but no longer than 255 characters. type: string required: - locatorId - params required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. summary: Create a short URL tags: - short url x-state: Technical Preview /api/short_url/_slug/{slug}: get: description: | Resolve a Kibana short URL by its slug. operationId: resolve-url parameters: - description: The slug of the short URL. in: path name: slug required: true schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. summary: Resolve a short URL tags: - short url x-state: Technical Preview /api/short_url/{id}: delete: description: | Delete a Kibana short URL. operationId: delete-url parameters: - $ref: '#/components/parameters/Short_URL_APIs_idParam' responses: '200': description: Indicates a successful call. summary: Delete a short URL tags: - short url x-state: Technical Preview get: description: | Get a single Kibana short URL. operationId: get-url parameters: - $ref: '#/components/parameters/Short_URL_APIs_idParam' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Short_URL_APIs_urlResponse' description: Indicates a successful call. 
summary: Get a short URL tags: - short url x-state: Technical Preview /api/spaces/_copy_saved_objects: post: description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.<br/><br/>[Required authorization] Route required privileges: ALL of [copySavedObjectsToSpaces].' operationId: post-spaces-copy-saved-objects parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: compatibilityMode: default: false description: Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option. type: boolean createNewCopies: default: true description: Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided. This option cannot be used with the `overwrite` and `compatibilityMode` options. type: boolean includeReferences: default: false description: When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces. type: boolean objects: items: additionalProperties: false type: object properties: id: description: The identifier of the saved object to copy. type: string type: description: The type of the saved object to copy. 
type: string required: - type - id type: array overwrite: default: false description: When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. This option cannot be used with the `createNewCopies` option. type: boolean spaces: items: description: The identifiers of the spaces where you want to copy the specified objects. type: string type: array required: - spaces - objects examples: copySavedObjectsRequestExample1: $ref: '#/components/examples/copy_saved_objects_request1' copySavedObjectsRequestExample2: $ref: '#/components/examples/copy_saved_objects_request2' responses: '200': content: application/json: examples: copySavedObjectsResponseExample1: $ref: '#/components/examples/copy_saved_objects_response1' copySavedObjectsResponseExample2: $ref: '#/components/examples/copy_saved_objects_response2' copySavedObjectsResponseExample3: $ref: '#/components/examples/copy_saved_objects_response3' copySavedObjectsResponseExample4: $ref: '#/components/examples/copy_saved_objects_response4' summary: Copy saved objects between spaces tags: - spaces /api/spaces/_disable_legacy_url_aliases: post: operationId: post-spaces-disable-legacy-url-aliases parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: aliases: items: additionalProperties: false type: object properties: sourceId: description: The alias source object identifier. This is the legacy object identifier. type: string targetSpace: description: The space where the alias target object exists. type: string targetType: description: 'The type of alias target object. 
' type: string required: - targetSpace - targetType - sourceId type: array required: - aliases examples: disableLegacyURLRequestExample1: $ref: '#/components/examples/disable_legacy_url_request1' responses: {} summary: Disable legacy URL aliases tags: - spaces /api/spaces/_get_shareable_references: post: description: Collect references and space contexts for saved objects. operationId: post-spaces-get-shareable-references parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: objects: items: additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id type: array required: - objects responses: {} summary: Get shareable references tags: - spaces /api/spaces/_resolve_copy_saved_objects_errors: post: description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.<br/><br/>[Required authorization] Route required privileges: ALL of [copySavedObjectsToSpaces].' operationId: post-spaces-resolve-copy-saved-objects-errors parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: compatibilityMode: default: false type: boolean createNewCopies: default: true type: boolean includeReferences: default: false type: boolean objects: items: additionalProperties: false type: object properties: id: type: string type: type: string required: - type - id type: array retries: additionalProperties: items: additionalProperties: false type: object properties: createNewCopy: description: Creates new copies of the saved objects, regenerates each object ID, and resets the origin. 
type: boolean destinationId: description: Specifies the destination identifier that the copied object should have, if different from the current identifier. type: string id: description: The saved object identifier. type: string ignoreMissingReferences: description: When set to true, any missing references errors are ignored. type: boolean overwrite: default: false description: When set to true, the saved object from the source space overwrites the conflicting object in the destination space. type: boolean type: description: The saved object type. type: string required: - type - id type: array type: object required: - retries - objects examples: resolveCopySavedObjectsRequestExample1: $ref: '#/components/examples/resolve_copy_saved_objects_request1' resolveCopySavedObjectsRequestExample2: $ref: '#/components/examples/resolve_copy_saved_objects_request2' responses: '200': content: application/json: examples: resolveCopySavedObjectsResponseExample1: $ref: '#/components/examples/copy_saved_objects_response1' resolveCopySavedObjectsResponseExample2: $ref: '#/components/examples/copy_saved_objects_response2' summary: Resolve conflicts copying saved objects tags: [] /api/spaces/_update_objects_spaces: post: description: Update one or more saved objects to add or remove them from some spaces. operationId: post-spaces-update-objects-spaces parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: objects: items: additionalProperties: false type: object properties: id: description: The identifier of the saved object to update. type: string type: description: The type of the saved object to update. type: string required: - type - id type: array spacesToAdd: items: description: The identifiers of the spaces the saved objects should be added to or removed from. 
type: string type: array spacesToRemove: items: description: The identifiers of the spaces the saved objects should be added to or removed from. type: string type: array required: - objects - spacesToAdd - spacesToRemove examples: updateObjectSpacesRequestExample1: $ref: '#/components/examples/update_saved_objects_spaces_request1' responses: '200': content: application/json: examples: updateObjectSpacesResponseExample1: $ref: '#/components/examples/update_saved_objects_spaces_response1' summary: Update saved objects in spaces tags: - spaces /api/spaces/space: get: operationId: get-spaces-space parameters: - description: Specifies which authorization checks are applied to the API call. The default value is `any`. in: query name: purpose required: false schema: enum: - any - copySavedObjectsIntoSpace - shareSavedObjectsIntoSpace type: string - description: When enabled, the API returns any spaces that the user is authorized to access in any capacity and each space will contain the purposes for which the user is authorized. This can be useful to determine which spaces a user can read but not take a specific action in. If the security plugin is not enabled, this parameter has no effect, since no authorization checks take place. This parameter cannot be used with the `purpose` parameter. in: query name: include_authorized_purposes required: true schema: anyOf: - items: {} type: array - type: boolean - type: number - type: object - type: string nullable: true oneOf: - enum: - false type: boolean x-oas-optional: true - type: boolean x-oas-optional: true responses: '200': description: Indicates a successful call.
content: application/json: examples: getSpacesResponseExample1: $ref: '#/components/examples/get_spaces_response1' getSpacesResponseExample2: $ref: '#/components/examples/get_spaces_response2' summary: Get all spaces tags: - spaces post: operationId: post-spaces-space parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: _reserved: type: boolean color: description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. type: string description: description: A description for the space. type: string disabledFeatures: default: [] items: description: The list of features that are turned off in the space. type: string type: array id: description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation. type: string imageUrl: description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. type: string initials: description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. maxLength: 2 type: string name: description: 'The display name for the space.
' minLength: 1 type: string solution: enum: - security - oblt - es - classic type: string required: - id - name examples: createSpaceRequest: $ref: '#/components/examples/create_space_request' responses: '200': description: Indicates a successful call. summary: Create a space tags: - spaces /api/spaces/space/{id}: delete: description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone. operationId: delete-spaces-space-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The space identifier. in: path name: id required: true schema: type: string responses: '204': description: Indicates a successful call. '404': description: Indicates that the request failed. summary: Delete a space tags: - spaces get: operationId: get-spaces-space-id parameters: - description: The space identifier. in: path name: id required: true schema: type: string responses: '200': description: Indicates a successful call. content: application/json: examples: getSpaceResponseExample: $ref: '#/components/examples/get_space_response' summary: Get a space tags: - spaces put: operationId: put-spaces-space-id parameters: - description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string - description: The space identifier. You are unable to change the ID with the update operation. in: path name: id required: true schema: type: string requestBody: content: application/json: schema: additionalProperties: false type: object properties: _reserved: type: boolean color: description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name. type: string description: description: A description for the space. 
type: string disabledFeatures: default: [] items: description: The list of features that are turned off in the space. type: string type: array id: description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You cannot change the ID with the update operation. type: string imageUrl: description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images. type: string initials: description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name. maxLength: 2 type: string name: description: 'The display name for the space. ' minLength: 1 type: string solution: enum: - security - oblt - es - classic type: string required: - id - name examples: updateSpaceRequest: $ref: '#/components/examples/update_space_request' responses: '200': description: Indicates a successful call. summary: Update a space tags: - spaces /api/status: get: operationId: get-status parameters: - description: Set to "true" to get the response in v7 format. in: query name: v7format required: false schema: type: boolean - description: Set to "true" to get the response in v8 format. in: query name: v8format required: false schema: type: boolean responses: '200': content: application/json: schema: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' description: Kibana's operational status. A minimal response is sent for unauthorized users. description: Overall status is OK and Kibana should be functioning normally.
'503': content: application/json: schema: anyOf: - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse' description: Kibana's operational status. A minimal response is sent for unauthorized users. description: Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable. summary: Get Kibana's current status tags: - system /api/synthetics/monitors: get: description: | Get a list of monitors. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: get-synthetic-monitors parameters: - description: Additional filtering criteria. in: query name: filter schema: type: string - description: The locations to filter by. in: query name: locations schema: oneOf: - type: string - type: array - description: The monitor types to filter. in: query name: monitorTypes schema: oneOf: - enum: - browser - http - icmp - tcp type: string - type: array - description: The page number for paginated results. in: query name: page schema: type: integer - description: The number of items to return per page. in: query name: per_page schema: type: integer - description: The projects to filter by. in: query name: projects schema: oneOf: - type: string - type: array - description: A free-text query string. in: query name: query schema: type: string - description: The schedules to filter by. in: query name: schedules schema: oneOf: - type: array - type: string - description: The field to sort the results by. in: query name: sortField schema: enum: - name - createdAt - updatedAt - status type: string - description: The sort order. in: query name: sortOrder schema: enum: - asc - desc type: string - description: The status to filter by. in: query name: status schema: oneOf: - type: array - type: string - description: Tags to filter monitors. 
in: query name: tags schema: oneOf: - type: string - type: array responses: '200': content: application/json: examples: getSyntheticMonitorsResponseExample1: description: A successful response from `GET /api/synthetics/monitors?tags=prod&monitorTypes=http&locations=us-east-1&projects=project1&status=up`. value: |- { "page": 1, "total": 24, "monitors": [ { "type": "icmp", "enabled": false, "alert": { "status": { "enabled": true }, "tls": { "enabled": true } }, "schedule": { "number": "3", "unit": "m" }, "config_id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", "timeout": "16", "name": "8.8.8.8:80", "locations": [ { "id": "us_central", "label": "North America - US Central", "geo": { "lat": 41.25, "lon": -95.86 }, "isServiceManaged": true } ], "namespace": "default", "origin": "ui", "id": "e59142e5-1fe3-4aae-b0b0-19d6345e65a1", "max_attempts": 2, "wait": "7", "revision": 3, "mode": "all", "ipv4": true, "ipv6": true, "created_at": "2023-11-07T09:57:04.152Z", "updated_at": "2023-12-04T19:19:34.039Z", "host": "8.8.8.8:80" } ], "absoluteTotal": 24, "perPage": 10, } schema: type: object description: A successful response. summary: Get monitors tags: - synthetics post: description: | Create a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: post-synthetic-monitors requestBody: content: application/json: examples: postSyntheticMonitorsRequestExample1: description: Create an HTTP monitor to check a website's availability. summary: HTTP monitor value: |- { "type": "http", "name": "Website Availability", "url": "https://example.com", "tags": ["website", "availability"], "locations": ["united_kingdom"] } postSyntheticMonitorsRequestExample2: description: Create a TCP monitor to monitor a server's availability. 
summary: TCP monitor value: |- { "type": "tcp", "name": "Server Availability", "host": "example.com", "private_locations": ["my_private_location"] } postSyntheticMonitorsRequestExample3: description: Create an ICMP monitor to perform ping checks. summary: ICMP monitor value: |- { "type": "icmp", "name": "Ping Test", "host": "example.com", "locations": ["united_kingdom"] } postSyntheticMonitorsRequestExample4: description: Create a browser monitor to check a website. summary: Browser monitor value: |- { "type": "browser", "name": "Example journey", "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", "locations": ["united_kingdom"] } schema: description: | The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' required: true responses: '200': description: A successful response. summary: Create a monitor tags: - synthetics /api/synthetics/monitors/_bulk_delete: post: description: | Delete multiple monitors by sending a list of config IDs. operationId: delete-synthetic-monitors requestBody: content: application/json: examples: bulkDeleteRequestExample1: description: Run `POST /api/synthetics/monitors/_bulk_delete` to delete a list of monitors. value: |- { "ids": [ "monitor1-id", "monitor2-id" ] } schema: type: object properties: ids: description: An array of monitor IDs to delete. items: type: string type: array required: - ids required: true responses: '200': content: application/json: examples: deleteMonitorsResponseExample1: description: A response from successfully deleting multiple monitors. 
value: |- [ { "id": "monitor1-id", "deleted": true }, { "id": "monitor2-id", "deleted": true } ] schema: items: description: The API response includes information about the deleted monitors. type: object properties: deleted: description: | If it is `true`, the monitor was successfully deleted. If it is `false`, the monitor was not deleted. type: boolean ids: description: The unique identifier of the deleted monitor. type: string type: array summary: Delete monitors tags: - synthetics /api/synthetics/monitors/{id}: delete: description: | Delete a monitor from the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: delete-synthetic-monitor parameters: - description: The identifier for the monitor that you want to delete. in: path name: id required: true schema: type: string summary: Delete a monitor tags: - synthetics get: operationId: get-synthetic-monitor parameters: - description: The ID of the monitor. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getSyntheticMonitorResponseExample1: description: A successful response from `GET /api/synthetics/monitors/<id>`.
value: |- { "type": "http", "enabled": true, "alert": { "status": { "enabled": true }, "tls": { "enabled": true } }, "schedule": { "number": "3", "unit": "m" }, "config_id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", "timeout": "16", "name": "am i something", "locations": [ { "id": "us_central", "label": "North America - US Central", "geo": { "lat": 41.25, "lon": -95.86 }, "isServiceManaged": true } ], "namespace": "default", "origin": "ui", "id": "a8188705-d01e-4bb6-87a1-64fa5e4b07ec", "max_attempts": 2, "__ui": { "is_tls_enabled": false }, "max_redirects": "0", "response.include_body": "on_error", "response.include_headers": true, "check.request.method": "GET", "mode": "any", "response.include_body_max_bytes": "1024", "ipv4": true, "ipv6": true, "ssl.verification_mode": "full", "ssl.supported_protocols": [ "TLSv1.1", "TLSv1.2", "TLSv1.3" ], "revision": 13, "created_at": "2023-11-08T08:45:29.334Z", "updated_at": "2023-12-18T20:31:44.770Z", "url": "https://fast.com" } schema: type: object '404': description: If the monitor is not found, the API returns a 404 error. summary: Get a monitor tags: - synthetics put: description: | Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. You can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the `inline_script` field of an HTTP monitor. operationId: put-synthetic-monitor parameters: - description: The identifier for the monitor that you want to update. in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putSyntheticMonitorsRequestExample1: description: Update an HTTP monitor that checks a website's availability.
summary: HTTP monitor value: |- { "type": "http", "name": "Website Availability", "url": "https://example.com", "tags": ["website", "availability"], "locations": ["united_kingdom"] } putSyntheticMonitorsRequestExample2: description: Update a TCP monitor that monitors a server's availability. summary: TCP monitor value: |- { "type": "tcp", "name": "Server Availability", "host": "example.com", "private_locations": ["my_private_location"] } putSyntheticMonitorsRequestExample3: description: Update an ICMP monitor that performs ping checks. summary: ICMP monitor value: |- { "type": "icmp", "name": "Ping Test", "host": "example.com", "locations": ["united_kingdom"] } putSyntheticMonitorsRequestExample4: description: Update a browser monitor that checks a website. summary: Browser monitor value: |- { "type": "browser", "name": "Example journey", "inline_script": "step('Go to https://google.com.co', () => page.goto('https://www.google.com'))", "locations": ["united_kingdom"] } schema: description: | The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type. discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Synthetics_browserMonitorFields' - $ref: '#/components/schemas/Synthetics_httpMonitorFields' - $ref: '#/components/schemas/Synthetics_icmpMonitorFields' - $ref: '#/components/schemas/Synthetics_tcpMonitorFields' type: object required: true summary: Update a monitor tags: - synthetics /api/synthetics/params: get: description: | Get a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: get-parameters responses: '200': content: application/json: examples: getParametersResponseExample1: description: A successful response for a user with read-only permissions to get a list of parameters. 
summary: Read access value: |- [ { "id": "param1-id", "key": "param1", "description": "Description for param1", "tags": ["tag1", "tag2"], "namespaces": ["namespace1"] }, { "id": "param2-id", "key": "param2", "description": "Description for param2", "tags": ["tag3"], "namespaces": ["namespace2"] } ] getParametersResponseExample2: description: A successful response for a user with write permissions to get a list of parameters. summary: Write access value: |- [ { "id": "param1-id", "key": "param1", "description": "Description for param1", "tags": ["tag1", "tag2"], "namespaces": ["namespace1"], "value": "value1" }, { "id": "param2-id", "key": "param2", "description": "Description for param2", "tags": ["tag3"], "namespaces": ["namespace2"], "value": "value2" } ] schema: items: - $ref: '#/components/schemas/Synthetics_getParameterResponse' type: array description: A successful response. summary: Get parameters tags: - synthetics post: description: | Add one or more parameters to the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: post-parameters requestBody: content: application/json: examples: postParametersRequestExample1: description: Add a single parameter. summary: Single parameter value: |- { "key": "your-key-name", "value": "your-parameter-value", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "share_across_spaces": true } postParametersRequestExample2: description: Add multiple parameters. summary: Multiple parameters value: |- [ { "key": "param1", "value": "value1" }, { "key": "param2", "value": "value2" } ] schema: oneOf: - items: $ref: '#/components/schemas/Synthetics_parameterRequest' type: array - $ref: '#/components/schemas/Synthetics_parameterRequest' description: The request body can contain either a single parameter object or an array of parameter objects. 
required: true responses: '200': content: application/json: examples: postParametersResponseExample1: description: A successful response for a single added parameter. summary: Single parameter value: |- { "id": "unique-parameter-id", "key": "your-key-name", "value": "your-param-value", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "share_across_spaces": true } postParametersResponseExample2: description: A successful response for multiple added parameters. summary: Multiple parameters value: |- [ { "id": "param1-id", "key": "param1", "value": "value1" }, { "id": "param2-id", "key": "param2", "value": "value2" } ] schema: oneOf: - items: $ref: '#/components/schemas/Synthetics_postParameterResponse' type: array - $ref: '#/components/schemas/Synthetics_postParameterResponse' description: A successful response. summary: Add parameters tags: - synthetics /api/synthetics/params/_bulk_delete: delete: description: | Delete parameters from the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: delete-parameters requestBody: content: application/json: examples: deleteParametersRequestExample1: description: Run `POST /api/synthetics/params/_bulk_delete` to delete multiple parameters. value: |- { "ids": ["param1-id", "param2-id"] } schema: properties: ids: description: An array of parameter IDs to delete. items: type: string type: array type: object required: true responses: '200': content: application/json: examples: deleteParametersResponseExample1: value: |- [ { "id": "param1-id", "deleted": true } ] schema: items: type: object properties: deleted: description: | Indicates whether the parameter was successfully deleted. It is `true` if it was deleted. It is `false` if it was not deleted. type: boolean id: description: The unique identifier for the deleted parameter. type: string type: array description: A successful response.
summary: Delete parameters tags: - synthetics /api/synthetics/params/{id}: delete: description: | Delete a parameter from the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: delete-parameter parameters: - description: The ID for the parameter to delete. in: path name: id required: true schema: type: string summary: Delete a parameter tags: - synthetics get: description: | Get a parameter from the Synthetics app. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: get-parameter parameters: - description: The unique identifier for the parameter. in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getParameterResponseExample1: description: A successful response for a user with read-only permissions to get a single parameter. summary: Read access value: |- { "id": "unique-parameter-id", "key": "your-api-key", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "namespaces": ["namespace1", "namespace2"] } getParameterResponseExample2: description: A successful response for a user with write permissions to get a single parameter. summary: Write access value: |- { "id": "unique-parameter-id", "key": "your-param-key", "description": "Param to use in browser monitor", "tags": ["authentication", "security"], "namespaces": ["namespace1", "namespace2"], "value": "your-param-value" } schema: $ref: '#/components/schemas/Synthetics_getParameterResponse' description: A successful response. summary: Get a parameter tags: - synthetics put: description: | Update a parameter in the Synthetics app. You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges. operationId: put-parameter parameters: - description: The unique identifier for the parameter. 
in: path name: id required: true schema: type: string requestBody: content: application/json: examples: putParameterRequestExample1: value: |- { "key": "updated_param_key", "value": "updated-param-value", "description": "Updated Param to be used in browser monitor", "tags": ["authentication", "security", "updated"] } schema: type: object properties: description: description: The updated description of the parameter. type: string key: description: The key of the parameter. type: string tags: description: An array of updated tags to categorize the parameter. items: type: string type: array value: description: The updated value associated with the parameter. type: string description: The request body cannot be empty; at least one attribute is required. required: true responses: '200': content: application/json: examples: putParameterResponseExample1: value: |- { "id": "param_id1", "key": "updated_param_key", "value": "updated-param-value", "description": "Updated Param to be used in browser monitor", "tags": ["authentication", "security", "updated"] } schema: type: object description: A successful response. summary: Update a parameter tags: - synthetics /api/synthetics/private_locations: get: description: | Get a list of private locations. You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. 
operationId: get-private-locations responses: '200': content: application/json: examples: getPrivateLocationsResponseExample1: value: |- [ { "label": "Test private location", "id": "fleet-server-policy", "agentPolicyId": "fleet-server-policy", "isInvalid": false, "geo": { "lat": 0, "lon": 0 }, "namespace": "default" }, { "label": "Test private location 2", "id": "691225b0-6ced-11ee-8f5a-376306ee85ae", "agentPolicyId": "691225b0-6ced-11ee-8f5a-376306ee85ae", "isInvalid": false, "geo": { "lat": 0, "lon": 0 }, "namespace": "test" } ] schema: items: $ref: '#/components/schemas/Synthetics_getPrivateLocation' type: array description: A successful response. summary: Get private locations tags: - synthetics post: description: You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. operationId: post-private-location requestBody: content: application/json: examples: postPrivateLocationRequestExample1: description: Run `POST /api/private_locations` to create a private location. value: |- { "label": "Private Location 1", "agentPolicyId": "abcd1234", "tags": ["private", "testing"], "geo": { "lat": 40.7128, "lon": -74.0060 }, "spaces": ["default"] } schema: type: object properties: agentPolicyId: description: The ID of the agent policy associated with the private location. type: string geo: description: Geographic coordinates (WGS84) for the location. type: object properties: lat: description: The latitude of the location. type: number lon: description: The longitude of the location. type: number required: - lat - lon label: description: A label for the private location. type: string spaces: description: | An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces. items: type: string type: array tags: description: An array of tags to categorize the private location.
items: type: string type: array required: - agentPolicyId - label required: true responses: '200': content: application/json: examples: postPrivateLocationResponseExample1: value: |- { "id": "abcd1234", "label": "Private Location 1", "agentPolicyId": "abcd1234", "tags": ["private", "testing"], "geo": { "lat": 40.7128, "lon": -74.0060 } } schema: type: object description: A successful response. '400': description: If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message. summary: Create a private location tags: - synthetics /api/synthetics/private_locations/{id}: delete: description: | You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion. A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location. operationId: delete-private-location parameters: - description: The unique identifier of the private location to be deleted. in: path name: id required: true schema: maxLength: 1024 minLength: 1 type: string summary: Delete a private location tags: - synthetics get: description: | You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges. operationId: get-private-location parameters: - description: A private location identifier or label. 
in: path name: id required: true schema: type: string responses: '200': content: application/json: examples: getPrivateLocationResponseExample1: value: |- { "label": "Test private location", "id": "test-private-location-id", "agentPolicyId": "test-private-location-id", "isServiceManaged": false, "isInvalid": false, "geo": { "lat": 0, "lon": 0 }, "namespace": "default" } schema: $ref: '#/components/schemas/Synthetics_getPrivateLocation' description: A successful response. summary: Get a private location tags: - synthetics /api/task_manager/_health: get: description: | Get the health status of the Kibana task manager. operationId: task-manager-health responses: '200': content: application/json: examples: taskManagerHealthResponse1: $ref: '#/components/examples/Task_manager_health_APIs_health_200response' schema: $ref: '#/components/schemas/Task_manager_health_APIs_health_response' description: Indicates a successful call summary: Get the task manager health tags: - task manager /api/timeline: delete: description: Delete one or more Timelines or Timeline templates. operationId: DeleteTimelines requestBody: content: application/json: schema: type: object properties: savedObjectIds: description: The list of IDs of the Timelines or Timeline templates to delete example: - 15c1929b-0af7-42bd-85a8-56e234cc7c4e items: type: string type: array searchIds: description: Saved search IDs that should be deleted alongside the timelines example: - 23f3-43g34g322-e5g5hrh6h-45454 - 6ce1b592-84e3-4b4a-9552-f189d4b82075 items: type: string type: array required: - savedObjectIds description: The IDs of the Timelines or Timeline templates to delete. required: true responses: '200': content: application/json: schema: type: object properties: data: type: object properties: deleteTimeline: type: boolean required: - deleteTimeline required: - data description: Indicates the Timeline was successfully deleted. 
summary: Delete Timelines or Timeline templates tags: - Security Timeline API get: description: Get the details of an existing saved Timeline or Timeline template. operationId: GetTimeline parameters: - description: The `savedObjectId` of the template timeline to retrieve in: query name: template_timeline_id schema: type: string - description: The `savedObjectId` of the Timeline to retrieve. in: query name: id schema: type: string responses: '200': content: application/json: schema: oneOf: - type: object properties: data: type: object properties: getOneTimeline: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' required: - getOneTimeline required: - data - additionalProperties: false type: object description: Indicates that the (template) Timeline was found and returned. summary: Get Timeline or Timeline template details tags: - Security Timeline API patch: description: Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline. operationId: PatchTimeline requestBody: content: application/json: schema: type: object properties: timeline: $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' description: The timeline object of the Timeline or Timeline template that you’re updating. timelineId: description: The `savedObjectId` of the Timeline or Timeline template that you’re updating. example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e nullable: true type: string version: description: The version of the Timeline or Timeline template that you’re updating. example: WzE0LDFd nullable: true type: string required: - timelineId - version - timeline description: The Timeline updates, along with the Timeline ID and version. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse' description: Indicates that the Timeline was successfully updated. 
'405': content: application/json: schema: type: object properties: body: description: The error message example: update timeline error type: string statusCode: example: 405 type: number description: Indicates that the user does not have the required access to create a Timeline. summary: Update a Timeline tags: - Security Timeline API post: description: Create a new Timeline or Timeline template. operationId: CreateTimelines requestBody: content: application/json: schema: type: object properties: status: $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' nullable: true templateTimelineId: description: A unique identifier for the Timeline template. example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string templateTimelineVersion: description: Timeline template version number. example: 12 nullable: true type: number timeline: $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' timelineId: description: A unique identifier for the Timeline. example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true version: nullable: true type: string required: - timeline description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse' description: Indicates the Timeline was successfully created. '405': content: application/json: schema: type: object properties: body: description: The error message example: update timeline error type: string statusCode: example: 405 type: number description: Indicates that there was an error in the Timeline creation. summary: Create a Timeline or Timeline template tags: - Security Timeline API /api/timeline/_copy: get: description: | Copies and returns a timeline or timeline template. 
operationId: CopyTimeline requestBody: content: application/json: schema: type: object properties: timeline: $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' timelineIdToCopy: type: string required: - timeline - timelineIdToCopy required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse' description: Indicates that the timeline has been successfully copied. summary: Copies timeline or timeline template tags: - Security Timeline API /api/timeline/_draft: get: description: Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned. operationId: GetDraftTimelines parameters: - in: query name: timelineType required: true schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse' description: Indicates that the draft Timeline was successfully retrieved. '403': content: application:json: schema: type: object properties: message: type: string status_code: type: number description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline. '409': content: application:json: schema: type: object properties: message: type: string status_code: type: number description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`. summary: Get draft Timeline or Timeline template details tags: - Security Timeline API post: description: | Create a clean draft Timeline or Timeline template for the current user. > info > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned. 
operationId: CleanDraftTimelines requestBody: content: application/json: schema: type: object properties: timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' required: - timelineType description: The type of Timeline to create. Valid values are `default` and `template`. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse' description: Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned. '403': content: application:json: schema: type: object properties: message: type: string status_code: type: number description: Indicates that the user does not have the required permissions to create a draft Timeline. '409': content: application:json: schema: type: object properties: message: type: string status_code: type: number description: Indicates that there is already a draft Timeline with the given `timelineId`. summary: Create a clean draft Timeline or Timeline template tags: - Security Timeline API /api/timeline/_export: post: description: Export Timelines as an NDJSON file. operationId: ExportTimelines parameters: - description: The name of the file to export in: query name: file_name required: true schema: type: string requestBody: content: application/json: schema: type: object properties: ids: items: type: string nullable: true type: array description: The IDs of the Timelines to export. required: true responses: '200': content: application/ndjson: schema: description: NDJSON of the exported Timelines type: string description: Indicates the Timelines were successfully exported. '400': content: application/ndjson: schema: type: object properties: body: type: string statusCode: type: number description: Indicates that the export size limit was exceeded. 
summary: Export Timelines tags: - Security Timeline API /api/timeline/_favorite: patch: description: Favorite a Timeline or Timeline template for the current user. operationId: PersistFavoriteRoute requestBody: content: application/json: schema: type: object properties: templateTimelineId: nullable: true type: string templateTimelineVersion: nullable: true type: number timelineId: nullable: true type: string timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true required: - timelineId - templateTimelineId - templateTimelineVersion - timelineType description: The required fields used to favorite a (template) Timeline. required: true responses: '200': content: application/json: schema: type: object properties: data: type: object properties: persistFavorite: $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse' required: - persistFavorite required: - data description: Indicates the favorite status was successfully updated. '403': content: application:json: schema: type: object properties: body: type: string statusCode: type: number description: Indicates the user does not have the required permissions to persist the favorite status. summary: Favorite a Timeline or Timeline template tags: - Security Timeline API /api/timeline/_import: post: description: Import Timelines. operationId: ImportTimelines requestBody: content: application/json: schema: type: object properties: file: {} isImmutable: description: Whether the Timeline should be immutable enum: - 'true' - 'false' type: string required: - file description: The Timelines to import as a readable stream. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' description: Indicates the import of Timelines was successful. 
'400': content: application/json: schema: type: object properties: body: description: The error message example: Invalid file extension type: string statusCode: example: 400 type: number description: Indicates the import of Timelines was unsuccessful because of an invalid file extension. '404': content: application/json: schema: type: object properties: body: description: The error message example: Unable to find saved object client type: string statusCode: example: 404 type: number description: Indicates that we were unable to locate the saved object client necessary to handle the import. '409': content: application/json: schema: type: object properties: body: description: The error message example: Could not import timelines type: string statusCode: example: 409 type: number description: Indicates the import of Timelines was unsuccessful. summary: Import Timelines tags: - Security Timeline API /api/timeline/_prepackaged: post: description: Install or update prepackaged Timelines. operationId: InstallPrepackedTimelines requestBody: content: application/json: schema: type: object properties: prepackagedTimelines: items: $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' nullable: true type: array timelinesToInstall: items: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' nullable: true type: array timelinesToUpdate: items: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' nullable: true type: array required: - timelinesToInstall - timelinesToUpdate - prepackagedTimelines description: The Timelines to install or update. required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult' description: Indicates the installation of prepackaged Timelines was successful. 
'500': content: application/json: schema: type: object properties: body: type: string statusCode: type: number description: Indicates the installation of prepackaged Timelines was unsuccessful. summary: Install prepackaged Timelines tags: - Security Timeline API /api/timeline/resolve: get: operationId: ResolveTimeline parameters: - description: The ID of the template timeline to resolve in: query name: template_timeline_id schema: type: string - description: The ID of the timeline to resolve in: query name: id schema: type: string responses: '200': content: application/json: schema: oneOf: - type: object properties: data: $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline' required: - data - additionalProperties: false type: object description: The (template) Timeline has been found '400': description: The request is missing parameters '404': description: The (template) Timeline was not found summary: Get an existing saved Timeline or Timeline template tags: - Security Timeline API /api/timelines: get: description: Get a list of all saved Timelines or Timeline templates. operationId: GetTimelines parameters: - description: If true, only timelines that are marked as favorites by the user are returned. 
in: query name: only_user_favorite schema: enum: - 'true' - 'false' nullable: true type: string - in: query name: timeline_type schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true - in: query name: sort_field schema: $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - description: Whether to sort the results `ascending` or `descending` in: query name: sort_order schema: enum: - asc - desc type: string - description: How many results should be returned at once in: query name: page_size schema: nullable: true type: string - description: How many pages should be skipped in: query name: page_index schema: nullable: true type: string - description: Allows searching for timelines by their title in: query name: search schema: nullable: true type: string - in: query name: status schema: $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' nullable: true responses: '200': content: application/json: schema: type: object properties: customTemplateTimelineCount: description: The amount of custom Timeline templates in the results example: 2 type: number defaultTimelineCount: description: The amount of `default` type Timelines in the results example: 90 type: number elasticTemplateTimelineCount: description: The amount of Elastic's Timeline templates in the results example: 8 type: number favoriteCount: description: The amount of favorited Timelines example: 5 type: number templateTimelineCount: description: The amount of Timeline templates in the results example: 10 type: number timeline: items: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' type: array totalCount: description: The total amount of results example: 100 type: number required: - timeline - totalCount description: Indicates that the (template) Timelines were found and returned. 
'400': content: application/json: schema: type: object properties: body: description: The error message example: get timeline error type: string statusCode: example: 405 type: number description: Bad request. The user supplied invalid data. summary: Get Timelines or Timeline templates tags: - Security Timeline API /api/upgrade_assistant/reindex/{index}: get: description: | Check the status of the reindex task. operationId: get-upgrade-reindex parameters: - description: The name of the index that is reindexing. in: path name: index required: true schema: type: string responses: '200': content: application/json: examples: getUpgradeReindexResponseExample1: value: |- { "reindexOp": { "indexName": ".ml-state", "newIndexName": ".reindexed-v7-ml-state", "status": 0, "lastCompletedStep": 40, "reindexTaskId": "QprwvTMzRQ2MLWOW22oQ4Q:11819", "reindexTaskPercComplete": 0.3, "errorMessage": null }, "warnings": [], "hasRequiredPrivileges": true } schema: type: object properties: hasRequiredPrivileges: description: | Specifies whether the user has sufficient privileges to reindex this index. When security is unavailable or disabled, it is `true`. type: boolean reindexOp: type: object properties: errorMessage: $ref: '#/components/schemas/Upgrade_assistant_APIs_errorMessage' indexName: $ref: '#/components/schemas/Upgrade_assistant_APIs_indexName' lastCompletedStep: $ref: '#/components/schemas/Upgrade_assistant_APIs_lastCompletedStep' newIndexName: $ref: '#/components/schemas/Upgrade_assistant_APIs_newIndexName' reindexTaskId: $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskId' reindexTaskPercComplete: $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete' status: $ref: '#/components/schemas/Upgrade_assistant_APIs_status' warnings: description: | An array of any warning codes that explain what changes are required for this reindex. For example: - `0` specifies to remove the `_all` meta field. 
- `1` specifies to convert any coerced boolean values in the source document. For example, `yes`, `1`, and `off`. - `2` specifies to convert documents to support Elastic Common Schema. Applies only to APM indices created in 6.x. type: array description: Indicates a successful call. summary: Get the reindex status tags: - upgrade x-state: Technical Preview post: description: | Start a new reindex or resume a paused reindex. The following steps are performed during a reindex task: 1. Set the index to read-only. 1. Create a new index. 1. Reindex documents into the new index. 1. Create an index alias for the new index. 1. Delete the old index. operationId: start-upgrade-reindex parameters: - description: The name of the index to reindex. in: path name: index required: true schema: type: string responses: '200': content: application/json: examples: startUpgradeReindexResponseExample1: value: |- { "indexName": ".ml-state", "newIndexName": ".reindexed-v7-ml-state", "status": 0, "lastCompletedStep": 0, "reindexTaskId": null, "reindexTaskPercComplete": null, "errorMessage": null } schema: type: object properties: errorMessage: $ref: '#/components/schemas/Upgrade_assistant_APIs_errorMessage' indexName: $ref: '#/components/schemas/Upgrade_assistant_APIs_indexName' lastCompletedStep: $ref: '#/components/schemas/Upgrade_assistant_APIs_lastCompletedStep' newIndexName: $ref: '#/components/schemas/Upgrade_assistant_APIs_newIndexName' reindexTaskId: $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskId' reindexTaskPercComplete: $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete' status: $ref: '#/components/schemas/Upgrade_assistant_APIs_status' description: Indicates a successful call. summary: Start or resume reindexing tags: - upgrade x-state: Technical Preview /api/upgrade_assistant/reindex/{index}/cancel: post: description: | Cancel reindexes that are waiting for the Elasticsearch reindex task to complete. 
For example, cancel reindexing if the `lastCompletedStep` has the value `40`. operationId: cancel-upgrade-reindex parameters: - description: The name of the index that was reindexing. in: path name: index required: true schema: type: string responses: '200': content: application/json: examples: cancelUpgradeReindexResponseExample1: value: |- { "acknowledged": true } schema: type: object properties: acknowledged: type: boolean description: Indicates a successful call. summary: Cancel reindexing tags: - upgrade x-state: Technical Preview /api/upgrade_assistant/reindex/batch: post: description: | Start or resume multiple reindexing tasks in one request. Additionally, reindexing tasks started or resumed via the batch endpoint will be placed on a queue and run one-by-one, which ensures that minimal cluster resources are consumed over time. operationId: batch-start-upgrade-reindex requestBody: content: application/json: schema: type: object properties: indexNames: description: | The list of index names to be reindexed. The order of the indices determines the order that the reindex tasks are run. items: type: string type: array required: - indexNames required: true responses: '200': content: application/json: examples: batchStartUpgradeReindexResponseExample1: value: |- { "enqueued": [ { "indexName": "index1", "newIndexName": "reindexed-v8-index1", "status": 3, "lastCompletedStep": 0, "locked": null, "reindexTaskId": null, "reindexTaskPercComplete": null, "errorMessage": null, "runningReindexCount": null, "reindexOptions": { "queueSettings": { "queuedAt": 1583406985489 } } } ], "errors": [ { "indexName": "index2", "message": "Something went wrong!" } ] } schema: type: object properties: enqueued: description: | A list of reindex tasks created. The order in the array indicates the order in which tasks will be run. 
items: type: object properties: errorMessage: $ref: '#/components/schemas/Upgrade_assistant_APIs_errorMessage' indexName: $ref: '#/components/schemas/Upgrade_assistant_APIs_indexName' lastCompletedStep: $ref: '#/components/schemas/Upgrade_assistant_APIs_lastCompletedStep' locked: $ref: '#/components/schemas/Upgrade_assistant_APIs_locked' reindexOptions: $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexOptions' reindexTaskId: $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskId' reindexTaskPercComplete: $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete' runningReindexCount: $ref: '#/components/schemas/Upgrade_assistant_APIs_runningReindexCount' type: array errors: description: | A list of errors that may have occurred preventing the reindex task from being created. items: - type: object type: array description: Indicates a successful call. summary: Batch start or resume reindexing tags: - upgrade x-state: Technical Preview /api/upgrade_assistant/reindex/batch/queue: get: description: | Check the current reindex batch queue. 
operationId: get-batch-upgrade-reindex responses: '200': content: application/json: examples: getBatchUpgradeReindexResponseExample1: value: |- { "queue": [ { "indexName": "index1", "newIndexName": "reindexed-v8-index2", "status": 3, "lastCompletedStep": 0, "locked": null, "reindexTaskId": null, "reindexTaskPercComplete": null, "errorMessage": null, "runningReindexCount": null, "reindexOptions": { "queueSettings": { "queuedAt": 1583406985489 } } }, { "indexName": "index2", "newIndexName": "reindexed-v8-index2", "status": 3, "lastCompletedStep": 0, "locked": null, "reindexTaskId": null, "reindexTaskPercComplete": null, "errorMessage": null, "runningReindexCount": null, "reindexOptions": { "queueSettings": { "queuedAt": 1583406987334 } } } ] } schema: type: object properties: queue: description: | Items in this array indicate reindex tasks at a given point in time and the order in which they will be run. items: type: object properties: errorMessage: $ref: '#/components/schemas/Upgrade_assistant_APIs_errorMessage' indexName: $ref: '#/components/schemas/Upgrade_assistant_APIs_indexName' lastCompletedStep: $ref: '#/components/schemas/Upgrade_assistant_APIs_lastCompletedStep' locked: $ref: '#/components/schemas/Upgrade_assistant_APIs_locked' reindexOptions: $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexOptions' reindexTaskId: $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskId' reindexTaskPercComplete: $ref: '#/components/schemas/Upgrade_assistant_APIs_reindexTaskPercComplete' runningReindexCount: $ref: '#/components/schemas/Upgrade_assistant_APIs_runningReindexCount' type: array description: Indicates a successful call. summary: Get the batch reindex queue tags: - upgrade x-state: Technical Preview /api/upgrade_assistant/status: get: description: Check the status of your cluster. 
operationId: get-upgrade-status responses: '200': content: application/json: examples: getUpgradeStatusResponseExample1: value: |- { "readyForUpgrade": false, "cluster": [ { "message": "Cluster deprecated issue", "details":"You have 2 system indices that must be migrated and 5 Elasticsearch deprecation issues and 0 Kibana deprecation issues that must be resolved before upgrading." } ] } description: Indicates a successful call. summary: Get the upgrade readiness status tags: - upgrade x-state: Technical Preview /api/uptime/settings: get: description: | You must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges. operationId: get-uptime-settings responses: '200': content: application/json: examples: getUptimeSettingsResponseExample1: value: |- { "heartbeatIndices": "heartbeat-8*", "certExpirationThreshold": 30, "certAgeThreshold": 730, "defaultConnectors": [ "08990f40-09c5-11ee-97ae-912b222b13d4", "db25f830-2318-11ee-9391-6b0c030836d6" ], "defaultEmail": { "to": [], "cc": [], "bcc": [] } } schema: type: object description: Indicates a successful call summary: Get uptime settings tags: - uptime put: description: | Update uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. A partial update is supported, provided settings keys will be merged with existing settings. operationId: put-uptime-settings requestBody: content: application/json: examples: putUptimeSettingsRequestExample1: description: Run `PUT api/uptime/settings` to update multiple Uptime settings. 
summary: Update multiple settings value: |- { "heartbeatIndices": "heartbeat-8*", "certExpirationThreshold": 30, "certAgeThreshold": 730, "defaultConnectors": [ "08990f40-09c5-11ee-97ae-912b222b13d4", "db25f830-2318-11ee-9391-6b0c030836d6" ], "defaultEmail": { "to": [], "cc": [], "bcc": [] } } putUptimeSettingsRequestExample2: description: Run `PUT api/uptime/settings` to update a single Uptime setting. summary: Update a setting value: |- { "heartbeatIndices": "heartbeat-8*" } schema: type: object properties: certAgeThreshold: default: 730 description: The number of days after a certificate is created to trigger an alert. type: number certExpirationThreshold: default: 30 description: The number of days before a certificate expires to trigger an alert. type: number defaultConnectors: default: [] description: A list of connector IDs to be used as default connectors for new alerts. type: array defaultEmail: description: | The default email configuration for new alerts. type: object properties: bcc: default: [] items: - type: string type: array cc: default: [] items: - type: string type: array to: default: [] items: - type: string type: array heartbeatIndices: default: heartbeat-* description: | An index pattern string to be used within the Uptime app and alerts to query Heartbeat data. type: string responses: '200': content: application/json: examples: putUptimeSettingsResponseExample1: description: A successful response from `PUT api/uptime/settings`. 
value: |- { "heartbeatIndices": "heartbeat-8*", "certExpirationThreshold": 30, "certAgeThreshold": 730, "defaultConnectors": [ "08990f40-09c5-11ee-97ae-912b222b13d4", "db25f830-2318-11ee-9391-6b0c030836d6" ], "defaultEmail": { "to": [], "cc": [], "bcc": [] } } schema: type: object description: Indicates a successful call summary: Update uptime settings tags: - uptime /s/{spaceId}/api/observability/slos: get: description: | You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: findSlosOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - description: A valid KQL query to filter the SLOs with example: 'slo.name:latency* and slo.tags : "prod"' in: query name: kqlQuery schema: type: string - description: The page to use for pagination, must be greater than or equal to 1 example: 1 in: query name: page schema: default: 1 type: integer - description: Number of SLOs returned per page example: 25 in: query name: perPage schema: default: 25 maximum: 5000 type: integer - description: Sort by field example: status in: query name: sortBy schema: default: status enum: - sli_value - status - error_budget_consumed - error_budget_remaining type: string - description: Sort order example: asc in: query name: sortDirection schema: default: asc enum: - asc - desc type: string - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings in: query name: hideStale schema: type: boolean responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_find_slo_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: 
'#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Get a paginated list of SLOs tags: - slo post: description: | You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: createSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: schema: $ref: '#/components/schemas/SLOs_create_slo_request' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_create_slo_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '409': content: application/json: schema: $ref: '#/components/schemas/SLOs_409_response' description: Conflict - The SLO id already exists summary: Create an SLO tags: - slo /s/{spaceId}/api/observability/slos/_delete_instances: post: description: | The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
operationId: deleteSloInstancesOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' requestBody: content: application/json: schema: $ref: '#/components/schemas/SLOs_delete_slo_instances_request' required: true responses: '204': description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response summary: Batch delete rollup and summary data tags: - slo /s/{spaceId}/api/observability/slos/{sloId}: delete: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: deleteSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '204': description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Delete an SLO tags: - slo get: description: | You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
operationId: getSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' - description: the specific instanceId used by the summary calculation example: host-abcde in: query name: instanceId schema: type: string responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_slo_with_summary_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Get an SLO tags: - slo put: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
operationId: updateSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' requestBody: content: application/json: schema: $ref: '#/components/schemas/SLOs_update_slo_request' required: true responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_slo_definition_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Update an SLO tags: - slo /s/{spaceId}/api/observability/slos/{sloId}/_reset: post: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
operationId: resetSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '200': content: application/json: schema: $ref: '#/components/schemas/SLOs_slo_definition_response' description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Reset an SLO tags: - slo /s/{spaceId}/api/observability/slos/{sloId}/disable: post: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. operationId: disableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '204': description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Disable an SLO tags: - slo /s/{spaceId}/api/observability/slos/{sloId}/enable: post: description: | You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges. 
operationId: enableSloOp parameters: - $ref: '#/components/parameters/SLOs_kbn_xsrf' - $ref: '#/components/parameters/SLOs_space_id' - $ref: '#/components/parameters/SLOs_slo_id' responses: '204': description: Successful request '400': content: application/json: schema: $ref: '#/components/schemas/SLOs_400_response' description: Bad request '401': content: application/json: schema: $ref: '#/components/schemas/SLOs_401_response' description: Unauthorized response '403': content: application/json: schema: $ref: '#/components/schemas/SLOs_403_response' description: Unauthorized response '404': content: application/json: schema: $ref: '#/components/schemas/SLOs_404_response' description: Not found response summary: Enable an SLO tags: - slo components: examples: Alerting_get_health_response: summary: Retrieve information about the health of the alerting framework. value: alerting_framework_health: decryption_health: status: ok timestamp: '2023-01-13T01:28:00.280Z' execution_health: status: ok timestamp: '2023-01-13T01:28:00.280Z' read_health: status: ok timestamp: '2023-01-13T01:28:00.280Z' has_permanent_encryption_key: true is_sufficiently_secure: true Alerting_get_rule_types_response: summary: Retrieve rule types associated with Kibana machine learning features value: - action_groups: - id: anomaly_score_match name: Anomaly score matched the condition - id: recovered name: Recovered action_variables: context: - description: The bucket timestamp of the anomaly name: timestamp - description: The bucket time of the anomaly in ISO8601 format name: timestampIso8601 - description: List of job IDs that triggered the alert name: jobIds - description: Alert info message name: message - description: Indicate if top hits contain interim results name: isInterim - description: Anomaly score at the time of the notification action name: score - description: Top records name: topRecords - description: Top influencers name: topInfluencers - description: URL to open in the Anomaly 
Explorer name: anomalyExplorerUrl useWithTripleBracesInTemplates: true params: [] state: [] alerts: context: ml.anomaly-detection mappings: fieldMap: kibana.alert.anomaly_score: array: false type: double required: false kibana.alert.anomaly_timestamp: array: false type: date required: false kibana.alert.is_interim: array: false type: boolean required: false kibana.alert.job_id: array: false type: keyword required: true kibana.alert.top_influencers: array: true dynamic: false type: object properties: influencer_field_name: type: keyword influencer_field_value: type: keyword influencer_score: type: double initial_influencer_score: type: double is_interim: type: boolean job_id: type: keyword timestamp: type: date required: false kibana.alert.top_records: array: true dynamic: false type: object properties: actual: type: double by_field_name: type: keyword by_field_value: type: keyword detector_index: type: integer field_name: type: keyword function: type: keyword initial_record_score: type: double is_interim: type: boolean job_id: type: keyword over_field_name: type: keyword over_field_value: type: keyword partition_field_name: type: keyword partition_field_value: type: keyword record_score: type: double timestamp: type: date typical: type: double required: false shouldWrite: true authorized_consumers: alerts: all: true read: true apm: all: true read: true discover: all: true read: true infrastructure: all: true read: true logs: all: true read: true ml: all: true read: true monitoring: all: true read: true siem: all: true read: true slo: all: true read: true stackAlerts: all: true read: true uptime: all: true read: true category: management default_action_group_id: anomaly_score_match does_set_recovery_context: true enabled_in_license: true has_alerts_mappings: true has_fields_for_a_a_d: false id: xpack.ml.anomaly_detection_alert is_exportable: true minimum_license_required: platinum name: Anomaly detection alert producer: ml recovery_action_group: id: recovered name: 
Recovered rule_task_timeout: 5m - action_groups: - id: anomaly_detection_realtime_issue name: Issue detected - id: recovered name: Recovered action_variables: context: - description: Results of the rule execution name: results - description: Alert info message name: message params: [] state: [] authorized_consumers: alerts: all: true read: true apm: all: true read: true discover: all: true read: true infrastructure: all: true read: true logs: all: true read: true ml: all: true read: true monitoring: all: true read: true siem: all: true read: true slo: all: true read: true stackAlerts: all: true read: true uptime: all: true read: true category: management default_action_group_id: anomaly_detection_realtime_issue does_set_recovery_context: true enabled_in_license: true has_alerts_mappings: false has_fields_for_a_a_d: false id: xpack.ml.anomaly_detection_jobs_health is_exportable: true minimum_license_required: platinum name: Anomaly detection jobs health producer: ml recovery_action_group: id: recovered name: Recovered rule_task_timeout: 5m Cases_add_comment_request: summary: Adds a comment to a case. value: comment: A new comment. owner: cases type: user Cases_add_comment_response: summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null closed_at: null closed_by: null comments: - comment: A new comment. 
created_at: '2022-10-02T00:49:47.716Z' created_by: email: null full_name: null username: elastic id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 owner: cases type: user version: WzIwNDMxLDFd connector: fields: null id: none name: none type: .none created_at: '2022-03-24T00:37:03.906Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: Field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: true description: A case description. duration: null external_service: null id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 owner: cases settings: syncAlerts: false severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 1 updated_at: '2022-06-03T00:49:47.716Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzIzMzgsMV0= Cases_create_case_request: summary: Create a security case that uses a Jira connector. value: connector: fields: issueType: '10006' parent: null priority: High id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value description: A case description. owner: cases settings: syncAlerts: true tags: - tag-1 title: Case title 1 Cases_create_case_response: summary: The create case API returns a JSON object that contains details about the case. 
value: assignees: [] closed_at: null closed_by: null comments: [] connector: fields: issueType: '10006' parent: null priority: High id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira created_at: '2022-10-13T15:33:50.604Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: A case description. duration: null external_service: null id: 66b9aa00-94fa-11ea-9f74-e7e108796192 owner: cases settings: syncAlerts: true severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 0 updated_at: null updated_by: null version: WzUzMiwxXQ== Cases_find_case_activity_response: summary: Retrieves all activity for a case value: page: 1 perPage: 20 total: 3 userActions: - action: create comment_id: null created_at: '2023-10-20T01:17:22.150Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: b4cd0770-07c9-11ed-a5fd-47154cb8767e owner: cases payload: assignees: [] category: null connector: fields: null id: none name: none type: .none customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: A case description. 
owner: cases settings: syncAlerts: false severity: low status: open tags: - tag 1 title: Case title 1 type: create_case version: WzM1ODg4LDFd - action: create comment_id: 578608d0-03b1-11ed-920c-974bfa104448 created_at: '2023-10-14T20:12:53.354Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 57af14a0-03b1-11ed-920c-974bfa104448 owner: cases payload: comment: A new comment owner: cases type: user type: comment version: WzM1ODg4LDFa - action: add comment_id: null created_at: '2023-10-20T01:10:28.238Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 573c6980-6123-11ed-aa41-81a0a61fe447 owner: cases payload: assignees: uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 type: assignees version: WzM1ODg4LDFb Cases_find_case_response: summary: Retrieve the first five cases with the `tag-1` tag, in ascending order by last update time. value: cases: - assignees: [] category: null closed_at: null closed_by: null comments: [] connector: fields: null id: none name: none type: .none created_at: '2023-10-12T00:16:36.371Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: Case description duration: null external_service: null id: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 owner: cases settings: syncAlerts: true severity: low status: open tags: - tag-1 title: Case title totalAlerts: 0 totalComment: 1 updated_at: '2023-10-12T00:27:58.162Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzExMCwxXQ== count_closed_cases: 0 count_in_progress_cases: 0 count_open_cases: 1 page: 1 per_page: 5 total: 1 
Cases_find_connector_response: summary: Retrieve information about the connectors and their settings. value: - actionTypeId: .jira config: apiUrl: https://elastic.atlassian.net/ projectKey: ES id: 61787f53-4eee-4741-8df6-8fe84fa616f7 isDeprecated: false isMissingSecrets: false isPreconfigured: false name: my-Jira referencedByCount: 0 Cases_get_case_alerts_response: summary: Retrieves all alerts attached to a case value: - attached_at: '2022-07-25T20:09:40.963Z' id: f6a7d0c3-d52d-432c-b2e6-447cd7fce04d index: .alerts-observability.logs.alerts-default Cases_get_case_configuration_response: summary: Get the case configuration. value: - closure_type: close-by-user connector: fields: null id: none name: none type: .none created_at: '2024-07-01T17:07:17.767Z' created_by: email: null full_name: null username: elastic customFields: - defaultValue: Custom text field value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: false error: null id: 856ee650-6c82-11ee-a20a-6164169afa58 mappings: [] owner: cases templates: - caseFields: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: Default-category connector: fields: null id: none name: none type: .none customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: Default text field value. description: A default description for cases. settings: syncAlerts: false tags: - Default case tag title: Default case title description: A description of the template. key: 505932fe-ee3a-4960-a661-c781b5acdb05 name: template-1 tags: - Template tag 1 updated_at: null updated_by: null version: WzEyLDNd Cases_get_case_observability_response: summary: Retrieves information about an Observability case including its alerts and comments. 
value: assignees: - uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 category: null closed_at: null closed_by: null comments: - alertId: - a6e12ac4-7bce-457b-84f6-d7ce8deb8446 created_at: '2023-11-06T19:29:38.424Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 59d438d0-79a9-4864-8d4b-e63adacebf6e index: - .internal.alerts-observability.logs.alerts-default-000001 owner: observability pushed_at: null pushed_by: null rule: id: 03e4eb87-62ca-4e5d-9570-3d7625e9669d name: Observability rule type: alert updated_at: null updated_by: null version: WzY3LDJd - comment: The first comment. created_at: '2023-11-06T19:29:57.812Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: d99342d3-3aa3-4b80-90ec-a702607604f5 owner: observability pushed_at: null pushed_by: null type: user updated_at: null updated_by: null version: WzcyLDJd connector: fields: null id: none name: none type: .none created_at: '2023-11-06T19:29:04.086Z' created_by: email: null full_name: null username: elastic customFields: [] description: An Observability case description. duration: null external_service: null id: c3ff7550-def1-4e90-b6bc-c9969a4a09b1 owner: observability settings: syncAlerts: false severity: low status: in-progress tags: - observability - tag 1 title: Observability case title 1 totalAlerts: 1 totalComment: 1 updated_at: '2023-11-06T19:47:55.662Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzI0NywyXQ== Cases_get_case_response: summary: Retrieves information about a case including its comments. 
value: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: null closed_at: null closed_by: null comments: - comment: A new comment created_at: '2023-10-13T15:40:32.335Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 2134c1d0-02c2-11ed-85f2-4f7c222ca2fa owner: cases pushed_at: null pushed_by: null type: user updated_at: null updated_by: null version: WzM3LDFd connector: fields: null id: none name: none type: .none created_at: '2023-10-13T15:33:50.604Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: null description: A case description duration: null external_service: null id: 31cdada0-02c1-11ed-85f2-4f7c222ca2fa owner: cases settings: syncAlerts: true severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 1 updated_at: '2023-10-13T15:40:32.335Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzM2LDFd Cases_get_comment_response: summary: A single user comment retrieved from a case value: comment: A new comment created_at: '2023-10-07T19:32:13.104Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3 owner: cases pushed_at: null pushed_by: null type: user updated_at: null updated_by: null version: WzIzLDFd Cases_get_reporters_response: summary: A list of two users that opened cases value: - email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic - email: jdoe@example.com full_name: Jane Doe profile_uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 username: jdoe 
Cases_get_tags_response: summary: A list of tags that are used in cases value: - observability - security - tag 1 - tag 2 Cases_push_case_response: summary: The push case API returns a JSON object with details about the case and the external service. value: closed_at: null closed_by: null comments: [] connector: fields: issueType: '10006' parent: null priority: Low id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 name: My connector type: .jira created_at: '2022-07-29T00:59:39.444Z' created_by: email: null full_name: null username: elastic description: A case description. duration: null external_service: connector_id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 connector_name: My connector external_id: '71926' external_title: ES-554 external_url: https://cases.jira.com pushed_at: '2022-07-29T01:20:58.436Z' pushed_by: email: null full_name: null username: elastic id: b917f300-0ed9-11ed-bd18-65557fe66949 owner: cases settings: syncAlerts: true severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 0 updated_at: '2022-07-29T01:20:58.436Z' updated_by: email: null full_name: null username: elastic version: WzE3NjgsM10= Cases_set_case_configuration_request: summary: Set the closure type, custom fields, and default connector for Stack Management cases. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira customFields: - defaultValue: My custom field default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: false owner: cases templates: - caseFields: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: Default-category customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: A text field value for the template. description: A default description for cases. tags: - Default case tag title: Default case title description: A description of the template. 
key: 505932fe-ee3a-4960-a661-c781b5acdb05 name: template-1 tags: - Template tag 1 Cases_set_case_configuration_response: summary: This is an example response for case settings. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira created_at: '2024-07-01T17:07:17.767Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - defaultValue: My custom field default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: false error: null id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 mappings: - action_type: overwrite source: title target: summary - action_type: overwrite source: description target: description - action_type: append source: comments target: comments - action_type: overwrite source: tags target: labels owner: cases templates: - caseFields: assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 category: Default-category customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: A text field value for the template. description: A default description for cases. tags: - Default case tag title: Default case title description: A description of the template. key: 505932fe-ee3a-4960-a661-c781b5acdb05 name: template-1 tags: - Template tag 1 updated_at: null updated_by: null version: WzIwNzMsMV0= Cases_update_case_configuration_request: summary: Update the case settings. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira customFields: - defaultValue: A new default value.
key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: true - key: fcc6840d-eb14-42df-8aaf-232201a705ec label: my-toggle type: toggle required: false version: WzExOSw0XQ== Cases_update_case_configuration_response: summary: This is an example response when the case configuration was updated. value: closure_type: close-by-user connector: fields: null id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 name: my-jira-connector type: .jira created_at: '2024-07-01T17:07:17.767Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - defaultValue: A new default value. key: d312efda-ec2b-42ec-9e2c-84981795c581 label: my-text-field type: text required: true - key: fcc6840d-eb14-42df-8aaf-232201a705ec label: my-toggle type: toggle required: false error: null id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 mappings: - action_type: overwrite source: title target: summary - action_type: overwrite source: description target: description - action_type: overwrite source: tags target: labels - action_type: append source: comments target: comments owner: cases templates: [] updated_at: '2024-07-19T00:52:42.401Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzI2LDNd Cases_update_case_request: summary: Update the case description, tags, and connector. value: cases: - connector: fields: issueType: '10006' parent: null priority: null id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira customFields: - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: false - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My new field value description: A case description. 
id: a18b38a0-71b0-11ea-a0b2-c51ea50a58e2 settings: syncAlerts: true tags: - tag-1 version: WzIzLDFd Cases_update_case_response: summary: This is an example response when the case description, tags, and connector were updated. value: - assignees: [] category: null closed_at: null closed_by: null comments: [] connector: fields: issueType: '10006' parent: null priority: null id: 131d4448-abe0-4789-939d-8ef60680b498 name: My connector type: .jira created_at: '2023-10-13T09:16:17.416Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My new field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: false description: A case description. duration: null external_service: connector_id: 05da469f-1fde-4058-99a3-91e4807e2de8 connector_name: Jira external_id: '10003' external_title: IS-4 external_url: https://hms.atlassian.net/browse/IS-4 pushed_at: '2023-10-13T09:20:40.672Z' pushed_by: email: null full_name: null username: elastic id: 66b9aa00-94fa-11ea-9f74-e7e108796192 owner: cases settings: syncAlerts: true severity: low status: open tags: - tag-1 title: Case title 1 totalAlerts: 0 totalComment: 0 updated_at: '2023-10-13T09:48:33.043Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzU0OCwxXQ== Cases_update_comment_request: summary: Updates a comment of a case. value: comment: An updated comment. id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 owner: cases type: user version: Wzk1LDFd Cases_update_comment_response: summary: The add comment to case API returns a JSON object that contains details about the case and its comments. value: assignees: [] category: null closed_at: null closed_by: null comments: - comment: An updated comment. 
created_at: '2023-10-24T00:37:10.832Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 owner: cases pushed_at: null pushed_by: null type: user updated_at: '2023-10-24T01:27:06.210Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzIwNjM3LDFd connector: fields: null id: none name: none type: .none created_at: '2023-10-24T00:37:03.906Z' created_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic customFields: - key: d312efda-ec2b-42ec-9e2c-84981795c581 type: text value: My new field value - key: fcc6840d-eb14-42df-8aaf-232201a705ec type: toggle value: false description: A case description. duration: null external_service: null id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 owner: cases settings: syncAlerts: false severity: low status: open tags: - tag 1 title: Case title 1 totalAlerts: 0 totalComment: 1 updated_at: '2023-10-24T01:27:06.210Z' updated_by: email: null full_name: null profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 username: elastic version: WzIwNjM2LDFd Data_views_create_data_view_request: summary: Create a data view with runtime fields. value: data_view: name: My Logstash data view runtimeFieldMap: runtime_shape_name: script: source: emit(doc['shape_name'].value) type: keyword title: logstash-* Data_views_create_runtime_field_request: summary: Create a runtime field. value: name: runtimeFoo runtimeField: script: source: emit(doc["foo"].value) type: long Data_views_get_data_view_response: summary: The get data view API returns a JSON object that contains information about the data view. 
value: data_view: allowNoIndex: false fieldAttrs: products.manufacturer: count: 1 products.price: count: 1 products.product_name: count: 1 total_quantity: count: 1 fieldFormats: products.base_price: id: number params: pattern: $0,0.00 products.base_unit_price: id: number params: pattern: $0,0.00 products.min_price: id: number params: pattern: $0,0.00 products.price: id: number params: pattern: $0,0.00 products.taxful_price: id: number params: pattern: $0,0.00 products.taxless_price: id: number params: pattern: $0,0.00 taxful_total_price: id: number params: pattern: $0,0.[00] taxless_total_price: id: number params: pattern: $0,0.00 fields: _id: aggregatable: false count: 0 esTypes: - _id format: id: string isMapped: true name: _id readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _index: aggregatable: true count: 0 esTypes: - _index format: id: string isMapped: true name: _index readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _score: aggregatable: false count: 0 format: id: number isMapped: true name: _score readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: number _source: aggregatable: false count: 0 esTypes: - _source format: id: _source isMapped: true name: _source readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: _source category: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: category readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string category.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: category.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: category type: string currency: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: currency readFromDocValues: true scripted: 
false searchable: true shortDotsEnable: false type: string customer_birth_date: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: customer_birth_date readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date customer_first_name: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: customer_first_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string customer_first_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_first_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: customer_first_name type: string customer_full_name: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: customer_full_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string customer_full_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_full_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: customer_full_name type: string customer_gender: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_gender readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string customer_id: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_id readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string customer_last_name: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: customer_last_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string customer_last_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string 
isMapped: true name: customer_last_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: customer_last_name type: string customer_phone: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: customer_phone readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string day_of_week: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: day_of_week readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string day_of_week_i: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: day_of_week_i readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number email: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: email readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string event.dataset: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: event.dataset readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.city_name: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.city_name readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.continent_name: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.continent_name readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.country_iso_code: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.country_iso_code readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string geoip.location: aggregatable: true count: 0 esTypes: - geo_point format: id: geo_point params: transform: wkt isMapped: true 
name: geoip.location readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: geo_point geoip.region_name: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: geoip.region_name readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string manufacturer: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: manufacturer readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string manufacturer.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: manufacturer.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: manufacturer type: string order_date: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: order_date readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date order_id: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: order_id readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string products._id: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: products._id readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products._id.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products._id.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products._id type: string products.base_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.base_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.base_unit_price: aggregatable: true count: 0 esTypes: - half_float format: id: 
number params: pattern: $0,0.00 isMapped: true name: products.base_unit_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.category: aggregatable: false count: 0 esTypes: - text format: id: string isMapped: true name: products.category readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products.category.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.category.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products.category type: string products.created_on: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: products.created_on readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date products.discount_amount: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.discount_amount readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.discount_percentage: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.discount_percentage readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.manufacturer: aggregatable: false count: 1 esTypes: - text format: id: string isMapped: true name: products.manufacturer readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products.manufacturer.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.manufacturer.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products.manufacturer type: string products.min_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: 
products.min_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.price: aggregatable: true count: 1 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.product_id: aggregatable: true count: 0 esTypes: - long format: id: number isMapped: true name: products.product_id readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.product_name: aggregatable: false count: 1 esTypes: - text format: id: string isMapped: true name: products.product_name readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string products.product_name.keyword: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.product_name.keyword readFromDocValues: true scripted: false searchable: true shortDotsEnable: false subType: multi: parent: products.product_name type: string products.quantity: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: products.quantity readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.sku: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: products.sku readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string products.tax_amount: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.tax_amount readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.taxful_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.taxful_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number 
products.taxless_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: products.taxless_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number products.unit_discount_amount: aggregatable: true count: 0 esTypes: - half_float format: id: number isMapped: true name: products.unit_discount_amount readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number sku: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: sku readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string taxful_total_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.[00] isMapped: true name: taxful_total_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number taxless_total_price: aggregatable: true count: 0 esTypes: - half_float format: id: number params: pattern: $0,0.00 isMapped: true name: taxless_total_price readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number total_quantity: aggregatable: true count: 1 esTypes: - integer format: id: number isMapped: true name: total_quantity readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number total_unique_products: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: total_unique_products readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number type: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: type readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string user: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: user readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: 
string
          id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
          name: Kibana Sample Data eCommerce
          namespaces:
            - default
          runtimeFieldMap: {}
          sourceFilters: []
          timeFieldName: order_date
          title: kibana_sample_data_ecommerce
          typeMeta: {}
          version: WzUsMV0=
    Data_views_get_data_views_response:
      summary: The get all data views API returns a list of data views.
      value:
        data_view:
          - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
            name: Kibana Sample Data eCommerce
            namespaces:
              - default
            title: kibana_sample_data_ecommerce
            typeMeta: {}
          - id: d3d7af60-4c81-11e8-b3d7-01146121b73d
            name: Kibana Sample Data Flights
            namespaces:
              - default
            title: kibana_sample_data_flights
          - id: 90943e30-9a47-11e8-b64d-95841ca0b247
            name: Kibana Sample Data Logs
            namespaces:
              - default
            title: kibana_sample_data_logs
    Data_views_get_default_data_view_response:
      summary: The get default data view API returns the default data view identifier.
      value:
        data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
    Data_views_get_runtime_field_response:
      summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`).
value: data_view: allowNoIndex: false fieldAttrs: {} fieldFormats: AvgTicketPrice: id: number params: pattern: $0,0.[00] hour_of_day: id: number params: pattern: '00' fields: _id: aggregatable: false count: 0 esTypes: - _id format: id: string isMapped: true name: _id readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _index: aggregatable: true count: 0 esTypes: - _index format: id: string isMapped: true name: _index readFromDocValues: false scripted: false searchable: true shortDotsEnable: false type: string _score: aggregatable: false count: 0 format: id: number isMapped: true name: _score readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: number _source: aggregatable: false count: 0 esTypes: - _source format: id: _source isMapped: true name: _source readFromDocValues: false scripted: false searchable: false shortDotsEnable: false type: _source AvgTicketPrice: aggregatable: true count: 0 esTypes: - float format: id: number params: pattern: $0,0.[00] isMapped: true name: AvgTicketPrice readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number Cancelled: aggregatable: true count: 0 esTypes: - boolean format: id: boolean isMapped: true name: Cancelled readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: boolean Carrier: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: Carrier readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string dayOfWeek: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: dayOfWeek readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number Dest: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: Dest readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestAirportID: aggregatable: true 
count: 0 esTypes: - keyword format: id: string isMapped: true name: DestAirportID readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestCityName: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestCityName readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestCountry: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestCountry readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestLocation: aggregatable: true count: 0 esTypes: - geo_point format: id: geo_point params: transform: wkt isMapped: true name: DestLocation readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: geo_point DestRegion: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestRegion readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DestWeather: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: DestWeather readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string DistanceKilometers: aggregatable: true count: 0 esTypes: - float format: id: number isMapped: true name: DistanceKilometers readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number DistanceMiles: aggregatable: true count: 0 esTypes: - float format: id: number isMapped: true name: DistanceMiles readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number FlightDelay: aggregatable: true count: 0 esTypes: - boolean format: id: boolean isMapped: true name: FlightDelay readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: boolean FlightDelayMin: aggregatable: true count: 0 esTypes: - integer format: id: number isMapped: true name: FlightDelayMin 
readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number FlightDelayType: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: FlightDelayType readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string FlightNum: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: FlightNum readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string FlightTimeHour: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: FlightTimeHour readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string FlightTimeMin: aggregatable: true count: 0 esTypes: - float format: id: number isMapped: true name: FlightTimeMin readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: number hour_of_day: aggregatable: true count: 0 esTypes: - long format: id: number params: pattern: '00' name: hour_of_day readFromDocValues: false runtimeField: script: source: emit(doc['timestamp'].value.getHour()); type: long scripted: false searchable: true shortDotsEnable: false type: number Origin: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: Origin readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginAirportID: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginAirportID readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginCityName: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginCityName readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginCountry: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginCountry readFromDocValues: true scripted: false 
searchable: true shortDotsEnable: false type: string OriginLocation: aggregatable: true count: 0 esTypes: - geo_point format: id: geo_point params: transform: wkt isMapped: true name: OriginLocation readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: geo_point OriginRegion: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginRegion readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string OriginWeather: aggregatable: true count: 0 esTypes: - keyword format: id: string isMapped: true name: OriginWeather readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: string timestamp: aggregatable: true count: 0 esTypes: - date format: id: date isMapped: true name: timestamp readFromDocValues: true scripted: false searchable: true shortDotsEnable: false type: date id: d3d7af60-4c81-11e8-b3d7-01146121b73d name: Kibana Sample Data Flights runtimeFieldMap: hour_of_day: script: source: emit(doc['timestamp'].value.getHour()); type: long sourceFilters: [] timeFieldName: timestamp title: kibana_sample_data_flights version: WzM2LDJd fields: - aggregatable: true count: 0 esTypes: - long name: hour_of_day readFromDocValues: false runtimeField: script: source: emit(doc['timestamp'].value.getHour()); type: long scripted: false searchable: true shortDotsEnable: false type: number Data_views_preview_swap_data_view_request: summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". value: fromId: abcd-efg toId: xyz-123 Data_views_set_default_data_view_request: summary: Set the default data view identifier. value: data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f force: true Data_views_swap_data_view_request: summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced. 
      value:
        delete: true
        fromId: abcd-efg
        toId: xyz-123
    Data_views_update_data_view_request:
      summary: Update some properties for a data view.
      value:
        data_view:
          allowNoIndex: false
          name: Kibana Sample Data eCommerce
          timeFieldName: order_date
          title: kibana_sample_data_ecommerce
        refresh_fields: true
    Data_views_update_field_metadata_request:
      summary: Update metadata for multiple fields.
      value:
        fields:
          field1:
            count: 123
            customLabel: Field 1 label
          field2:
            customDescription: Field 2 description
            customLabel: Field 2 label
    Data_views_update_runtime_field_request:
      summary: Update an existing runtime field on a data view.
      value:
        runtimeField:
          script:
            source: emit(doc["bar"].value)
    Machine_learning_APIs_mlSyncExample:
      summary: Two anomaly detection jobs required synchronization in this example.
      value:
        datafeedsAdded: {}
        datafeedsRemoved: {}
        savedObjectsCreated:
          anomaly-detector:
            myjob1:
              success: true
            myjob2:
              success: true
        savedObjectsDeleted: {}
    Saved_objects_export_objects_request:
      summary: Export a specific saved object.
      value:
        excludeExportDetails: true
        includeReferencesDeep: false
        objects:
          - id: de71f4f0-1902-11e9-919b-ffe5949a18d2
            type: map
    Saved_objects_export_objects_response:
      summary: The export objects API response contains a JSON record for each exported object.
value: attributes: description: '' layerListJSON: '[{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total Requests by Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web logs count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual 
Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total Requests and Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web logs 
count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}]' mapStateJSON: '{"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}}' title: '[Logs] Total Requests and Bytes' uiStateJSON: '{"isDarkMode":false}' coreMigrationVersion: 8.8.0 created_at: '2023-08-23T20:03:32.204Z' id: de71f4f0-1902-11e9-919b-ffe5949a18d2 managed: false references: - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: layer_1_join_0_index_pattern type: index-pattern - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: layer_2_source_index_pattern type: index-pattern - id: 90943e30-9a47-11e8-b64d-95841ca0b247 name: layer_3_source_index_pattern type: index-pattern type: map typeMigrationVersion: 8.4.0 updated_at: '2023-08-23T20:03:32.204Z' version: WzEzLDFd Saved_objects_import_objects_request: value: file: file.ndjson Saved_objects_import_objects_response: summary: The 
import objects API response indicates a successful import and the objects are created. Since these objects are created as new copies, each entry in the successResults array includes a destinationId attribute.
      value:
        success: true
        successCount: 1
        successResults:
          - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943
            id: 90943e30-9a47-11e8-b64d-95841ca0b247
            managed: false
            meta:
              icon: indexPatternApp
              title: Kibana Sample Data Logs
            type: index-pattern
    Saved_objects_key_rotation_response:
      summary: Encryption key rotation using default parameters.
      value:
        failed: 0
        successful: 300
        total: 1000
    Saved_objects_resolve_missing_reference_request:
      value:
        file: file.ndjson
        retries:
          - id: my-pattern
            overwrite: true
            type: index-pattern
          - destinationId: another-vis
            id: my-vis
            overwrite: true
            type: visualization
          - destinationId: yet-another-canvas
            id: my-canvas
            overwrite: true
            type: canvas
          - id: my-dashboard
            type: dashboard
    Saved_objects_resolve_missing_reference_response:
      summary: Resolve missing reference errors.
      value:
        success: true
        successCount: 3
        successResults:
          - id: my-vis
            meta:
              icon: visualizeApp
              title: Look at my visualization
            type: visualization
          - id: my-search
            meta:
              icon: searchApp
              title: Look at my search
            type: search
          - id: my-dashboard
            meta:
              icon: dashboardApp
              title: Look at my dashboard
            type: dashboard
    Task_manager_health_APIs_health_200response:
      description: A successful response from `GET api/task_manager/_health`.
value: |- { "id": "330bbc6a-56cd-44d5-88e3-e3229f14d619", "timestamp": "2025-03-21T21:30:04.780Z", "status": "OK", "last_update": "2025-03-21T21:30:04.455Z", "stats": { "configuration": { "timestamp": "2025-03-21T21:26:10.002Z", "value": { "request_capacity": 1000, "monitored_aggregated_stats_refresh_rate": 60000, "monitored_stats_running_average_window": 50, "monitored_task_execution_thresholds": { "custom": {}, "default": { "error_threshold": 90, "warn_threshold": 80 } }, "claim_strategy": "mget", "poll_interval": 500, "capacity": { "config": 10, "as_workers": 10, "as_cost": 20 } }, "status": "OK" }, "runtime": { "timestamp": "2025-03-21T21:30:04.455Z", "value": { "polling": { "last_successful_poll": "2025-03-21T21:30:04.455Z", "last_polling_delay": "2025-03-21T21:26:10.001Z", "claim_duration": { "p50": 17, "p90": 22, "p95": 25, "p99": 27 }, "duration": { "p50": 19, "p90": 25.5, "p95": 28, "p99": 28 }, "claim_conflicts": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "claim_mismatches": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "claim_stale_tasks": { "p50": 0, "p90": 0, "p95": 0, "p99": 0 }, "result_frequency_percent_as_number": { "Failed": 0, "NoAvailableWorkers": 0, "NoTasksClaimed": 100, "RanOutOfCapacity": 0, "RunningAtCapacity": 0, "PoolFilled": 0 }, "persistence": { "recurring": 88, "non_recurring": 12 } }, "drift": { "p50": 2089, "p90": 3037, "p95": 3037, "p99": 3037 }, "drift_by_type": { "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "p50": 2082, "p90": 2082, "p95": 2082, "p99": 2082 }, "fleet:check-deleted-files-task": { "p50": 2080, "p90": 2080, "p95": 2080, "p99": 2080 }, "osquery:telemetry-saved-queries": { "p50": 2080, "p90": 2080, "p95": 2080, "p99": 2080 }, "task_manager:mark_removed_tasks_as_unrecognized": { "p50": 2089, "p90": 2089, "p95": 2089, "p99": 2089 }, "task_manager:delete_inactive_background_task_nodes": { "p50": 336.5, "p90": 2089, "p95": 2089, "p99": 2089 }, "alerts_invalidate_api_keys": { "p50": 2086, "p90": 2086, "p95": 2086, "p99": 2086 }, 
"fleet:unenroll-inactive-agents-task": { "p50": 2080, "p90": 2080, "p95": 2080, "p99": 2080 }, "alerting_health_check": { "p50": 2086, "p90": 2086, "p95": 2086, "p99": 2086 }, "Fleet-Usage-Sender": { "p50": 2079, "p90": 2079, "p95": 2079, "p99": 2079 }, "security:endpoint-diagnostics": { "p50": 2525, "p90": 2525, "p95": 2525, "p99": 2525 }, "logs-data-telemetry": { "p50": 2525, "p90": 2525, "p95": 2525, "p99": 2525 }, "security:telemetry-lists": { "p50": 2525, "p90": 2525, "p95": 2525, "p99": 2525 }, "security:telemetry-timelines": { "p50": 2526, "p90": 2526, "p95": 2526, "p99": 2526 }, "cases-telemetry-task": { "p50": 2083, "p90": 2083, "p95": 2083, "p99": 2083 }, "osquery:telemetry-packs": { "p50": 2530, "p90": 2530, "p95": 2530, "p99": 2530 }, "Fleet-Metrics-Task": { "p50": 133.5, "p90": 2530, "p95": 2530, "p99": 2530 }, "fleet:delete-unenrolled-agents-task": { "p50": 2530, "p90": 2530, "p95": 2530, "p99": 2530 }, "osquery:telemetry-configs": { "p50": 2529, "p90": 2529, "p95": 2529, "p99": 2529 }, "endpoint:complete-external-response-actions": { "p50": 519, "p90": 2526, "p95": 2526, "p99": 2526 }, "security:telemetry-detection-rules": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-prebuilt-rule-alerts": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:endpoint-meta-telemetry": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-filterlist-artifact": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-diagnostic-timelines": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:telemetry-configuration": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "security:indices-metadata-telemetry": { "p50": 3037, "p90": 3037, "p95": 3037, "p99": 3037 }, "Fleet-Usage-Logger": { "p50": 2190, "p90": 2190, "p95": 2190, "p99": 2190 }, "obs-ai-assistant:knowledge-base-migration": { "p50": 2189, "p90": 2189, "p95": 2189, "p99": 2189 }, "dashboard_telemetry": { "p50": 
2452, "p90": 2452, "p95": 2452, "p99": 2452 }, "session_cleanup": { "p50": 2569, "p90": 2569, "p95": 2569, "p99": 2569 }, "ProductDocBase:EnsureUpToDate": { "p50": 2452, "p90": 2452, "p95": 2452, "p99": 2452 }, "apm-telemetry-task": { "p50": 2591, "p90": 2591, "p95": 2591, "p99": 2591 }, "ML:saved-objects-sync": { "p50": 2475, "p90": 2475, "p95": 2475, "p99": 2475 }, "apm-source-map-migration-task": { "p50": 1603.5, "p90": 2987, "p95": 2987, "p99": 2987 }, "actions_telemetry": { "p50": 771, "p90": 771, "p95": 771, "p99": 771 }, "alerting_telemetry": { "p50": 768, "p90": 768, "p95": 768, "p99": 768 }, "endpoint:metadata-check-transforms-task": { "p50": 834, "p90": 834, "p95": 834, "p99": 834 }, "endpoint:user-artifact-packager": { "p50": 529.5, "p90": 835, "p95": 835, "p99": 835 }, "fleet:bump_agent_policies": { "p50": 361, "p90": 361, "p95": 361, "p99": 361 } }, "load": { "p50": 10, "p90": 100, "p95": 100, "p99": 100 }, "execution": { "duration": { "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "p50": 24, "p90": 24, "p95": 24, "p99": 24 }, "fleet:check-deleted-files-task": { "p50": 24, "p90": 24, "p95": 24, "p99": 24 }, "osquery:telemetry-saved-queries": { "p50": 25, "p90": 25, "p95": 25, "p99": 25 }, "task_manager:mark_removed_tasks_as_unrecognized": { "p50": 28, "p90": 28, "p95": 28, "p99": 28 }, "task_manager:delete_inactive_background_task_nodes": { "p50": 7.5, "p90": 29, "p95": 29, "p99": 29 }, "alerts_invalidate_api_keys": { "p50": 34, "p90": 34, "p95": 34, "p99": 34 }, "fleet:unenroll-inactive-agents-task": { "p50": 39, "p90": 39, "p95": 39, "p99": 39 }, "alerting_health_check": { "p50": 42, "p90": 42, "p95": 42, "p99": 42 }, "Fleet-Usage-Sender": { "p50": 78, "p90": 78, "p95": 78, "p99": 78 }, "security:endpoint-diagnostics": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "logs-data-telemetry": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-lists": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-timelines": { "p50": 6, "p90": 6, "p95": 
6, "p99": 6 }, "cases-telemetry-task": { "p50": 458, "p90": 458, "p95": 458, "p99": 458 }, "osquery:telemetry-packs": { "p50": 10, "p90": 10, "p95": 10, "p99": 10 }, "Fleet-Metrics-Task": { "p50": 5, "p90": 10, "p95": 10, "p99": 10 }, "fleet:delete-unenrolled-agents-task": { "p50": 11, "p90": 11, "p95": 11, "p99": 11 }, "osquery:telemetry-configs": { "p50": 12, "p90": 12, "p95": 12, "p99": 12 }, "endpoint:complete-external-response-actions": { "p50": 7, "p90": 11, "p95": 11, "p99": 11 }, "security:telemetry-detection-rules": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-prebuilt-rule-alerts": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:endpoint-meta-telemetry": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "security:telemetry-filterlist-artifact": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "security:telemetry-diagnostic-timelines": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "security:telemetry-configuration": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "security:indices-metadata-telemetry": { "p50": 5, "p90": 5, "p95": 5, "p99": 5 }, "Fleet-Usage-Logger": { "p50": 18, "p90": 18, "p95": 18, "p99": 18 }, "obs-ai-assistant:knowledge-base-migration": { "p50": 8, "p90": 8, "p95": 8, "p99": 8 }, "dashboard_telemetry": { "p50": 12, "p90": 12, "p95": 12, "p99": 12 }, "session_cleanup": { "p50": 58, "p90": 58, "p95": 58, "p99": 58 }, "ProductDocBase:EnsureUpToDate": { "p50": 147, "p90": 147, "p95": 147, "p99": 147 }, "apm-telemetry-task": { "p50": 543, "p90": 543, "p95": 543, "p99": 543 }, "ML:saved-objects-sync": { "p50": 544, "p90": 544, "p95": 544, "p99": 544 }, "apm-source-map-migration-task": { "p50": 1649, "p90": 3282, "p95": 3282, "p99": 3282 }, "actions_telemetry": { "p50": 19, "p90": 19, "p95": 19, "p99": 19 }, "alerting_telemetry": { "p50": 64, "p90": 64, "p95": 64, "p99": 64 }, "endpoint:metadata-check-transforms-task": { "p50": 6, "p90": 6, "p95": 6, "p99": 6 }, "endpoint:user-artifact-packager": { "p50": 10, "p90": 13, "p95": 13, 
"p99": 13 }, "fleet:bump_agent_policies": { "p50": 9, "p90": 9, "p95": 9, "p99": 9 } }, "duration_by_persistence": { "recurring": { "p50": 9, "p90": 63.39999999999999, "p95": 474.99999999999966, "p99": 544 }, "non_recurring": { "p50": 14, "p90": 2968.500000000001, "p95": 3282, "p99": 3282 } }, "persistence": { "recurring": 88, "non_recurring": 12 }, "result_frequency_percent_as_number": { "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:check-deleted-files-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "osquery:telemetry-saved-queries": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "task_manager:mark_removed_tasks_as_unrecognized": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "task_manager:delete_inactive_background_task_nodes": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "alerts_invalidate_api_keys": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:unenroll-inactive-agents-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "alerting_health_check": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "Fleet-Usage-Sender": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:endpoint-diagnostics": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "logs-data-telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-lists": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-timelines": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "cases-telemetry-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "osquery:telemetry-packs": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "Fleet-Metrics-Task": { "Success": 100, "RetryScheduled": 0, 
"Failed": 0, "status": "OK" }, "fleet:delete-unenrolled-agents-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "osquery:telemetry-configs": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "endpoint:complete-external-response-actions": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-detection-rules": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-prebuilt-rule-alerts": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:endpoint-meta-telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-filterlist-artifact": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-diagnostic-timelines": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:telemetry-configuration": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "security:indices-metadata-telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "Fleet-Usage-Logger": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "obs-ai-assistant:knowledge-base-migration": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "dashboard_telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "session_cleanup": { "Success": 0, "RetryScheduled": 100, "Failed": 0, "status": "OK" }, "ProductDocBase:EnsureUpToDate": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "apm-telemetry-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "ML:saved-objects-sync": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "apm-source-map-migration-task": { "Success": 50, "RetryScheduled": 50, "Failed": 0, "status": "OK" }, "actions_telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, 
"alerting_telemetry": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "endpoint:metadata-check-transforms-task": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "endpoint:user-artifact-packager": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" }, "fleet:bump_agent_policies": { "Success": 100, "RetryScheduled": 0, "Failed": 0, "status": "OK" } } } }, "status": "OK" }, "workload": { "timestamp": "2025-03-21T21:29:10.367Z", "value": { "count": 35, "cost": 70, "task_types": { "Fleet-Metrics-Task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "Fleet-Usage-Logger": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "Fleet-Usage-Sender": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "ML:saved-objects-sync": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "SLO:ORPHAN_SUMMARIES-CLEANUP-TASK": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "actions_telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "alerting_health_check": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "alerting_telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "alerts_invalidate_api_keys": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "apm-telemetry-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "cases-telemetry-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "dashboard_telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "endpoint:complete-external-response-actions": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "endpoint:metadata-check-transforms-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "endpoint:user-artifact-packager": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "fleet:check-deleted-files-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "fleet:delete-unenrolled-agents-task": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "fleet:unenroll-inactive-agents-task": { "count": 1, "cost": 2, "status": { 
"idle": 1 } }, "logs-data-telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "osquery:telemetry-configs": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "osquery:telemetry-packs": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "osquery:telemetry-saved-queries": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:endpoint-diagnostics": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:endpoint-meta-telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:indices-metadata-telemetry": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-configuration": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-detection-rules": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-diagnostic-timelines": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-filterlist-artifact": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-lists": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-prebuilt-rule-alerts": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "security:telemetry-timelines": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "session_cleanup": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "task_manager:delete_inactive_background_task_nodes": { "count": 1, "cost": 2, "status": { "idle": 1 } }, "task_manager:mark_removed_tasks_as_unrecognized": { "count": 1, "cost": 2, "status": { "idle": 1 } } }, "non_recurring": 1, "non_recurring_cost": 2, "schedule": [ [ "1m", 2 ], [ "60s", 2 ], [ "5m", 2 ], [ "10m", 1 ], [ "15m", 1 ], [ "45m", 1 ], [ "1h", 9 ], [ "3600s", 1 ], [ "60m", 1 ], [ "2h", 1 ], [ "720m", 2 ], [ "24h", 7 ], [ "1d", 3 ], [ "1440m", 1 ] ], "overdue": 0, "overdue_cost": 0, "overdue_non_recurring": 0, "estimated_schedule_density": [ 0, 0, 0, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
0, 0, 0 ], "capacity_requirements": { "per_minute": 4, "per_hour": 46, "per_day": 27 } }, "status": "OK" }, "capacity_estimation": { "status": "OK", "reason": "Task Manager is healthy, the assumedRequiredThroughputPerMinutePerKibana (148.78541666666666) < capacityPerMinutePerKibana (1200)", "timestamp": "2025-03-21T21:30:04.780Z", "value": { "observed": { "observed_kibana_instances": 1, "max_throughput_per_minute_per_kibana": 1200, "max_throughput_per_minute": 1200, "minutes_to_drain_overdue": 0, "avg_recurring_required_throughput_per_minute": 5, "avg_recurring_required_throughput_per_minute_per_kibana": 5, "avg_required_throughput_per_minute": 149, "avg_required_throughput_per_minute_per_kibana": 149 }, "proposed": { "provisioned_kibana": 2, "min_required_kibana": 1, "avg_recurring_required_throughput_per_minute_per_kibana": 3, "avg_required_throughput_per_minute_per_kibana": 75 } } } } } get_connector_types_generativeai_response: summary: A list of connector types for the `generativeAI` feature. value: - id: .gen-ai name: OpenAI enabled: true enabled_in_config: true enabled_in_license: true minimum_license_required: enterprise supported_feature_ids: - generativeAIForSecurity - generativeAIForObservability - generativeAIForSearchPlayground is_system_action_type: false - id: .bedrock name: AWS Bedrock enabled: true enabled_in_config: true enabled_in_license: true minimum_license_required: enterprise supported_feature_ids: - generativeAIForSecurity - generativeAIForObservability - generativeAIForSearchPlayground is_system_action_type: false - id: .gemini name: Google Gemini enabled: true enabled_in_config: true enabled_in_license: true minimum_license_required: enterprise supported_feature_ids: - generativeAIForSecurity is_system_action_type: false get_connector_response: summary: Get connector details. 
value: id: df770e30-8b8b-11ed-a780-3b746c987a81 name: my_server_log_connector config: {} connector_type_id: .server-log is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false update_index_connector_request: summary: Update an index connector. value: name: updated-connector config: index: updated-index create_email_connector_request: summary: Create an email connector. value: name: email-connector-1 connector_type_id: .email config: from: tester@example.com hasAuth: true host: https://example.com port: 1025 secure: false service: other secrets: user: username password: password create_index_connector_request: summary: Create an index connector. value: name: my-connector connector_type_id: .index config: index: test-index create_webhook_connector_request: summary: Create a webhook connector with SSL authentication. value: name: my-webhook-connector connector_type_id: .webhook config: method: post url: https://example.com authType: webhook-authentication-ssl certType: ssl-crt-key secrets: crt: QmFnIEF0dH... key: LS0tLS1CRUdJ... password: my-passphrase create_xmatters_connector_request: summary: Create an xMatters connector with URL authentication. value: name: my-xmatters-connector connector_type_id: .xmatters config: usesBasic: false secrets: secretsUrl: https://example.com?apiKey=xxxxx create_email_connector_response: summary: A new email connector. value: id: 90a82c60-478f-11ee-a343-f98a117c727f connector_type_id: .email name: email-connector-1 config: from: tester@example.com service: other host: https://example.com port: 1025 secure: false hasAuth: true tenantId: null clientId: null oauthTokenUrl: null is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false create_index_connector_response: summary: A new index connector. 
value: id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad connector_type_id: .index name: my-connector config: index: test-index refresh: false executionTimeField: null is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false create_webhook_connector_response: summary: A new webhook connector. value: id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd name: my-webhook-connector config: method: post url: https://example.com authType: webhook-authentication-ssl certType: ssl-crt-key verificationMode: full headers: null hasAuth: true connector_type_id: .webhook is_preconfigured: false is_deprecated: false is_missing_secrets: false is_system_action: false run_index_connector_request: summary: Run an index connector. value: params: documents: - id: my_doc_id name: my_doc_name message: hello, world run_jira_connector_request: summary: Run a Jira connector to retrieve the list of issue types. value: params: subAction: issueTypes run_servicenow_itom_connector_request: summary: Run a ServiceNow ITOM connector to retrieve the list of choices. value: params: subAction: getChoices subActionParams: fields: - severity - urgency run_slack_api_connector_request: summary: Run a Slack connector that uses the web API method to post a message on a channel. value: params: subAction: postMessage subActionParams: channelIds: - C123ABC456 text: A test message. run_swimlane_connector_request: summary: Run a Swimlane connector to create an incident. value: params: subAction: pushToService subActionParams: comments: - commentId: 1 comment: A comment about the incident. incident: caseId: '1000' caseName: Case name description: Description of the incident. run_index_connector_response: summary: Response from running an index connector. 
value: connector_id: fd38c600-96a5-11ed-bb79-353b74189cba data: errors: false items: - create: _id: 4JtvwYUBrcyxt2NnfW3y _index: my-index _primary_term: 1 _seq_no: 0 _shards: failed: 0 successful: 1 total: 2 _version: 1 result: created status: 201 took: 135 status: ok run_jira_connector_response: summary: Response from retrieving the list of issue types for a Jira connector. value: connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 data: - id: 10024 name: Improvement - id: 10006 name: Task - id: 10007 name: Sub-task - id: 10025 name: New Feature - id: 10023 name: Bug - id: 10000 name: Epic status: ok run_server_log_connector_response: summary: Response from running a server log connector. value: connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 status: ok run_servicenow_itom_connector_response: summary: Response from retrieving the list of choices for a ServiceNow ITOM connector. value: connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 data: - dependent_value: '' element: severity label: Critical value: 1 - dependent_value: '' element: severity label: Major value: 2 - dependent_value: '' element: severity label: Minor value: 3 - dependent_value: '' element: severity label: Warning value: 4 - dependent_value: '' element: severity label: OK value: 5 - dependent_value: '' element: severity label: Clear value: 0 - dependent_value: '' element: urgency label: 1 - High value: 1 - dependent_value: '' element: urgency label: 2 - Medium value: 2 - dependent_value: '' element: urgency label: 3 - Low value: 3 status: ok run_slack_api_connector_response: summary: Response from posting a message with a Slack connector. value: status: ok data: ok: true channel: C123ABC456 ts: '1234567890.123456' message: bot_id: B12BCDEFGHI type: message text: A test message user: U12A345BC6D ts: '1234567890.123456' app_id: A01BC2D34EF blocks: - type: rich_text block_id: /NXe elements: - type: rich_text_section elements: - type: text text: A test message. 
team: T01ABCDE2F bot_profile: id: B12BCDEFGHI app_id: A01BC2D34EF name: test icons: image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png deleted: false updated: 1672169705 team_id: T01ABCDE2F connector_id: .slack_api run_swimlane_connector_response: summary: Response from creating a Swimlane incident. value: connector_id: a4746470-2f94-11ed-b0e0-87533c532698 data: id: aKPmBHWzmdRQtx6Mx title: TEST-457 url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx pushedDate: '2022-09-08T16:52:27.866Z' comments: - commentId: 1 pushedDate: '2022-09-08T16:52:27.865Z' status: ok get_connectors_response: summary: A list of connectors value: - id: preconfigured-email-connector name: my-preconfigured-email-notification connector_type_id: .email is_preconfigured: true is_deprecated: false referenced_by_count: 0 is_system_action: false - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 name: my-index-connector config: index: test-index refresh: false executionTimeField: null connector_type_id: .index is_preconfigured: false is_deprecated: false referenced_by_count: 2 is_missing_secrets: false is_system_action: false update_rule_request: summary: Index threshold rule description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
value: actions: - frequency: summary: false notify_when: onActionGroupChange group: threshold met id: 96b668d0-a1b6-11ed-afdf-d39a49596974 params: level: info message: |- Rule {{rule.name}} is active for group {{context.group}}: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} params: aggField: sheet.version aggType: avg index: - .updated-index groupBy: top termField: name.keyword termSize: 6 threshold: - 1000 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 5 timeWindowUnit: m name: new name schedule: interval: 1m tags: [] update_rule_response: summary: Index threshold rule description: The response for successfully updating an index threshold rule. value: id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 consumer: alerts tags: [] name: new name enabled: true throttle: null revision: 1 running: false schedule: interval: 1m params: index: - .updated-index timeField: '@timestamp' groupBy: top aggType: avg timeWindowSize: 5 timeWindowUnit: m thresholdComparator: '>' threshold: - 1000 aggField: sheet.version termField: name.keyword termSize: 6 api_key_owner: elastic created_by: elastic updated_by: elastic rule_type_id: .index-threshold scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea created_at: '2024-03-26T23:13:20.985Z' updated_at: '2024-03-26T23:22:59.949Z' mute_all: false muted_alert_ids: [] execution_status: status: ok last_execution_date: '2024-03-26T23:22:51.390Z' last_duration: 52 actions: - group: threshold met params: level: info message: |- Rule {{rule.name}} is active for group {{context.group}}: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} id: 96b668d0-a1b6-11ed-afdf-d39a49596974 uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d connector_type_id: .server-log frequency: summary: false throttle: null notify_when: 
onActionGroupChange last_run: alerts_count: new: 0 ignored: 0 recovered: 0 active: 0 outcome_msg: null warning: null outcome: succeeded next_run: '2024-03-26T23:23:51.316Z' api_key_created_by_user: false create_es_query_esql_rule_request: summary: Elasticsearch query rule (ES|QL) description: | Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications. value: name: my Elasticsearch query ESQL rule params: searchType: esqlQuery esqlQuery: esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10 timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d size: 0 thresholdComparator: '>' threshold: - 0 consumer: stackAlerts rule_type_id: .es-query schedule: interval: 1d actions: - group: query matched id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 params: level: info message: |- Elasticsearch query rule '{{rule.name}}' is active: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} frequency: summary: false notify_when: onActiveAlert create_es_query_rule_request: summary: Elasticsearch query rule (DSL) description: | Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications. value: actions: - group: query matched params: level: info message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. 
id: fdbece50-406c-11ee-850e-c71febc4ca7f frequency: throttle: 1d summary: true notify_when: onThrottleInterval - group: recovered params: level: info message: Recovered id: fdbece50-406c-11ee-850e-c71febc4ca7f frequency: summary: false notify_when: onActionGroupChange consumer: alerts name: my Elasticsearch query rule params: esQuery: '"""{"query":{"match_all" : {}}}"""' index: - kibana_sample_data_logs size: 100 threshold: - 100 thresholdComparator: '>' timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d rule_type_id: .es-query schedule: interval: 1d create_es_query_kql_rule_request: summary: Elasticsearch query rule (KQL) description: Create an Elasticsearch query rule that uses Kibana query language (KQL). value: consumer: alerts name: my Elasticsearch query KQL rule params: aggType: count excludeHitsFromPreviousRun: true groupBy: all searchConfiguration: query: query: '""geo.src : "US" ""' language: kuery index: 90943e30-9a47-11e8-b64d-95841ca0b247 searchType: searchSource size: 100 threshold: - 1000 thresholdComparator: '>' timeWindowSize: 5 timeWindowUnit: m rule_type_id: .es-query schedule: interval: 1m create_index_threshold_rule_request: summary: Index threshold rule description: | Create an index threshold rule that uses a server log connector to send notifications when the threshold is met. 
value: actions: - id: 48de3460-f401-11ed-9f8e-399c75a2deeb frequency: notify_when: onActionGroupChange summary: false group: threshold met params: level: info message: |- Rule '{{rule.name}}' is active for group '{{context.group}}': - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} alert_delay: active: 3 consumer: alerts name: my rule params: aggType: avg termSize: 6 thresholdComparator: '>' timeWindowSize: 5 timeWindowUnit: m groupBy: top threshold: - 1000 index: - .test-index timeField: '@timestamp' aggField: sheet.version termField: name.keyword rule_type_id: .index-threshold schedule: interval: 1m tags: - cpu create_tracking_containment_rule_request: summary: Tracking containment rule description: | Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary. value: consumer: alerts name: my tracking rule params: index: kibana_sample_data_logs dateField: '@timestamp' geoField: geo.coordinates entity: agent.keyword boundaryType: entireIndex boundaryIndexTitle: boundary* boundaryGeoField: location boundaryNameField: name indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc rule_type_id: .geo-containment schedule: interval: 1h create_es_query_esql_rule_response: summary: Elasticsearch query rule (ES|QL) description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL). 
value: id: e0d62360-78e8-11ee-9177-f7d404c8c945 enabled: true name: my Elasticsearch query ESQL rule tags: [] rule_type_id: .es-query consumer: stackAlerts schedule: interval: 1d actions: - group: query matched id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 params: level: info message: |- Elasticsearch query rule '{{rule.name}}' is active: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}} connector_type_id: .server-log frequency: summary: false notify_when: onActiveAlert throttle: null uuid: bfe370a3-531b-4855-bbe6-ad739f578844 params: searchType: esqlQuery esqlQuery: esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10 timeField: '@timestamp' timeWindowSize: 1 timeWindowUnit: d size: 0 thresholdComparator: '>' threshold: - 0 excludeHitsFromPreviousRun: true aggType: count groupBy: all scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 created_by: elastic updated_by: elastic created_at: '2023-11-01T19:00:10.453Z' updated_at: '2023-11-01T19:00:10.453Z' api_key_owner: elastic api_key_created_by_user: false throttle: null mute_all: false notify_when: null muted_alert_ids: [] execution_status: status: pending last_execution_date: '2023-11-01T19:00:10.453Z' revision: 0 running: false create_es_query_rule_response: summary: Elasticsearch query rule (DSL) description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL). 
value: id: 58148c70-407f-11ee-850e-c71febc4ca7f enabled: true name: my Elasticsearch query rule tags: [] rule_type_id: .es-query consumer: alerts schedule: interval: 1d actions: - group: query matched id: fdbece50-406c-11ee-850e-c71febc4ca7f params: level: info message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts. connector_type_id: .server-log frequency: summary: true notify_when: onThrottleInterval throttle: 1d uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 - group: recovered id: fdbece50-406c-11ee-850e-c71febc4ca7f params: level: info message: Recovered connector_type_id: .server-log frequency: summary: false notify_when: onActionGroupChange throttle: null uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 params: thresholdComparator: '>' timeWindowSize: 1 timeWindowUnit: d threshold: - 100 size: 100 timeField: '@timestamp' index: - kibana_sample_data_logs esQuery: '"""{"query":{"match_all" : {}}}"""' excludeHitsFromPreviousRun: true aggType: count groupBy: all searchType: esQuery scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f created_by: elastic updated_by: elastic created_at: '2023-08-22T00:03:38.263Z' updated_at: '2023-08-22T00:03:38.263Z' api_key_owner: elastic api_key_created_by_user: false throttle: null mute_all: false notify_when: null muted_alert_ids: [] execution_status: status: pending last_execution_date: '2023-08-22T00:03:38.263Z' revision: 0 running: false create_es_query_kql_rule_response: summary: Elasticsearch query rule (KQL) description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL). 
value: id: 7bd506d0-2284-11ee-8fad-6101956ced88 enabled: true name: my Elasticsearch query KQL rule tags: [] rule_type_id: .es-query consumer: alerts schedule: interval: 1m actions: [] params: searchConfiguration: query: query: '""geo.src : "US" ""' language: kuery index: 90943e30-9a47-11e8-b64d-95841ca0b247 searchType: searchSource timeWindowSize: 5 timeWindowUnit: m threshold: - 1000 thresholdComparator: '>' size: 100 aggType: count groupBy: all excludeHitsFromPreviousRun: true created_by: elastic updated_by: elastic created_at: '2023-07-14T20:24:50.729Z' updated_at: '2023-07-14T20:24:50.729Z' api_key_owner: elastic api_key_created_by_user: false throttle: null notify_when: null mute_all: false muted_alert_ids: [] scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 execution_status: status: pending last_execution_date: '2023-07-14T20:24:50.729Z' revision: 0 running: false create_index_threshold_rule_response: summary: Index threshold rule description: The response for successfully creating an index threshold rule. 
value: actions: - group: threshold met id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d connector_type_id: .server-log frequency: notify_when: onActionGroupChange summary: false throttle: null params: level: info message: |- Rule {{rule.name}} is active for group {{context.group}}: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} alert_delay: active: 3 api_key_created_by_user: false api_key_owner: elastic consumer: alerts created_at: '2022-06-08T17:20:31.632Z' created_by: elastic enabled: true execution_status: last_execution_date: '2022-06-08T17:20:31.632Z' status: pending id: 41893910-6bca-11eb-9e0d-85d233e3ee35 muted_alert_ids: [] mute_all: false name: my rule notify_when: null params: aggType: avg termSize: 6 thresholdComparator: '>' timeWindowSize: 5 timeWindowUnit: m groupBy: top threshold: - 1000 index: - .test-index timeField: '@timestamp' aggField: sheet.version termField: name.keyword revision: 0 rule_type_id: .index-threshold running: false schedule: interval: 1m scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 tags: - cpu throttle: null updated_at: '2022-06-08T17:20:31.632Z' updated_by: elastic create_tracking_containment_rule_response: summary: Tracking containment rule description: The response for successfully creating a tracking containment rule. 
value: id: b6883f9d-5f70-4758-a66e-369d7c26012f name: my tracking rule tags: [] enabled: true consumer: alerts throttle: null revision: 1 running: false schedule: interval: 1h params: index: kibana_sample_data_logs dateField: '@timestamp' geoField: geo.coordinates entity: agent.keyword boundaryType: entireIndex boundaryIndexTitle: boundary* boundaryGeoField: location boundaryNameField: name indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc rule_type_id: .geo-containment created_by: elastic updated_by: elastic created_at: '2024-02-14T19:52:55.920Z' updated_at: '2024-02-15T03:24:32.574Z' api_key_owner: elastic notify_when: null mute_all: false muted_alert_ids: [] scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f execution_status: status: ok last_execution_date: '2024-02-15T03:25:38.125Z' last_duration: 74 actions: [] last_run: alerts_count: active: 0 new: 0 recovered: 0 ignored: 0 outcome_msg: null outcome_order: 0 outcome: succeeded warning: null next_run: '2024-02-15T03:26:38.033Z' api_key_created_by_user: false find_rules_response: summary: Index threshold rule description: A response that contains information about an index threshold rule. 
value: page: 1 total: 1 per_page: 10 data: - id: 3583a470-74f6-11ed-9801-35303b735aef consumer: alerts tags: - cpu name: my alert enabled: true throttle: null schedule: interval: 1m params: aggType: avg termSize: 6 thresholdComparator: '>' timeWindowSize: 5 timeWindowUnit: m groupBy: top threshold: - 1000 index: - test-index timeField: '@timestamp' aggField: sheet.version termField: name.keyword revision: 1 rule_type_id: .index-threshold created_by: elastic updated_by: elastic created_at: '2022-12-05T23:40:33.132Z' updated_at: '2022-12-05T23:40:33.132Z' api_key_owner: elastic mute_all: false muted_alert_ids: [] scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef execution_status: status: ok last_execution_date: '2022-12-06T01:44:23.983Z' last_duration: 48 actions: - id: 9dca3e00-74f5-11ed-9801-35303b735aef group: threshold met uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 params: level: info message: |- Rule {{rule.name}} is active for group {{context.group}}: - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} connector_type_id: .server-log frequency: summary: false notify_when: onActionGroupChange throttle: null last_run: alerts_count: new: 0 ignored: 0 recovered: 0 active: 0 outcome_msg: null warning: null outcome: succeeded next_run: '2022-12-06T01:45:23.912Z' api_key_created_by_user: false find_rules_response_conditional_action: summary: Security rule description: A response that contains information about a security rule that has conditional actions. value: page: 1 total: 1 per_page: 10 data: - id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb name: security_rule consumer: siem enabled: true tags: [] throttle: null revision: 1 running: false schedule: interval: 1m params: author: [] description: A security threshold rule. 
ruleId: an_internal_rule_id falsePositives: [] from: now-3660s immutable: false license: '' outputIndex: '' meta: from: 1h kibana_siem_app_url: https://localhost:5601/app/security maxSignals: 100 riskScore: 21 riskScoreMapping: [] severity: low severityMapping: [] threat: [] to: now references: [] version: 1 exceptionsList: [] type: threshold language: kuery index: - kibana_sample_data_logs query: '*' filters: [] threshold: field: - bytes value: 1 cardinality: [] rule_type_id: siem.thresholdRule created_by: elastic updated_by: elastic created_at: '2023-05-16T15:50:28.358Z' updated_at: '2023-05-16T20:25:42.559Z' api_key_owner: elastic notify_when: null mute_all: false muted_alert_ids: [] scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb execution_status: status: ok last_execution_date: '2023-05-16T20:26:49.590Z' last_duration: 166 actions: - group: default id: 49eae970-f401-11ed-9f8e-399c75a2deeb params: documents: - rule_id: '[object Object]': null rule_name: '[object Object]': null alert_id: '[object Object]': null context_message: '[object Object]': null connector_type_id: .index frequency: summary: true notify_when: onActiveAlert throttle: null uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 alerts_filter: timeframe: days: - 7 timezone: UTC hours: start: '08:00' end: '17:00' query: kql: '' filters: - meta: disabled: false negate: false alias: null index: c4bdca79-e69e-4d80-82a1-e5192c621bea key: client.geo.region_iso_code field: client.geo.region_iso_code params: query: CA-QC type: phrase $state: store: appState query: match_phrase: client.geo.region_iso_code: CA-QC last_run: alerts_count: new: 0 ignored: 0 recovered: 0 active: 0 outcome_msg: - Rule execution completed successfully outcome_order: 0 warning: null outcome: succeeded next_run: '2023-05-16T20:27:49.507Z' api_key_created_by_user: false get_roles_response1: summary: Get all role details value: - name: my_kibana_role description: My kibana role description metadata: version: 1 transient_metadata: 
enabled: true elasticsearch: indices: [] cluster: [] run_as: [] kibana: - base: - all feature: {} spaces: - '*' - name: my_admin_role description: My admin role description metadata: version: 1 transient_metadata: enabled: true elasticsearch: cluster: - all indices: - names: - index1 - index2 privileges: - all field_security: grant: - title - body query: '{\"match\": {\"title\": \"foo\"}}' kibana: [] get_role_response1: summary: Get role details value: name: my_kibana_role description: Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space. metadata: version: 1 transient_metadata: enabled: true elasticsearch: cluster: - all remote_cluster: - privileges: - monitor_enrich clusters: - remote_cluster1 indices: - names: - index1 - index2 privileges: - all allow_restricted_indices: false remote_indices: - names: - remote_index1 - remote_index2 privileges: - all allow_restricted_indices: false clusters: - remote_cluster1 run_as: [] kibana: - base: - all feature: {} spaces: - default _transform_error: [] _unrecognized_applications: [] create_role_request1: summary: Feature privileges in multiple spaces description: Grant access to various features in some spaces. value: description: Grant full access to discover and dashboard features in the default space. Grant read access in the marketing and sales spaces. metadata: version: 1 elasticsearch: cluster: [] indices: [] kibana: - base: [] feature: discover: - all dashboard: - all spaces: - default - base: - read spaces: - marketing - sales create_role_request2: summary: Dashboard privileges in a space description: Grant access to dashboard features in a Marketing space. value: description: Grant dashboard access in the Marketing space. 
metadata: version: 1 elasticsearch: cluster: [] indices: [] kibana: - base: [] feature: dashboard: - read spaces: - marketing create_role_request3: summary: Feature privileges in a space description: Grant full access to all features in the default space. value: metadata: version: 1 elasticsearch: cluster: [] indices: [] kibana: - base: - all feature: {} spaces: - default create_role_request4: summary: Elasticsearch and Kibana feature privileges description: Grant Elasticsearch and Kibana feature privileges. value: description: Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space. metadata: version: 1 elasticsearch: cluster: - all indices: - names: - index1 - index2 privileges: - all remote_indices: - clusters: - remote_cluster1 names: - remote_index1 - remote_index2 privileges: - all remote_cluster: - clusters: - remote_cluster1 privileges: - monitor_enrich kibana: - base: - all feature: {} spaces: - default copy_saved_objects_request1: summary: Copy with createNewCopies description: | Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. value: objects: - type: dashboard id: my-dashboard spaces: - marketing includeReferences: true copy_saved_objects_request2: summary: Copy without createNewCopies description: | Copy a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. In this example, the dashboard has a reference to a visualization and that has a reference to a data view. 
value: objects: - type: dashboard id: my-dashboard spaces: - marketing includeReferences: true createNewCopies: false copy_saved_objects_response1: summary: Copy with createNewCopies description: | The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. The result indicates a successful copy and all three objects are created. Since these objects were created as new copies, each entry in the successResults array includes a destinationId attribute. value: marketing: success: true successCount: 3 successResults: - id: my-dashboard type: dashboard destinationId: 1e127098-5b80-417f-b0f1-c60c8395358f meta: icon: dashboardApp title: Look at my dashboard - id: my-vis type: visualization destinationId: a610ed80-1c73-4507-9e13-d3af736c8e04 meta: icon: visualizeApp title: Look at my visualization - id: my-index-pattern type: index-pattern destinationId: bc3c9c70-bf6f-4bec-b4ce-f4189aa9e26b meta: icon: indexPatternApp title: my-pattern-* copy_saved_objects_response2: summary: Copy without createNewCopies description: | The response for successfully copying a dashboard with the my-dashboard ID with createNewCopies turned off. The result indicates a successful copy and all three objects are created. value: marketing: success: true successCount: 3 successResults: - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard - id: my-vis type: visualization meta: icon: visualizeApp title: Look at my visualization - id: my-index-pattern type: index-pattern meta: icon: indexPatternApp title: my-pattern-* copy_saved_objects_response3: summary: Failed copy response with conflict errors description: | A response for a failed copy of a dashboard with the my-dashboard ID including all references from the default space to the marketing and sales spaces. 
In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to an index pattern. The result indicates a successful copy for the marketing space and an unsuccessful copy for the sales space because the data view, visualization, and Canvas workpad each resulted in a conflict error. Objects are created when the error is resolved using the resolve copy conflicts API. value: marketing: success: true successCount: 4 successResults: - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard - id: my-vis type: visualization meta: icon: visualizeApp title: Look at my visualization - id: my-canvas type: canvas-workpad meta: icon: canvasApp title: Look at my canvas - id: my-index-pattern type: index-pattern meta: icon: indexPatternApp title: my-pattern-* sales: success: false successCount: 1 errors: - id: my-pattern type: index-pattern title: my-pattern-* error: type: conflict meta: icon: indexPatternApp title: my-pattern-* - id: my-visualization type: my-vis title: Look at my visualization error: type: conflict destinationId: another-vis meta: icon: visualizeApp title: Look at my visualization - id: my-canvas type: canvas-workpad title: Look at my canvas error: type: ambiguous_conflict destinations: - id: another-canvas title: Look at another canvas updatedAt: '2020-07-08T16:36:32.377Z' - id: yet-another-canvas title: Look at yet another canvas updatedAt: '2020-07-05T12:29:54.849Z' meta: icon: canvasApp title: Look at my canvas successResults: - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard copy_saved_objects_response4: summary: Failed copy with missing reference errors description: | The response for successfully copying a dashboard with the my-dashboard ID, including all references from the default space to the marketing space. 
In this example, the dashboard has a reference to a visualization and a Canvas workpad and the visualization has a reference to a data view. The result indicates an unsuccessful copy because the visualization resulted in a missing references error. Objects are created when the errors are resolved using the resolve copy conflicts API. value: marketing: success: false successCount: 2 errors: - id: my-vis type: visualization title: Look at my visualization error: type: missing_references references: - type: index-pattern id: my-pattern-* meta: icon: visualizeApp title: Look at my visualization successResults: - id: my-dashboard type: dashboard meta: icon: dashboardApp title: Look at my dashboard - id: my-canvas type: canvas-workpad meta: icon: canvasApp title: Look at my canvas disable_legacy_url_request1: summary: Disable legacy URL aliases description: | This request leaves the alias intact but the legacy URL for this alias (http://localhost:5601/s/bills-space/app/dashboards#/view/123) will no longer function. The dashboard still exists and you can access it with the new URL. value: aliases: - targetSpace: bills-space targetType: dashboard sourceId: 123 resolve_copy_saved_objects_request1: summary: Resolve conflict errors description: | Resolve conflict errors for a data view, visualization, and Canvas workpad by overwriting the existing saved objects. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard accordingly. 
value: objects: - type: dashboard id: my-dashboard includeReferences: true createNewCopies: false retries: sales: - type: index-pattern id: my-pattern overwrite: true - type: visualization id: my-vis overwrite: true destinationId: another-vis - type: canvas-workpad id: my-canvas overwrite: true destinationId: yet-another-canvas - type: dashboard id: my-dashboard resolve_copy_saved_objects_request2: summary: Resolve missing reference errors description: | Resolve missing reference errors for a visualization by ignoring the error. NOTE: If a prior copy attempt resulted in resolvable errors, you must include a retry for each object you want to copy, including any that were returned in the successResults array. In this example, we retried copying the dashboard and canvas accordingly. value: objects: - type: dashboard id: my-dashboard includeReferences: true createNewCopies: false retries: marketing: - type: visualization id: my-vis ignoreMissingReferences: true - type: canvas-workpad id: my-canvas - type: dashboard id: my-dashboard update_saved_objects_spaces_request1: summary: Update saved object spaces description: Update the spaces of each saved object and all its references. value: objects: - type: index-pattern id: 90943e30-9a47-11e8-b64d-95841ca0b247 spacesToAdd: - test spacesToRemove: [] update_saved_objects_spaces_response1: summary: Update saved object spaces description: | The response from updating the spaces of saved objects. value: objects: - type: index-pattern id: 90943e30-9a47-11e8-b64d-95841ca0b247 spaces: - default - test get_spaces_response1: summary: Get all spaces description: Get all spaces without specifying any options. 
value: - id: default name: Default description: This is the Default Space disabledFeatures: [] imageUrl: '' _reserved: true - id: marketing name: Marketing description: This is the Marketing Space color: null disabledFeatures: - apm initials: MK imageUrl:  - id: sales name: Sales initials: MK disabledFeatures: - discover imageUrl: '' solution: oblt get_spaces_response2: summary: Get all spaces with custom options description: | The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true" value: - id: default name: Default description: This is the Default Space disabledFeatures: [] imageUrl: '' _reserved: true authorizedPurposes: any: true copySavedObjectsIntoSpace: true findSavedObjects: true shareSavedObjectsIntoSpace: true - id: marketing name: Marketing description: This is the Marketing Space color: null disabledFeatures: - apm initials: MK imageUrl:  authorizedPurposes: any: true copySavedObjectsIntoSpace: true findSavedObjects: true shareSavedObjectsIntoSpace: true - id: sales name: Sales initials: MK disabledFeatures: - discover imageUrl: '' authorizedPurposes: any: true copySavedObjectsIntoSpace: false findSavedObjects: true shareSavedObjectsIntoSpace: false create_space_request: summary: Create a marketing space value: id: marketing name: Marketing description: This is the Marketing Space color: null initials: MK disabledFeatures: [] imageUrl:  get_space_response: summary: Get details about a marketing space value: id: marketing name: Marketing description: This is the Marketing Space color: null initials: MK disabledFeatures: [] imageUrl: '' solution: es update_space_request: summary: Update a marketing space description: Update the marketing space to remove the imageUrl. 
value: id: marketing name: Marketing description: This is the Marketing Space color: null initials: MK disabledFeatures: [] imageUrl: '' parameters: Alerting_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string APM_UI_elastic_api_version: description: The version of the API to use in: header name: elastic-api-version required: true schema: default: '2023-10-31' enum: - '2023-10-31' type: string APM_UI_kbn_xsrf: description: A required header to protect against CSRF attacks in: header name: kbn-xsrf required: true schema: example: 'true' type: string Cases_alert_id: description: An identifier for the alert. in: path name: alertId required: true schema: example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 type: string Cases_assignees_filter: description: | Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API. in: query name: assignees schema: oneOf: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_case_id: description: The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded. in: path name: caseId required: true schema: example: 9c235210-6834-11ea-a78c-6ffb38a34414 type: string Cases_category: description: Filters the returned cases by category. in: query name: category schema: oneOf: - $ref: '#/components/schemas/Cases_case_category' - $ref: '#/components/schemas/Cases_case_categories' Cases_comment_id: description: | The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs. in: path name: commentId required: true schema: example: 71ec1870-725b-11ea-a0b2-c51ea50a58e2 type: string Cases_configuration_id: description: An identifier for the configuration. 
in: path name: configurationId required: true schema: example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 type: string Cases_connector_id: description: An identifier for the connector. To retrieve connector IDs, use the find connectors API. in: path name: connectorId required: true schema: example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 type: string Cases_defaultSearchOperator: description: The default operator to use for the simple_query_string. example: OR in: query name: defaultSearchOperator schema: default: OR type: string Cases_from: description: | Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression. in: query name: from schema: example: now-1d type: string Cases_ids: description: | The cases that you want to remove. All non-ASCII characters must be URL encoded. example: d4e7abb0-b462-11ec-9a8d-698504725a43 in: query name: ids required: true schema: items: maxItems: 100 minItems: 1 type: string type: array Cases_includeComments: deprecated: true description: Deprecated in 8.1.0. This parameter is deprecated and will be removed in a future release. It determines whether case comments are returned. in: query name: includeComments schema: default: true type: boolean Cases_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string Cases_owner_filter: description: | A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read. example: cases in: query name: owner schema: oneOf: - $ref: '#/components/schemas/Cases_owner' - $ref: '#/components/schemas/Cases_owners' Cases_page_index: description: The page number to return. in: query name: page required: false schema: default: 1 type: integer Cases_page_size: description: The number of items to return. Limited to 100 items. 
in: query name: perPage required: false schema: default: 20 maximum: 100 type: integer Cases_reporters: description: Filters the returned cases by the user name of the reporter. example: elastic in: query name: reporters schema: oneOf: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_search: description: An Elasticsearch simple_query_string query that filters the objects in the response. in: query name: search schema: type: string Cases_searchFields: description: The fields to perform the simple_query_string parsed query against. in: query name: searchFields schema: oneOf: - $ref: '#/components/schemas/Cases_searchFieldsType' - $ref: '#/components/schemas/Cases_searchFieldsTypeArray' Cases_severity: description: The severity of the case. in: query name: severity schema: enum: - critical - high - low - medium type: string Cases_sort_order: description: Determines the sort order. in: query name: sortOrder required: false schema: default: desc enum: - asc - desc type: string Cases_sortField: description: Determines which field is used to sort the results. example: updatedAt in: query name: sortField schema: default: createdAt enum: - createdAt - updatedAt - closedAt - title - category - status - severity type: string Cases_status: description: Filters the returned cases by state. example: open in: query name: status schema: enum: - closed - in-progress - open type: string Cases_tags: description: Filters the returned cases by tags. example: tag-1 in: query name: tags schema: oneOf: - $ref: '#/components/schemas/Cases_string' - $ref: '#/components/schemas/Cases_string_array' Cases_to: description: | Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression. example: now+1d in: query name: to schema: type: string Cases_user_action_types: description: Determines the types of user actions to return. 
example: create_case in: query name: types schema: items: enum: - action - alert - assignees - attachment - comment - connector - create_case - description - pushed - settings - severity - status - tags - title - user type: string type: array Data_views_field_name: description: The name of the runtime field. in: path name: fieldName required: true schema: example: hour_of_day type: string Data_views_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string Data_views_view_id: description: An identifier for the data view. in: path name: viewId required: true schema: example: ff959d40-b880-11e8-a6d9-e546fe2bba5f type: string Machine_learning_APIs_simulateParam: description: When true, simulates the synchronization by returning only the list of actions that would be performed. example: 'true' in: query name: simulate required: false schema: type: boolean Saved_objects_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string Saved_objects_saved_object_id: description: An identifier for the saved object. in: path name: id required: true schema: type: string Saved_objects_saved_object_type: description: Valid options include `visualization`, `dashboard`, `search`, `index-pattern`, `config`. in: path name: type required: true schema: type: string Short_URL_APIs_idParam: description: The identifier for the short URL. in: path name: id required: true schema: type: string SLOs_kbn_xsrf: description: Cross-site request forgery protection in: header name: kbn-xsrf required: true schema: type: string SLOs_slo_id: description: An identifier for the slo. in: path name: sloId required: true schema: example: 9c235211-6834-11ea-a78c-6feb38a34414 type: string SLOs_space_id: description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used. 
in: path name: spaceId required: true schema: example: default type: string schemas: Alerting_401_response: properties: error: enum: - Unauthorized example: Unauthorized type: string message: type: string statusCode: enum: - 401 example: 401 type: integer title: Unsuccessful rule API response type: object Alerting_alert_response_properties: title: Legacy alert response properties type: object properties: actions: items: type: object type: array alertTypeId: example: .index-threshold type: string apiKeyOwner: example: elastic nullable: true type: string createdAt: description: The date and time that the alert was created. example: '2022-12-05T23:36:58.284Z' format: date-time type: string createdBy: description: The identifier for the user that created the alert. example: elastic type: string enabled: description: Indicates whether the alert is currently enabled. example: true type: boolean executionStatus: type: object properties: lastExecutionDate: example: '2022-12-06T00:13:43.890Z' format: date-time type: string status: example: ok type: string id: description: The identifier for the alert. example: b530fed0-74f5-11ed-9801-35303b735aef type: string muteAll: example: false type: boolean mutedInstanceIds: items: type: string nullable: true type: array name: description: The name of the alert. example: my alert type: string notifyWhen: example: onActionGroupChange type: string params: additionalProperties: true type: object schedule: type: object properties: interval: type: string scheduledTaskId: example: b530fed0-74f5-11ed-9801-35303b735aef type: string tags: items: type: string type: array throttle: nullable: true type: string updatedAt: example: '2022-12-05T23:36:58.284Z' type: string updatedBy: description: The identifier for the user that updated this alert most recently. 
example: elastic nullable: true type: string Alerting_fieldmap_properties: title: Field map objects in the get rule types response type: object properties: array: description: Indicates whether the field is an array. type: boolean dynamic: description: Indicates whether it is a dynamic field mapping. type: boolean format: description: | Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`. type: string ignore_above: description: Specifies the maximum length of a string field. Longer strings are not indexed or stored. type: integer index: description: Indicates whether field values are indexed. type: boolean path: description: TBD type: string properties: additionalProperties: type: object properties: type: description: The data type for each object property. type: string description: | Details about the object properties. This property is applicable when `type` is `object`. type: object required: description: Indicates whether the field is required. type: boolean scaling_factor: description: | The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value. type: integer type: description: Specifies the data type for the field. 
example: scaled_float type: string APM_UI_400_response: type: object properties: error: description: Error type example: Not Found type: string message: description: Error message example: Not Found type: string statusCode: description: Error status code example: 400 type: number APM_UI_401_response: type: object properties: error: description: Error type example: Unauthorized type: string message: description: Error message type: string statusCode: description: Error status code example: 401 type: number APM_UI_403_response: type: object properties: error: description: Error type example: Forbidden type: string message: description: Error message type: string statusCode: description: Error status code example: 403 type: number APM_UI_404_response: type: object properties: error: description: Error type example: Not Found type: string message: description: Error message example: Not Found type: string statusCode: description: Error status code example: 404 type: number APM_UI_500_response: type: object properties: error: description: Error type example: Internal Server Error type: string message: description: Error message type: string statusCode: description: Error status code example: 500 type: number APM_UI_501_response: type: object properties: error: description: Error type example: Not Implemented type: string message: description: Error message example: Not Implemented type: string statusCode: description: Error status code example: 501 type: number APM_UI_agent_configuration_intake_object: type: object properties: agent_name: description: Agent name type: string service: $ref: '#/components/schemas/APM_UI_service_object' settings: $ref: '#/components/schemas/APM_UI_settings_object' required: - service - settings APM_UI_agent_configuration_object: description: Agent configuration type: object properties: '@timestamp': description: Timestamp example: 1730194190636 type: number agent_name: description: Agent name type: string applied_by_agent: description: 
Applied by agent example: true type: boolean etag: description: Etag example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 type: string service: $ref: '#/components/schemas/APM_UI_service_object' settings: $ref: '#/components/schemas/APM_UI_settings_object' required: - service - settings - '@timestamp' - etag APM_UI_agent_configurations_response: type: object properties: configurations: description: Agent configuration items: $ref: '#/components/schemas/APM_UI_agent_configuration_object' type: array APM_UI_agent_keys_object: type: object properties: name: description: Agent name type: string privileges: description: Privileges configuration items: enum: - event:write - config_agent:read type: string type: array required: - name - privileges APM_UI_agent_keys_response: type: object properties: agentKey: description: Agent key type: object properties: api_key: type: string encoded: type: string expiration: format: int64 type: integer id: type: string name: type: string required: - id - name - api_key - encoded APM_UI_annotation_search_response: type: object properties: annotations: description: Annotations items: type: object properties: '@timestamp': type: number id: type: string text: type: string type: enum: - version type: string type: array APM_UI_base_source_map_object: type: object properties: compressionAlgorithm: description: Compression Algorithm type: string created: description: Created date type: string decodedSha256: description: Decoded SHA-256 type: string decodedSize: description: Decoded size type: number encodedSha256: description: Encoded SHA-256 type: string encodedSize: description: Encoded size type: number encryptionAlgorithm: description: Encryption Algorithm type: string id: description: Identifier type: string identifier: description: Identifier type: string packageName: description: Package name type: string relative_url: description: Relative URL type: string type: description: Type type: string APM_UI_create_annotation_object: type: object 
properties: '@timestamp': description: Timestamp type: string message: description: Message type: string service: description: Service type: object properties: environment: type: string version: type: string required: - version tags: description: Tags items: type: string type: array required: - '@timestamp' - service APM_UI_create_annotation_response: type: object properties: _id: description: Identifier type: string _index: description: Index type: string _source: description: Response type: object properties: '@timestamp': type: string annotation: type: object properties: title: type: string type: type: string event: type: object properties: created: type: string message: type: string service: type: object properties: environment: type: string name: type: string version: type: string tags: items: type: string type: array APM_UI_delete_agent_configurations_response: type: object properties: result: description: Result type: string APM_UI_search_agent_configuration_object: type: object properties: etag: description: If etags match then `applied_by_agent` field will be set to `true` example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85 type: string mark_as_applied_by_agent: description: | `markAsAppliedByAgent=true` means "force setting it to true regardless of etag". 
This is needed for Jaeger agent that doesn't have etags type: boolean service: $ref: '#/components/schemas/APM_UI_service_object' required: - service APM_UI_search_agent_configuration_response: type: object properties: _id: description: Identifier type: string _index: description: Index type: string _score: description: Score type: number _source: $ref: '#/components/schemas/APM_UI_agent_configuration_object' APM_UI_service_agent_name_response: type: object properties: agentName: description: Agent name example: nodejs type: string APM_UI_service_environment_object: type: object properties: alreadyConfigured: description: Already configured type: boolean name: description: Service environment name example: ALL_OPTION_VALUE type: string APM_UI_service_environments_response: type: object properties: environments: description: Service environment list items: $ref: '#/components/schemas/APM_UI_service_environment_object' type: array APM_UI_service_object: description: Service type: object properties: environment: description: Environment example: prod type: string name: description: Name example: node type: string APM_UI_settings_object: additionalProperties: type: string description: Agent configuration settings type: object APM_UI_single_agent_configuration_response: allOf: - type: object properties: id: type: string required: - id - $ref: '#/components/schemas/APM_UI_agent_configuration_object' APM_UI_source_maps_response: type: object properties: artifacts: description: Artifacts items: allOf: - type: object properties: body: type: object properties: bundleFilepath: type: string serviceName: type: string serviceVersion: type: string sourceMap: type: object properties: file: type: string mappings: type: string sourceRoot: type: string sources: items: type: string type: array sourcesContent: items: type: string type: array version: type: number - $ref: '#/components/schemas/APM_UI_base_source_map_object' type: array APM_UI_upload_source_map_object: type: object 
properties: bundle_filepath: description: The absolute path of the final bundle as used in the web application. type: string service_name: description: The name of the service that the service map should apply to. type: string service_version: description: The version of the service that the service map should apply to. type: string sourcemap: description: | The source map. String or file upload. It must follow the [source map revision 3 proposal](https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k). format: binary type: string required: - service_name - service_version - bundle_filepath - sourcemap APM_UI_upload_source_maps_response: allOf: - type: object properties: body: type: string - $ref: '#/components/schemas/APM_UI_base_source_map_object' Cases_4xx_response: properties: error: example: Unauthorized type: string message: type: string statusCode: example: 401 type: integer title: Unsuccessful cases API response type: object Cases_action_types: description: The type of action. enum: - assignees - create_case - comment - connector - delete_case - description - pushed - tags - title - status - settings - severity example: create_case type: string Cases_actions: enum: - add - create - delete - push_to_service - update example: create type: string Cases_add_alert_comment_request_properties: description: Defines properties for case comment requests when type is alert. type: object properties: alertId: $ref: '#/components/schemas/Cases_alert_identifiers' index: $ref: '#/components/schemas/Cases_alert_indices' owner: $ref: '#/components/schemas/Cases_owner' rule: $ref: '#/components/schemas/Cases_rule' type: description: The type of comment. enum: - alert example: alert type: string required: - alertId - index - owner - rule - type title: Add case comment request properties for alerts Cases_add_case_comment_request: description: The add comment to case API request body varies depending on whether you are adding an alert or a comment. 
discriminator: mapping: alert: '#/components/schemas/Cases_add_alert_comment_request_properties' user: '#/components/schemas/Cases_add_user_comment_request_properties' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' title: Add case comment request Cases_add_case_file_request: description: Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined. type: object properties: file: description: The file being attached to the case. format: binary type: string filename: description: The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. **This should not include the file extension.** type: string required: - file title: Add case file request properties Cases_add_user_comment_request_properties: description: Defines properties for case comment requests when type is user. properties: comment: description: The new comment. It is required only when `type` is `user`. example: A new comment. maxLength: 30000 type: string owner: $ref: '#/components/schemas/Cases_owner' type: description: The type of comment. 
enum: - user example: user type: string required: - comment - owner - type title: Add case comment request properties for user comments type: object Cases_alert_comment_response_properties: title: Add case comment response properties for alerts type: object properties: alertId: items: example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 type: string type: array created_at: example: '2023-11-06T19:29:38.424Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username id: example: 73362370-ab1a-11ec-985f-97e55adae8b9 type: string index: items: example: .internal.alerts-security.alerts-default-000001 type: string type: array owner: $ref: '#/components/schemas/Cases_owner' pushed_at: example: null format: date-time nullable: true type: string pushed_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username rule: type: object properties: id: description: The rule identifier. example: 94d80550-aaf4-11ec-985f-97e55adae8b9 type: string name: description: The rule name. 
example: security_rule type: string type: enum: - alert example: alert type: string updated_at: format: date-time nullable: true type: string updated_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username version: example: WzMwNDgsMV0= type: string required: - type Cases_alert_identifiers: description: | The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 oneOf: - type: string - items: type: string maxItems: 1000 type: array title: Alert identifiers x-state: Technical preview Cases_alert_indices: description: | The alert indices. It is required only when `type` is `alert`. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. 
oneOf: - type: string - items: type: string maxItems: 1000 type: array title: Alert indices x-state: Technical preview Cases_alert_response_properties: type: object properties: attached_at: format: date-time type: string id: description: The alert identifier. type: string index: description: The alert index. type: string Cases_assignees: description: An array containing users that are assigned to the case. items: type: object properties: uid: description: A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API. example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 type: string required: - uid maxItems: 10 nullable: true type: array Cases_case_categories: items: $ref: '#/components/schemas/Cases_case_category' maxItems: 100 type: array Cases_case_category: description: A word or phrase that categorizes the case. maxLength: 50 type: string Cases_case_description: description: The description for the case. maxLength: 30000 type: string Cases_case_response_closed_by_properties: nullable: true properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username title: Case response properties for closed_by type: object Cases_case_response_created_by_properties: title: Case response properties for created_by type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username Cases_case_response_properties: title: Case response properties type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: description: The case category. 
nullable: true type: string closed_at: format: date-time nullable: true type: string closed_by: $ref: '#/components/schemas/Cases_case_response_closed_by_properties' comments: description: An array of comment objects for the case. items: discriminator: mapping: alert: '#/components/schemas/Cases_alert_comment_response_properties' user: '#/components/schemas/Cases_user_comment_response_properties' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - $ref: '#/components/schemas/Cases_user_comment_response_properties' maxItems: 10000 title: Case response properties for comments type: array connector: discriminator: mapping: .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' .jira: '#/components/schemas/Cases_connector_properties_jira' .none: '#/components/schemas/Cases_connector_properties_none' .resilient: '#/components/schemas/Cases_connector_properties_resilient' .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_connector_properties_none' - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - $ref: '#/components/schemas/Cases_connector_properties_jira' - $ref: '#/components/schemas/Cases_connector_properties_resilient' - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - $ref: '#/components/schemas/Cases_connector_properties_swimlane' title: Case response properties for connectors created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: $ref: '#/components/schemas/Cases_case_response_created_by_properties' customFields: description: Custom field values for the case. 
items: type: object properties: key: description: | The unique identifier for the custom field. The key value must exist in the case configuration settings. type: string type: description: | The custom field type. It must match the type specified in the case configuration settings. enum: - text - toggle type: string value: description: | The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. oneOf: - maxLength: 160 minLength: 1 nullable: true type: string - type: boolean type: array description: example: A case description. type: string duration: description: | The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero. 
example: 120 nullable: true type: integer external_service: $ref: '#/components/schemas/Cases_external_service' id: example: 66b9aa00-94fa-11ea-9f74-e7e108796192 type: string owner: $ref: '#/components/schemas/Cases_owner' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' status: $ref: '#/components/schemas/Cases_case_status' tags: example: - tag-1 items: type: string type: array title: example: Case title 1 type: string totalAlerts: example: 0 type: integer totalComment: example: 0 type: integer updated_at: format: date-time nullable: true type: string updated_by: $ref: '#/components/schemas/Cases_case_response_updated_by_properties' version: example: WzUzMiwxXQ== type: string required: - closed_at - closed_by - comments - connector - created_at - created_by - description - duration - external_service - id - owner - settings - severity - status - tags - title - totalAlerts - totalComment - updated_at - updated_by - version Cases_case_response_pushed_by_properties: nullable: true properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username title: Case response properties for pushed_by type: object Cases_case_response_updated_by_properties: nullable: true properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username title: Case response properties for updated_by type: object Cases_case_severity: default: low description: The severity of the case. 
enum: - critical - high - low - medium type: string Cases_case_status: description: The status of the case. enum: - closed - in-progress - open type: string Cases_case_tags: description: | The words and phrases that help categorize cases. It can be an empty array. items: maxLength: 256 type: string maxItems: 200 type: array Cases_case_title: description: A title for the case. maxLength: 160 type: string Cases_closure_types: description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`). enum: - close-by-pushing - close-by-user example: close-by-user type: string Cases_connector_properties_cases_webhook: description: Defines properties for connectors when type is `.cases-webhook`. type: object properties: fields: example: null nullable: true type: string id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .cases-webhook example: .cases-webhook type: string required: - fields - id - name - type title: Create or update case request properties for Cases Webhook connector Cases_connector_properties_jira: description: Defines properties for connectors when type is `.jira`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: issueType: description: The type of issue. nullable: true type: string parent: description: The key of the parent issue, when the issue type is sub-task. nullable: true type: string priority: description: The priority of the issue. nullable: true type: string required: - issueType - parent - priority id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. 
type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .jira example: .jira type: string required: - fields - id - name - type title: Create or update case request properties for a Jira connector Cases_connector_properties_none: description: Defines properties for connectors when type is `.none`. type: object properties: fields: description: An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null. example: null nullable: true type: string id: description: The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. example: none type: string name: description: The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`. example: none type: string type: description: The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`. enum: - .none example: .none type: string required: - fields - id - name - type title: Create or update case request properties for no connector Cases_connector_properties_resilient: description: Defines properties for connectors when type is `.resilient`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. nullable: true type: object properties: issueTypes: description: The type of incident. items: type: string type: array severityCode: description: The severity code of the incident. type: string required: - issueTypes - severityCode id: description: The identifier for the connector. type: string name: description: The name of the connector. type: string type: description: The type of connector. 
enum: - .resilient example: .resilient type: string required: - fields - id - name - type title: Create case request properties for an IBM Resilient connector Cases_connector_properties_servicenow: description: Defines properties for connectors when type is `.servicenow`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: category: description: The category of the incident. nullable: true type: string impact: description: The effect an incident had on business. nullable: true type: string severity: description: The severity of the incident. nullable: true type: string subcategory: description: The subcategory of the incident. nullable: true type: string urgency: description: The extent to which the incident resolution can be delayed. nullable: true type: string required: - category - impact - severity - subcategory - urgency id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .servicenow example: .servicenow type: string required: - fields - id - name - type title: Create case request properties for a ServiceNow ITSM connector Cases_connector_properties_servicenow_sir: description: Defines properties for connectors when type is `.servicenow-sir`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: category: description: The category of the incident. nullable: true type: string destIp: description: Indicates whether cases will send a comma-separated list of destination IPs. nullable: true type: boolean malwareHash: description: Indicates whether cases will send a comma-separated list of malware hashes. 
nullable: true type: boolean malwareUrl: description: Indicates whether cases will send a comma-separated list of malware URLs. nullable: true type: boolean priority: description: The priority of the issue. nullable: true type: string sourceIp: description: Indicates whether cases will send a comma-separated list of source IPs. nullable: true type: boolean subcategory: description: The subcategory of the incident. nullable: true type: string required: - category - destIp - malwareHash - malwareUrl - priority - sourceIp - subcategory id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .servicenow-sir example: .servicenow-sir type: string required: - fields - id - name - type title: Create case request properties for a ServiceNow SecOps connector Cases_connector_properties_swimlane: description: Defines properties for connectors when type is `.swimlane`. type: object properties: fields: description: An object containing the connector fields. If you want to omit any individual field, specify null as its value. type: object properties: caseId: description: The case identifier for Swimlane connectors. nullable: true type: string required: - caseId id: description: The identifier for the connector. To retrieve connector IDs, use the find connectors API. type: string name: description: The name of the connector. type: string type: description: The type of connector. enum: - .swimlane example: .swimlane type: string required: - fields - id - name - type title: Create case request properties for a Swimlane connector Cases_connector_types: description: The type of connector. 
enum: - .cases-webhook - .jira - .none - .resilient - .servicenow - .servicenow-sir - .swimlane example: .none type: string Cases_create_case_request: description: The create case API request body varies depending on the type of connector. properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: $ref: '#/components/schemas/Cases_case_category' connector: oneOf: - $ref: '#/components/schemas/Cases_connector_properties_none' - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - $ref: '#/components/schemas/Cases_connector_properties_jira' - $ref: '#/components/schemas/Cases_connector_properties_resilient' - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - $ref: '#/components/schemas/Cases_connector_properties_swimlane' customFields: description: | Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. items: type: object properties: key: description: | The unique identifier for the custom field. The key value must exist in the case configuration settings. type: string type: description: | The custom field type. It must match the type specified in the case configuration settings. enum: - text - toggle type: string value: description: | The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. 
oneOf: - maxLength: 160 minLength: 1 nullable: true type: string - type: boolean required: - key - type - value maxItems: 10 minItems: 0 type: array description: $ref: '#/components/schemas/Cases_case_description' owner: $ref: '#/components/schemas/Cases_owner' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' tags: $ref: '#/components/schemas/Cases_case_tags' title: $ref: '#/components/schemas/Cases_case_title' required: - connector - description - owner - settings - tags - title title: Create case request type: object Cases_external_service: nullable: true type: object properties: connector_id: type: string connector_name: type: string external_id: type: string external_title: type: string external_url: type: string pushed_at: format: date-time type: string pushed_by: nullable: true type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string Cases_owner: description: | The application that owns the cases: Stack Management, Observability, or Elastic Security. enum: - cases - observability - securitySolution example: cases type: string Cases_owners: items: $ref: '#/components/schemas/Cases_owner' type: array Cases_payload_alert_comment: type: object properties: comment: type: object properties: alertId: oneOf: - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d type: string - items: type: string type: array index: oneOf: - example: .alerts-observability.logs.alerts-default type: string - items: type: string type: array owner: $ref: '#/components/schemas/Cases_owner' rule: type: object properties: id: description: The rule identifier. example: 94d80550-aaf4-11ec-985f-97e55adae8b9 type: string name: description: The rule name. 
example: security_rule type: string type: enum: - alert type: string Cases_payload_assignees: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' Cases_payload_connector: type: object properties: connector: type: object properties: fields: description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. example: null nullable: true type: object properties: caseId: description: The case identifier for Swimlane connectors. type: string category: description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. type: string destIp: description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. nullable: true type: boolean impact: description: The effect an incident had on business for ServiceNow ITSM connectors. type: string issueType: description: The type of issue for Jira connectors. type: string issueTypes: description: The type of incident for IBM Resilient connectors. items: type: string type: array malwareHash: description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. nullable: true type: boolean malwareUrl: description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. nullable: true type: boolean parent: description: The key of the parent issue, when the issue type is sub-task for Jira connectors. type: string priority: description: The priority of the issue for Jira and ServiceNow SecOps connectors. type: string severity: description: The severity of the incident for ServiceNow ITSM connectors. type: string severityCode: description: The severity code of the incident for IBM Resilient connectors. 
type: string sourceIp: description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. nullable: true type: boolean subcategory: description: The subcategory of the incident for ServiceNow ITSM connectors. type: string urgency: description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string id: description: The identifier for the connector. To create a case without a connector, use `none`. example: none type: string name: description: The name of the connector. To create a case without a connector, use `none`. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' Cases_payload_create_case: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' connector: type: object properties: fields: description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value. example: null nullable: true type: object properties: caseId: description: The case identifier for Swimlane connectors. type: string category: description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. type: string destIp: description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors. nullable: true type: boolean impact: description: The effect an incident had on business for ServiceNow ITSM connectors. type: string issueType: description: The type of issue for Jira connectors. type: string issueTypes: description: The type of incident for IBM Resilient connectors. items: type: string type: array malwareHash: description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors. 
nullable: true type: boolean malwareUrl: description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors. nullable: true type: boolean parent: description: The key of the parent issue, when the issue type is sub-task for Jira connectors. type: string priority: description: The priority of the issue for Jira and ServiceNow SecOps connectors. type: string severity: description: The severity of the incident for ServiceNow ITSM connectors. type: string severityCode: description: The severity code of the incident for IBM Resilient connectors. type: string sourceIp: description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors. nullable: true type: boolean subcategory: description: The subcategory of the incident for ServiceNow ITSM connectors. type: string urgency: description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors. type: string id: description: The identifier for the connector. To create a case without a connector, use `none`. example: none type: string name: description: The name of the connector. To create a case without a connector, use `none`. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' description: type: string owner: $ref: '#/components/schemas/Cases_owner' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' status: $ref: '#/components/schemas/Cases_case_status' tags: items: example: - tag-1 type: string type: array title: type: string Cases_payload_delete: description: If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable. 
nullable: true type: object Cases_payload_description: type: object properties: description: type: string Cases_payload_pushed: type: object properties: externalService: $ref: '#/components/schemas/Cases_external_service' Cases_payload_settings: type: object properties: settings: $ref: '#/components/schemas/Cases_settings' Cases_payload_severity: type: object properties: severity: $ref: '#/components/schemas/Cases_case_severity' Cases_payload_status: type: object properties: status: $ref: '#/components/schemas/Cases_case_status' Cases_payload_tags: type: object properties: tags: example: - tag-1 items: type: string type: array Cases_payload_title: type: object properties: title: type: string Cases_payload_user_comment: type: object properties: comment: type: object properties: comment: type: string owner: $ref: '#/components/schemas/Cases_owner' type: enum: - user type: string Cases_rule: description: | The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. title: Alerting rule type: object properties: id: description: The rule identifier. example: 94d80550-aaf4-11ec-985f-97e55adae8b9 type: string name: description: The rule name. example: security_rule type: string x-state: Technical preview Cases_searchFieldsType: description: The fields to perform the `simple_query_string` parsed query against. enum: - description - title type: string Cases_searchFieldsTypeArray: items: $ref: '#/components/schemas/Cases_searchFieldsType' type: array Cases_set_case_configuration_request: description: External connection details, such as the closure type and default connector for cases. 
properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: description: An object that contains the connector configuration. type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' required: - fields - id - name - type customFields: description: Custom fields case configuration. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. 
type: boolean required: - key - label - required - type maxItems: 10 minItems: 0 type: array owner: $ref: '#/components/schemas/Cases_owner' templates: $ref: '#/components/schemas/Cases_templates' required: - closure_type - connector - owner title: Set case configuration request type: object Cases_settings: description: An object that contains the case settings. type: object properties: syncAlerts: description: Turns alert syncing on or off. example: true type: boolean required: - syncAlerts Cases_string: type: string Cases_string_array: items: $ref: '#/components/schemas/Cases_string' maxItems: 100 type: array Cases_template_tags: description: | The words and phrases that help categorize templates. It can be an empty array. items: maxLength: 256 type: string maxItems: 200 type: array Cases_templates: items: type: object properties: caseFields: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: $ref: '#/components/schemas/Cases_case_category' connector: type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' customFields: description: Custom field values in the template. items: type: object properties: key: description: The unique key for the custom field. type: string type: description: The type of the custom field. 
enum: - text - toggle type: string value: description: | The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. oneOf: - type: string - type: boolean type: array x-state: Technical preview description: $ref: '#/components/schemas/Cases_case_description' settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' tags: $ref: '#/components/schemas/Cases_case_tags' title: $ref: '#/components/schemas/Cases_case_title' description: description: A description for the template. type: string key: description: | A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template. type: string name: description: The name of the template. type: string tags: $ref: '#/components/schemas/Cases_template_tags' type: array x-state: Technical preview Cases_update_alert_comment_request_properties: description: Defines properties for case comment requests when type is alert. type: object properties: alertId: $ref: '#/components/schemas/Cases_alert_identifiers' id: description: | The identifier for the comment. To retrieve comment IDs, use the get comments API. example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string index: $ref: '#/components/schemas/Cases_alert_indices' owner: $ref: '#/components/schemas/Cases_owner' rule: $ref: '#/components/schemas/Cases_rule' type: description: The type of comment. enum: - alert example: alert type: string version: description: | The current comment version. To retrieve version values, use the get comments API. 
example: Wzk1LDFd type: string required: - alertId - id - index - owner - rule - type - version title: Update case comment request properties for alerts Cases_update_case_comment_request: description: The update case comment API request body varies depending on whether you are updating an alert or a comment. discriminator: mapping: alert: '#/components/schemas/Cases_update_alert_comment_request_properties' user: '#/components/schemas/Cases_update_user_comment_request_properties' propertyName: type oneOf: - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' title: Update case comment request Cases_update_case_configuration_request: description: | You can update settings such as the closure type, custom fields, templates, and the default connector for cases. properties: closure_type: $ref: '#/components/schemas/Cases_closure_types' connector: description: An object that contains the connector configuration. type: object properties: fields: description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`. nullable: true type: object id: description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API. example: none type: string name: description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API. example: none type: string type: $ref: '#/components/schemas/Cases_connector_types' required: - fields - id - name - type customFields: description: Custom fields case configuration. items: type: object properties: defaultValue: description: | A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean. 
oneOf: - type: string - type: boolean key: description: | A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field. maxLength: 36 minLength: 1 type: string label: description: The custom field label that is displayed in the case. maxLength: 50 minLength: 1 type: string type: description: The type of the custom field. enum: - text - toggle type: string required: description: | Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated. type: boolean required: - key - label - required - type type: array templates: $ref: '#/components/schemas/Cases_templates' version: description: | The version of the connector. To retrieve the version value, use the get configuration API. example: WzIwMiwxXQ== type: string required: - version title: Update case configuration request type: object Cases_update_case_request: description: The update case API request body varies depending on the type of connector. properties: cases: description: An array containing one or more case objects. items: type: object properties: assignees: $ref: '#/components/schemas/Cases_assignees' category: $ref: '#/components/schemas/Cases_case_category' connector: oneOf: - $ref: '#/components/schemas/Cases_connector_properties_none' - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - $ref: '#/components/schemas/Cases_connector_properties_jira' - $ref: '#/components/schemas/Cases_connector_properties_resilient' - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - $ref: '#/components/schemas/Cases_connector_properties_swimlane' customFields: description: | Custom field values for a case. Any optional custom fields that are not specified in the request are set to null. 
items: type: object properties: key: description: | The unique identifier for the custom field. The key value must exist in the case configuration settings. type: string type: description: | The custom field type. It must match the type specified in the case configuration settings. enum: - text - toggle type: string value: description: | The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`. oneOf: - maxLength: 160 minLength: 1 nullable: true type: string - type: boolean required: - key - type - value maxItems: 10 minItems: 0 type: array description: $ref: '#/components/schemas/Cases_case_description' id: description: The identifier for the case. maxLength: 30000 type: string settings: $ref: '#/components/schemas/Cases_settings' severity: $ref: '#/components/schemas/Cases_case_severity' status: $ref: '#/components/schemas/Cases_case_status' tags: $ref: '#/components/schemas/Cases_case_tags' title: $ref: '#/components/schemas/Cases_case_title' version: description: The current version of the case. To determine this value, use the get case or find cases APIs. type: string required: - id - version maxItems: 100 minItems: 1 type: array required: - cases title: Update case request type: object Cases_update_user_comment_request_properties: description: Defines properties for case comment requests when type is user. properties: comment: description: The new comment. It is required only when `type` is `user`. example: A new comment. maxLength: 30000 type: string id: description: | The identifier for the comment. To retrieve comment IDs, use the get comments API. example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string owner: $ref: '#/components/schemas/Cases_owner' type: description: The type of comment. 
enum: - user example: user type: string version: description: | The current comment version. To retrieve version values, use the get comments API. example: Wzk1LDFd type: string required: - comment - id - owner - type - version title: Update case comment request properties for user comments type: object Cases_user_actions_find_response_properties: type: object properties: action: $ref: '#/components/schemas/Cases_actions' comment_id: example: 578608d0-03b1-11ed-920c-974bfa104448 nullable: true type: string created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username id: example: 22fd3e30-03b1-11ed-920c-974bfa104448 type: string owner: $ref: '#/components/schemas/Cases_owner' payload: oneOf: - $ref: '#/components/schemas/Cases_payload_alert_comment' - $ref: '#/components/schemas/Cases_payload_assignees' - $ref: '#/components/schemas/Cases_payload_connector' - $ref: '#/components/schemas/Cases_payload_create_case' - $ref: '#/components/schemas/Cases_payload_delete' - $ref: '#/components/schemas/Cases_payload_description' - $ref: '#/components/schemas/Cases_payload_pushed' - $ref: '#/components/schemas/Cases_payload_settings' - $ref: '#/components/schemas/Cases_payload_severity' - $ref: '#/components/schemas/Cases_payload_status' - $ref: '#/components/schemas/Cases_payload_tags' - $ref: '#/components/schemas/Cases_payload_title' - $ref: '#/components/schemas/Cases_payload_user_comment' type: description: The type of action. 
enum: - assignees - create_case - comment - connector - description - pushed - tags - title - status - settings - severity example: create_case type: string version: example: WzM1ODg4LDFd type: string required: - action - comment_id - created_at - created_by - id - owner - payload - type - version Cases_user_actions_response_properties: type: object properties: action: $ref: '#/components/schemas/Cases_actions' action_id: example: 22fd3e30-03b1-11ed-920c-974bfa104448 type: string case_id: example: 22df07d0-03b1-11ed-920c-974bfa104448 type: string comment_id: example: 578608d0-03b1-11ed-920c-974bfa104448 nullable: true type: string created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: type: object properties: email: example: null nullable: true type: string full_name: example: null nullable: true type: string profile_uid: example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 type: string username: example: elastic nullable: true type: string required: - email - full_name - username owner: $ref: '#/components/schemas/Cases_owner' payload: oneOf: - $ref: '#/components/schemas/Cases_payload_alert_comment' - $ref: '#/components/schemas/Cases_payload_assignees' - $ref: '#/components/schemas/Cases_payload_connector' - $ref: '#/components/schemas/Cases_payload_create_case' - $ref: '#/components/schemas/Cases_payload_delete' - $ref: '#/components/schemas/Cases_payload_description' - $ref: '#/components/schemas/Cases_payload_pushed' - $ref: '#/components/schemas/Cases_payload_settings' - $ref: '#/components/schemas/Cases_payload_severity' - $ref: '#/components/schemas/Cases_payload_status' - $ref: '#/components/schemas/Cases_payload_tags' - $ref: '#/components/schemas/Cases_payload_title' - $ref: '#/components/schemas/Cases_payload_user_comment' type: $ref: '#/components/schemas/Cases_action_types' required: - action - action_id - case_id - comment_id - created_at - created_by - owner - payload - type 
Cases_user_comment_response_properties: title: Case response properties for user comments type: object properties: comment: example: A new comment. type: string created_at: example: '2022-05-13T09:16:17.416Z' format: date-time type: string created_by: $ref: '#/components/schemas/Cases_case_response_created_by_properties' id: example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 type: string owner: $ref: '#/components/schemas/Cases_owner' pushed_at: example: null format: date-time nullable: true type: string pushed_by: $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' type: enum: - user example: user type: string updated_at: example: null format: date-time nullable: true type: string updated_by: $ref: '#/components/schemas/Cases_case_response_updated_by_properties' version: example: WzIwNDMxLDFd type: string required: - type Data_views_400_response: title: Bad request type: object properties: error: example: Bad Request type: string message: type: string statusCode: example: 400 type: number required: - statusCode - error - message Data_views_404_response: type: object properties: error: enum: - Not Found example: Not Found type: string message: example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found type: string statusCode: enum: - 404 example: 404 type: integer Data_views_allownoindex: description: Allows the data view saved object to exist before the data is available. type: boolean Data_views_create_data_view_request_object: title: Create data view request type: object properties: data_view: description: The data view object. type: object properties: allowNoIndex: $ref: '#/components/schemas/Data_views_allownoindex' fieldAttrs: additionalProperties: $ref: '#/components/schemas/Data_views_fieldattrs' type: object fieldFormats: $ref: '#/components/schemas/Data_views_fieldformats' fields: type: object id: type: string name: description: The data view name. 
type: string namespaces: $ref: '#/components/schemas/Data_views_namespaces' runtimeFieldMap: additionalProperties: $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object sourceFilters: $ref: '#/components/schemas/Data_views_sourcefilters' timeFieldName: $ref: '#/components/schemas/Data_views_timefieldname' title: $ref: '#/components/schemas/Data_views_title' type: $ref: '#/components/schemas/Data_views_type' typeMeta: $ref: '#/components/schemas/Data_views_typemeta' version: type: string required: - title override: default: false description: Override an existing data view if a data view with the provided title already exists. type: boolean required: - data_view Data_views_data_view_response_object: title: Data view response properties type: object properties: data_view: type: object properties: allowNoIndex: $ref: '#/components/schemas/Data_views_allownoindex' fieldAttrs: additionalProperties: $ref: '#/components/schemas/Data_views_fieldattrs' type: object fieldFormats: $ref: '#/components/schemas/Data_views_fieldformats' fields: type: object id: example: ff959d40-b880-11e8-a6d9-e546fe2bba5f type: string name: description: The data view name. type: string namespaces: $ref: '#/components/schemas/Data_views_namespaces' runtimeFieldMap: additionalProperties: $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object sourceFilters: $ref: '#/components/schemas/Data_views_sourcefilters' timeFieldName: $ref: '#/components/schemas/Data_views_timefieldname' title: $ref: '#/components/schemas/Data_views_title' typeMeta: $ref: '#/components/schemas/Data_views_typemeta_response' version: example: WzQ2LDJd type: string Data_views_fieldattrs: description: A map of field attributes by field name. type: object properties: count: description: Popularity count for the field. type: integer customDescription: description: Custom description for the field. maxLength: 300 type: string customLabel: description: Custom label for the field. 
type: string Data_views_fieldformats: description: A map of field formats by field name. type: object Data_views_namespaces: description: An array of space identifiers for sharing the data view between multiple spaces. items: default: default type: string type: array Data_views_runtimefieldmap: description: A map of runtime field definitions by field name. type: object properties: script: type: object properties: source: description: Script for the runtime field. type: string type: description: Mapping type of the runtime field. type: string required: - script - type Data_views_sourcefilters: description: The array of field names you want to filter out in Discover. items: type: object properties: value: type: string required: - value type: array Data_views_swap_data_view_request_object: title: Data view reference swap request type: object properties: delete: description: Deletes referenced saved object if all references are removed. type: boolean forId: description: Limit the affected saved objects to one or more by identifier. oneOf: - type: string - items: type: string type: array forType: description: Limit the affected saved objects by type. type: string fromId: description: The saved object reference to change. type: string fromType: description: | Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views. type: string toId: description: New saved object reference value to replace the old value. type: string required: - fromId - toId Data_views_timefieldname: description: The timestamp field name, which you use for time-based data views. type: string Data_views_title: description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`). type: string Data_views_type: description: When set to `rollup`, identifies the rollup data views. 
type: string Data_views_typemeta: description: When you use rollup indices, contains the field list for the rollup data view API endpoints. type: object properties: aggs: description: A map of rollup restrictions by aggregation type and field name. type: object params: description: Properties for retrieving rollup fields. type: object required: - aggs - params Data_views_typemeta_response: description: When you use rollup indices, contains the field list for the rollup data view API endpoints. nullable: true type: object properties: aggs: description: A map of rollup restrictions by aggregation type and field name. type: object params: description: Properties for retrieving rollup fields. type: object Data_views_update_data_view_request_object: title: Update data view request type: object properties: data_view: description: | The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted. type: object properties: allowNoIndex: $ref: '#/components/schemas/Data_views_allownoindex' fieldFormats: $ref: '#/components/schemas/Data_views_fieldformats' fields: type: object name: type: string runtimeFieldMap: additionalProperties: $ref: '#/components/schemas/Data_views_runtimefieldmap' type: object sourceFilters: $ref: '#/components/schemas/Data_views_sourcefilters' timeFieldName: $ref: '#/components/schemas/Data_views_timefieldname' title: $ref: '#/components/schemas/Data_views_title' type: $ref: '#/components/schemas/Data_views_type' typeMeta: $ref: '#/components/schemas/Data_views_typemeta' refresh_fields: default: false description: Reloads the data view fields after the data view is updated. type: boolean required: - data_view Kibana_HTTP_APIs_core_status_redactedResponse: additionalProperties: false description: A minimal representation of Kibana's operational status. 
type: object properties: status: additionalProperties: false type: object properties: overall: additionalProperties: false type: object properties: level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string required: - level required: - overall required: - status Kibana_HTTP_APIs_core_status_response: additionalProperties: false description: Kibana's operational status as well as a detailed breakdown of plugin statuses and an indication of various loads (like event loop utilization and network traffic) at the time of the request. type: object properties: metrics: additionalProperties: false description: Metric groups collected by Kibana. type: object properties: collection_interval_in_millis: description: The interval at which metrics should be collected. type: number elasticsearch_client: additionalProperties: false description: Current network metrics of Kibana's Elasticsearch client. type: object properties: totalActiveSockets: description: Count of network sockets currently in use. type: number totalIdleSockets: description: Count of network sockets currently idle. type: number totalQueuedRequests: description: Count of requests not yet assigned to sockets. type: number required: - totalActiveSockets - totalIdleSockets - totalQueuedRequests last_updated: description: The time metrics were collected. type: string required: - elasticsearch_client - last_updated - collection_interval_in_millis name: description: Kibana instance name. type: string status: additionalProperties: false type: object properties: core: additionalProperties: false description: Statuses of core Kibana services. type: object properties: elasticsearch: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service.
type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta savedObjects: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta required: - elasticsearch - savedObjects overall: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta plugins: additionalProperties: additionalProperties: false type: object properties: detail: description: Human readable detail of the service status. type: string documentationUrl: description: A URL to further documentation regarding this service. 
type: string level: description: Service status levels as human and machine readable values. enum: - available - degraded - unavailable - critical type: string meta: additionalProperties: {} description: An unstructured set of extra metadata about this service. type: object summary: description: A human readable summary of the service status. type: string required: - level - summary - meta description: A dynamic mapping of plugin ID to plugin status. type: object required: - overall - core - plugins uuid: description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts. type: string version: additionalProperties: false type: object properties: build_date: description: The date and time of this build. type: string build_flavor: description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases. enum: - serverless - traditional type: string build_hash: description: A unique hash value representing the git commit of this Kibana build. type: string build_number: description: A monotonically increasing number, each subsequent build will have a higher number. type: number build_snapshot: description: Whether this build is a snapshot build. type: boolean number: description: A semantic version number. type: string required: - number - build_hash - build_number - build_snapshot - build_flavor - build_date required: - name - uuid - version - status - metrics Machine_learning_APIs_mlSync200Response: properties: datafeedsAdded: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API. 
type: object datafeedsRemoved: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API. type: object savedObjectsCreated: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated' savedObjectsDeleted: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted' title: Successful sync API response type: object Machine_learning_APIs_mlSync4xxResponse: properties: error: example: Unauthorized type: string message: type: string statusCode: example: 401 type: integer title: Unsuccessful sync API response type: object Machine_learning_APIs_mlSyncResponseAnomalyDetectors: description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for anomaly detection jobs type: object Machine_learning_APIs_mlSyncResponseDatafeeds: description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for datafeeds type: object Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status. 
properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for data frame analytics jobs type: object Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' description: If saved objects are missing for anomaly detection jobs, they are created. type: object data-frame-analytics: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' description: If saved objects are missing for data frame analytics jobs, they are created. type: object trained-model: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' description: If saved objects are missing for trained models, they are created. type: object title: Sync API response for created saved objects type: object Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API. properties: anomaly-detector: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors' description: If saved objects exist for nonexistent anomaly detection jobs, they are deleted. type: object data-frame-analytics: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics' description: If saved objects exist for nonexistent data frame analytics jobs, they are deleted.
type: object trained-model: additionalProperties: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels' description: If saved objects exist for nonexistent trained models, they are deleted. type: object title: Sync API response for deleted saved objects type: object Machine_learning_APIs_mlSyncResponseSuccess: description: The success or failure of the synchronization. type: boolean Machine_learning_APIs_mlSyncResponseTrainedModels: description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status. properties: success: $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' title: Sync API response for trained models type: object Saved_objects_400_response: title: Bad request type: object properties: error: enum: - Bad Request type: string message: type: string statusCode: enum: - 400 type: integer required: - error - message - statusCode Saved_objects_attributes: description: | The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed. type: object Saved_objects_initial_namespaces: description: | Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with `namespaceType: 'multiple'`), this option can be used to specify one or more spaces, including the "All spaces" identifier ('*').
For isolated object types (registered with `namespaceType: 'single'` or `namespaceType: 'multiple-isolated'`), this option can only be used to specify a single space, and the "All spaces" identifier ('*') is not allowed. For global object types (registered with `namespaceType: agnostic`), this option cannot be used. type: array Saved_objects_references: description: | Objects with `name`, `id`, and `type` properties that describe the other saved objects that this object references. Use `name` in attributes to refer to the other saved object, but never the `id`, which can update automatically during migrations or import and export. type: array Security_AI_Assistant_API_AnonymizationFieldCreateProps: type: object properties: allowed: type: boolean anonymized: type: boolean field: type: string required: - field Security_AI_Assistant_API_AnonymizationFieldDetailsInError: type: object properties: id: type: string name: type: string required: - id Security_AI_Assistant_API_AnonymizationFieldResponse: type: object properties: allowed: type: boolean anonymized: type: boolean createdAt: type: string createdBy: type: string field: type: string id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' namespace: description: Kibana space type: string timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' updatedAt: type: string updatedBy: type: string required: - id - field Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: enum: - ANONYMIZATION_FIELD_NOT_MODIFIED type: string Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: type: object properties: id: type: string name: type: string skip_reason: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason' required: - id - skip_reason Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: type: object properties: anonymization_fields_count: type: integer attributes: type: object properties: errors:
items: $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError' type: array results: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults' summary: $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary message: type: string status_code: type: integer success: type: boolean required: - attributes Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: type: object properties: created: items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array deleted: items: type: string type: array skipped: items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult' type: array updated: items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse' type: array required: - updated - created - deleted - skipped Security_AI_Assistant_API_AnonymizationFieldUpdateProps: type: object properties: allowed: type: boolean anonymized: type: boolean id: type: string required: - id Security_AI_Assistant_API_ApiConfig: type: object properties: actionTypeId: description: action type id type: string connectorId: description: connector id type: string defaultSystemPromptId: description: defaultSystemPromptId type: string model: description: model type: string provider: $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' description: Provider required: - connectorId - actionTypeId Security_AI_Assistant_API_BaseContentReference: description: The basis of a content reference type: object properties: id: description: Id of the content reference type: string type: description: Type of the content reference type: string required: - id - type Security_AI_Assistant_API_BulkCrudActionSummary: type: object properties: failed: type: integer skipped: type: integer succeeded: type: integer total: type: integer required: - failed - skipped - succeeded - 
total Security_AI_Assistant_API_ChatCompleteProps: type: object properties: connectorId: type: string conversationId: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' isStream: type: boolean langSmithApiKey: type: string langSmithProject: type: string messages: items: $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' type: array model: type: string persist: type: boolean promptId: type: string responseLanguage: type: string required: - messages - persist - connectorId Security_AI_Assistant_API_ChatMessage: description: AI assistant message. type: object properties: content: description: Message content. type: string data: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' description: ECS object to attach to the context of the message. fields_to_anonymize: items: type: string type: array role: $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' description: Message role. required: - role Security_AI_Assistant_API_ChatMessageRole: description: Message role. enum: - system - user - assistant type: string Security_AI_Assistant_API_ContentReferences: additionalProperties: oneOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference' - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference' - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference' - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference' - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference' additionalProperties: false description: A union of all content reference types type: object Security_AI_Assistant_API_ConversationCategory: description: The conversation category. enum: - assistant - insights type: string Security_AI_Assistant_API_ConversationConfidence: description: The conversation confidence. 
enum: - low - medium - high type: string Security_AI_Assistant_API_ConversationCreateProps: type: object properties: apiConfig: $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' description: LLM API configuration. category: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' description: The conversation category. excludeFromLastConversationStorage: description: excludeFromLastConversationStorage. type: boolean id: description: The conversation id. type: string isDefault: description: Is default conversation. type: boolean messages: description: The conversation messages. items: $ref: '#/components/schemas/Security_AI_Assistant_API_Message' type: array replacements: $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' title: description: The conversation title. type: string required: - title Security_AI_Assistant_API_ConversationResponse: type: object properties: apiConfig: $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' description: LLM API configuration. category: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' description: The conversation category. createdAt: description: The last time conversation was updated. type: string excludeFromLastConversationStorage: description: excludeFromLastConversationStorage. type: boolean id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' isDefault: description: Is default conversation. type: boolean messages: description: The conversation messages. items: $ref: '#/components/schemas/Security_AI_Assistant_API_Message' type: array namespace: description: Kibana space type: string replacements: $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' summary: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' title: description: The conversation title. 
type: string updatedAt: description: The last time conversation was updated. type: string users: items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - title - createdAt - users - namespace - category Security_AI_Assistant_API_ConversationSummary: type: object properties: confidence: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationConfidence' description: How confident you are about this being a correct and useful learning. content: description: Summary text of the conversation over time. type: string public: description: Define if summary is marked as publicly available. type: boolean timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' description: The timestamp summary was updated. Security_AI_Assistant_API_ConversationUpdateProps: type: object properties: apiConfig: $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' description: LLM API configuration. category: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' description: The conversation category. excludeFromLastConversationStorage: description: excludeFromLastConversationStorage. type: boolean id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' messages: description: The conversation messages. items: $ref: '#/components/schemas/Security_AI_Assistant_API_Message' type: array replacements: $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' summary: $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' title: description: The conversation title. 
type: string required: - id Security_AI_Assistant_API_DeleteResponseFields: type: object properties: id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' required: - id Security_AI_Assistant_API_DocumentEntry: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false type: boolean name: description: Name of the Knowledge Base Entry type: string namespace: description: Kibana Space, defaults to 'default' space type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - namespace - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields' Security_AI_Assistant_API_DocumentEntryCreateFields: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false type: boolean name: description: Name of the Knowledge Base Entry type: string namespace: description: Kibana Space, defaults to 'default' space type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. 
items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryOptionalFields: type: object properties: required: description: Whether this resource should always be included, defaults to false type: boolean vector: $ref: '#/components/schemas/Security_AI_Assistant_API_Vector' Security_AI_Assistant_API_DocumentEntryRequiredFields: type: object properties: kbResource: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResource' source: description: Source document name or filepath type: string text: description: Knowledge Base Entry content type: string type: description: Entry type enum: - document type: string required: - type - kbResource - source - text Security_AI_Assistant_API_DocumentEntryResponseFields: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields' Security_AI_Assistant_API_DocumentEntryUpdateFields: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false type: boolean id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' name: description: Name of the Knowledge Base Entry type: string namespace: description: Kibana Space, defaults to 'default' space type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. 
items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' Security_AI_Assistant_API_EsqlContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: label: description: Label of the query type: string query: description: An ESQL query type: string timerange: description: Time range to select in the time picker. type: object properties: from: type: string to: type: string required: - from - to type: enum: - EsqlQuery type: string required: - type - query - label description: References an ESQL query Security_AI_Assistant_API_FindAnonymizationFieldsSortField: enum: - created_at - anonymized - allowed - field - updated_at type: string Security_AI_Assistant_API_FindConversationsSortField: enum: - created_at - is_default - title - updated_at type: string Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField: enum: - created_at - is_default - title - updated_at type: string Security_AI_Assistant_API_FindPromptsSortField: enum: - created_at - is_default - name - updated_at type: string Security_AI_Assistant_API_IndexEntry: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false type: boolean name: description: Name of the Knowledge Base Entry type: string namespace: description: Kibana Space, defaults to 'default' space type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. 
items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - namespace - global - users - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields' Security_AI_Assistant_API_IndexEntryCreateFields: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false type: boolean name: description: Name of the Knowledge Base Entry type: string namespace: description: Kibana Space, defaults to 'default' space type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - name - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryOptionalFields: type: object properties: inputSchema: $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema' outputFields: description: Fields to extract from the query result, defaults to all fields if not provided or empty items: type: string type: array Security_AI_Assistant_API_IndexEntryRequiredFields: type: object properties: description: description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description type: string field: description: Field to query for Knowledge Base content type: string index: description: Index or Data Stream to query for Knowledge Base content type: string queryDescription: description: Description of query field used to fetch Knowledge Base content. 
Passed to the LLM as part of the tool input schema type: string type: description: Entry type enum: - index type: string required: - type - index - field - description - queryDescription Security_AI_Assistant_API_IndexEntryResponseFields: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields' Security_AI_Assistant_API_IndexEntryUpdateFields: allOf: - type: object properties: global: description: Whether this Knowledge Base Entry is global, defaults to false type: boolean id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' name: description: Name of the Knowledge Base Entry type: string namespace: description: Kibana Space, defaults to 'default' space type: string users: description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users. items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' Security_AI_Assistant_API_InputSchema: description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval items: type: object properties: description: description: Description of the field type: string fieldName: description: Name of the field type: string fieldType: description: Type of the field type: string required: - fieldName - fieldType - description type: array Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason: enum: - KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED type: string Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult: type: object properties: id: type: string name: type: string skip_reason: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason' required: - id - skip_reason 
Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse: type: object properties: attributes: type: object properties: errors: items: $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError' type: array results: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults' summary: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary' required: - results - summary knowledgeBaseEntriesCount: type: integer message: type: string statusCode: type: integer success: type: boolean required: - attributes Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults: type: object properties: created: items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array deleted: items: type: string type: array skipped: items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult' type: array updated: items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse' type: array required: - updated - created - deleted - skipped Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary: type: object properties: failed: type: integer skipped: type: integer succeeded: type: integer total: type: integer required: - failed - skipped - succeeded - total Security_AI_Assistant_API_KnowledgeBaseEntryContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: knowledgeBaseEntryId: description: Id of the Knowledge Base Entry type: string knowledgeBaseEntryName: description: Name of the knowledge base entry type: string type: enum: - KnowledgeBaseEntry type: string required: - type - knowledgeBaseEntryId - knowledgeBaseEntryName description: References a knowledge base entry Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps: anyOf: - $ref: 
'#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError: type: object properties: id: type: string name: type: string required: - id Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema: additionalProperties: false type: object properties: error: type: string message: type: string statusCode: type: number required: - statusCode - error - message Security_AI_Assistant_API_KnowledgeBaseEntryResponse: anyOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntry' discriminator: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps: anyOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields' discriminator: propertyName: type Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps: anyOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields' - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields' discriminator: propertyName: type Security_AI_Assistant_API_KnowledgeBaseResource: description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc enum: - security_labs - user type: string Security_AI_Assistant_API_KnowledgeBaseResponse: description: AI assistant KnowledgeBase. type: object properties: success: description: Identify the success of the method execution. type: boolean Security_AI_Assistant_API_Message: description: AI assistant conversation message. type: object properties: content: description: Message content. type: string isError: description: Is error message. 
type: boolean metadata: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageMetadata' description: metadata reader: $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' description: Message content. role: $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' description: Message role. timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' description: The timestamp message was sent or received. traceData: $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' description: trace Data required: - timestamp - content - role Security_AI_Assistant_API_MessageData: additionalProperties: true type: object Security_AI_Assistant_API_MessageMetadata: description: Message metadata type: object properties: contentReferences: $ref: '#/components/schemas/Security_AI_Assistant_API_ContentReferences' description: Data referred to by the message content. Security_AI_Assistant_API_MessageRole: description: Message role. enum: - system - user - assistant type: string Security_AI_Assistant_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty minLength: 1 type: string Security_AI_Assistant_API_NormalizedAnonymizationFieldError: type: object properties: anonymization_fields: items: $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError' type: array err_code: type: string message: type: string status_code: type: integer required: - message - status_code - anonymization_fields Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError: type: object properties: err_code: type: string knowledgeBaseEntries: items: $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError' type: array message: type: string statusCode: type: integer required: - message - statusCode - knowledgeBaseEntries Security_AI_Assistant_API_NormalizedPromptError: type: object properties: err_code: type: string message: type: string prompts:
items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError' type: array status_code: type: integer required: - message - status_code - prompts Security_AI_Assistant_API_ProductDocumentationContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: title: description: Title of the documentation type: string type: enum: - ProductDocumentation type: string url: description: URL to the documentation type: string required: - type - title - url description: References the product documentation Security_AI_Assistant_API_PromptCreateProps: type: object properties: categories: items: type: string type: array color: type: string consumer: type: string content: type: string isDefault: type: boolean isNewConversationDefault: type: boolean name: type: string promptType: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' required: - name - content - promptType Security_AI_Assistant_API_PromptDetailsInError: type: object properties: id: type: string name: type: string required: - id Security_AI_Assistant_API_PromptResponse: type: object properties: categories: items: type: string type: array color: type: string consumer: type: string content: type: string createdAt: type: string createdBy: type: string id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' isDefault: type: boolean isNewConversationDefault: type: boolean name: type: string namespace: description: Kibana space type: string promptType: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' timestamp: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' updatedAt: type: string updatedBy: type: string users: items: $ref: '#/components/schemas/Security_AI_Assistant_API_User' type: array required: - id - name - promptType - content Security_AI_Assistant_API_PromptsBulkActionSkipReason: enum: - PROMPT_FIELD_NOT_MODIFIED type: string 
Security_AI_Assistant_API_PromptsBulkActionSkipResult: type: object properties: id: type: string name: type: string skip_reason: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason' required: - id - skip_reason Security_AI_Assistant_API_PromptsBulkCrudActionResponse: type: object properties: attributes: type: object properties: errors: items: $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError' type: array results: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults' summary: $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary' required: - results - summary message: type: string prompts_count: type: integer status_code: type: integer success: type: boolean required: - attributes Security_AI_Assistant_API_PromptsBulkCrudActionResults: type: object properties: created: items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array deleted: items: type: string type: array skipped: items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult' type: array updated: items: $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' type: array required: - updated - created - deleted - skipped Security_AI_Assistant_API_PromptType: description: Prompt type enum: - system - quick type: string Security_AI_Assistant_API_PromptUpdateProps: type: object properties: categories: items: type: string type: array color: type: string consumer: type: string content: type: string id: type: string isDefault: type: boolean isNewConversationDefault: type: boolean required: - id Security_AI_Assistant_API_Provider: description: Provider enum: - OpenAI - Azure OpenAI - Other type: string Security_AI_Assistant_API_Reader: additionalProperties: true type: object Security_AI_Assistant_API_Replacements: additionalProperties: type: string description: Replacements object used to anonymize/deanonymize messages type: object
Security_AI_Assistant_API_ResponseFields: type: object properties: createdAt: description: Time the Knowledge Base Entry was created type: string createdBy: description: User who created the Knowledge Base Entry type: string id: $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' updatedAt: description: Time the Knowledge Base Entry was last updated type: string updatedBy: description: User who last updated the Knowledge Base Entry type: string required: - id - createdAt - createdBy - updatedAt - updatedBy Security_AI_Assistant_API_SecurityAlertContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: alertId: description: ID of the Alert type: string type: enum: - SecurityAlert type: string required: - type - alertId description: References a security alert Security_AI_Assistant_API_SecurityAlertsPageContentReference: allOf: - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference' - type: object properties: type: enum: - SecurityAlertsPage type: string required: - type description: References the security alerts page Security_AI_Assistant_API_SortOrder: enum: - asc - desc type: string Security_AI_Assistant_API_TraceData: description: trace Data type: object properties: traceId: description: Could be any string, not necessarily a UUID type: string transactionId: description: Could be any string, not necessarily a UUID type: string Security_AI_Assistant_API_User: description: Could be any string, not necessarily a UUID type: object properties: id: description: User id type: string name: description: User name type: string Security_AI_Assistant_API_Vector: description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings type: object properties: modelId: description: ID of the model used to create the embeddings type: string tokens: additionalProperties: type: number description: Tokens with their corresponding 
values type: object required: - modelId - tokens Security_Detections_API_AlertAssignees: type: object properties: add: items: description: A list of users ids to assign. format: nonempty minLength: 1 type: string type: array remove: items: description: A list of users ids to unassign. format: nonempty minLength: 1 type: string type: array required: - add - remove Security_Detections_API_AlertIds: description: A list of alerts `id`s. items: format: nonempty minLength: 1 type: string minItems: 1 type: array Security_Detections_API_AlertsIndex: deprecated: true description: (deprecated) Has no effect. type: string Security_Detections_API_AlertsIndexMigrationError: type: object properties: error: type: object properties: message: type: string status_code: type: string required: - message - status_code index: type: string required: - index - error Security_Detections_API_AlertsIndexMigrationSuccess: type: object properties: index: type: string migration_id: type: string migration_index: type: string required: - index - migration_id - migration_index Security_Detections_API_AlertsIndexNamespace: description: Has no effect. type: string Security_Detections_API_AlertsReindexOptions: type: object properties: requests_per_second: description: The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API. minimum: 1 type: integer size: description: Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API. minimum: 1 type: integer slices: description: The number of subtasks for the migration task. Corresponds to slices on the Reindex API. 
minimum: 1 type: integer Security_Detections_API_AlertsSort: oneOf: - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - items: $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' type: array Security_Detections_API_AlertsSortCombinations: anyOf: - type: string - additionalProperties: true type: object Security_Detections_API_AlertStatus: description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`. enum: - open - closed - acknowledged - in-progress type: string Security_Detections_API_AlertSuppression: description: Defines alert suppression configuration. type: object properties: duration: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' group_by: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' missing_fields_strategy: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy' required: - group_by Security_Detections_API_AlertSuppressionDuration: type: object properties: unit: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit' value: minimum: 1 type: integer required: - value - unit Security_Detections_API_AlertSuppressionDurationUnit: description: Time unit enum: - s - m - h type: string Security_Detections_API_AlertSuppressionGroupBy: items: type: string maxItems: 3 minItems: 1 type: array Security_Detections_API_AlertSuppressionMissingFieldsStrategy: description: |- Describes how alerts will be generated for documents with missing suppress by fields: doNotSuppress - per each document a separate alert will be created suppress - only alert will be created per suppress by bucket enum: - doNotSuppress - suppress type: string Security_Detections_API_AlertTag: description: Use alert tags to organize related alerts into categories that you can filter and group. 
format: nonempty minLength: 1 type: string Security_Detections_API_AlertTags: description: List of keywords to organize related alerts into categories that you can filter and group. items: $ref: '#/components/schemas/Security_Detections_API_AlertTag' type: array Security_Detections_API_AlertVersion: type: object properties: count: type: integer version: type: integer required: - version - count Security_Detections_API_AnomalyThreshold: description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100. minimum: 0 type: integer Security_Detections_API_BuildingBlockType: description: | Determines if the rule acts as a building block. If yes, the value must be `default`. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. For more information, refer to [About building block rules](https://www.elastic.co/guide/en/security/current/building-block-rule.html). type: string Security_Detections_API_BulkActionEditPayload: anyOf: - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions' - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule' Security_Detections_API_BulkActionEditPayloadIndexPatterns: description: | Edits index patterns of rulesClient. - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made. - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made. 
- `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made. type: object properties: overwrite_data_views: description: Resets the data view for the rule. type: boolean type: enum: - add_index_patterns - delete_index_patterns - set_index_patterns type: string value: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' required: - type - value Security_Detections_API_BulkActionEditPayloadInvestigationFields: description: | Edits investigation fields of rules. - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made. - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made. - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made. type: object properties: type: enum: - add_investigation_fields - delete_investigation_fields - set_investigation_fields type: string value: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' required: - type - value Security_Detections_API_BulkActionEditPayloadRuleActions: description: | Edits rule actions of rules. - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID. - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs. 
type: object properties: type: enum: - add_rule_actions - set_rule_actions type: string value: type: object properties: actions: items: $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction' type: array throttle: $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions' required: - actions required: - type - value Security_Detections_API_BulkActionEditPayloadSchedule: description: | Overwrites schedule of rules. - `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made. Both `interval` and `lookback` have a format of "{integer}{time_unit}", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: "45s", "30m", "6h" type: object properties: type: enum: - set_schedule type: string value: type: object properties: interval: description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. example: 1h pattern: ^[1-9]\d*[smh]$ type: string lookback: description: | Lookback time for the rules. Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval. example: 1h pattern: ^[1-9]\d*[smh]$ type: string required: - interval - lookback required: - type - value Security_Detections_API_BulkActionEditPayloadTags: description: | Edits tags of rules. - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made. - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made. - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made. 
      type: object
      properties:
        type:
          enum:
            - add_tags
            - delete_tags
            - set_tags
          type: string
        value:
          $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
      required:
        - type
        - value
    Security_Detections_API_BulkActionEditPayloadTimeline:
      description: |
        Edits timeline of rules.

        - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made.
      type: object
      properties:
        type:
          enum:
            - set_timeline
          type: string
        value:
          type: object
          properties:
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
          required:
            - timeline_id
            - timeline_title
      required:
        - type
        - value
    Security_Detections_API_BulkActionsDryRunErrCode:
      enum:
        - IMMUTABLE
        - PREBUILT_CUSTOMIZATION_LICENSE
        - MACHINE_LEARNING_AUTH
        - MACHINE_LEARNING_INDEX_PATTERN
        - ESQL_INDEX_PATTERN
        - MANUAL_RULE_RUN_FEATURE
        - MANUAL_RULE_RUN_DISABLED_RULE
      type: string
    Security_Detections_API_BulkActionSkipResult:
      type: object
      properties:
        id:
          type: string
        name:
          type: string
        skip_reason:
          $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason'
      required:
        - id
        - skip_reason
    Security_Detections_API_BulkCrudRulesResponse:
      items:
        oneOf:
          - $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema'
      type: array
    Security_Detections_API_BulkDeleteRules:
      type: object
      properties:
        action:
          enum:
            - delete
          type: string
        ids:
          description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
    Security_Detections_API_BulkDisableRules:
      type: object
      properties:
        action:
          enum:
            - disable
          type: string
        ids:
          description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
    Security_Detections_API_BulkDuplicateRules:
      type: object
      properties:
        action:
          enum:
            - duplicate
          type: string
        duplicate:
          description: Duplicate object that describes applying an update action.
          type: object
          properties:
            include_exceptions:
              description: Whether to copy exceptions from the original rule
              type: boolean
            include_expired_exceptions:
              description: Whether to copy expired exceptions from the original rule
              type: boolean
          required:
            - include_exceptions
            - include_expired_exceptions
        ids:
          description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
    Security_Detections_API_BulkEditActionResponse:
      type: object
      properties:
        attributes:
          type: object
          properties:
            errors:
              items:
                $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError'
              type: array
            results:
              $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults'
            summary:
              $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary'
          required:
            - results
            - summary
        message:
          type: string
        rules_count:
          type: integer
        status_code:
          type: integer
        success:
          type: boolean
      required:
        - attributes
    Security_Detections_API_BulkEditActionResults:
      type: object
      properties:
        created:
          items:
            $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          type: array
        deleted:
          items:
            $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          type: array
        skipped:
          items:
            $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult'
          type: array
        updated:
          items:
            $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
          type: array
      required:
        - updated
        - created
        - deleted
        - skipped
    Security_Detections_API_BulkEditActionSummary:
      description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`.
      type: object
      properties:
        failed:
          type: integer
        skipped:
          type: integer
        succeeded:
          type: integer
        total:
          type: integer
      required:
        - failed
        - skipped
        - succeeded
        - total
    Security_Detections_API_BulkEditRules:
      type: object
      properties:
        action:
          enum:
            - edit
          type: string
        edit:
          description: Array of objects containing the edit operations
          items:
            $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload'
          minItems: 1
          type: array
        ids:
          description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
        - edit
    Security_Detections_API_BulkEditSkipReason:
      enum:
        - RULE_NOT_MODIFIED
      type: string
    Security_Detections_API_BulkEnableRules:
      type: object
      properties:
        action:
          enum:
            - enable
          type: string
        ids:
          description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
    Security_Detections_API_BulkExportActionResponse:
      type: string
    Security_Detections_API_BulkExportRules:
      type: object
      properties:
        action:
          enum:
            - export
          type: string
        ids:
          description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
      required:
        - action
    Security_Detections_API_BulkManualRuleRun:
      type: object
      properties:
        action:
          enum:
            - run
          type: string
        ids:
          description: Array of rule IDs. Array of rule IDs to which a bulk action will be applied. Only valid when query property is undefined.
          items:
            type: string
          minItems: 1
          type: array
        query:
          description: Query to filter rules.
          type: string
        run:
          description: Object that describes applying a manual rule run action.
          type: object
          properties:
            end_date:
              description: End date of the manual rule run
              type: string
            start_date:
              description: Start date of the manual rule run
              type: string
          required:
            - start_date
      required:
        - action
        - run
    Security_Detections_API_ConcurrentSearches:
      minimum: 1
      type: integer
    Security_Detections_API_DataViewId:
      type: string
    Security_Detections_API_DefaultParams:
      type: object
      properties:
        command:
          enum:
            - isolate
          type: string
        comment:
          type: string
      required:
        - command
    Security_Detections_API_EcsMapping:
      additionalProperties:
        type: object
        properties:
          field:
            type: string
          value:
            oneOf:
              - type: string
              - items:
                  type: string
                type: array
      description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}'
      type: object
    Security_Detections_API_EndpointResponseAction:
      type: object
      properties:
        action_type_id:
          enum:
            - .endpoint
          type: string
        params:
          oneOf:
            - $ref: '#/components/schemas/Security_Detections_API_DefaultParams'
            - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams'
      required:
        - action_type_id
        - params
    Security_Detections_API_EqlOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
        data_view_id:
          $ref: '#/components/schemas/Security_Detections_API_DataViewId'
        event_category_override:
          $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride'
        filters:
          $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
        index:
          $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
        tiebreaker_field:
          $ref: '#/components/schemas/Security_Detections_API_TiebreakerField'
        timestamp_field:
          $ref: '#/components/schemas/Security_Detections_API_TimestampField'
    Security_Detections_API_EqlQueryLanguage:
      enum:
        - eql
      type: string
    Security_Detections_API_EqlRequiredFields:
      type: object
      properties:
        language:
          $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage'
          description: Query language to use
        query:
          $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
        type:
          description: Rule type
          enum:
            - eql
          type: string
      required:
        - type
        - query
        - language
    Security_Detections_API_EqlRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.

                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields'
    Security_Detections_API_EqlRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
    Security_Detections_API_EqlRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.

                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields'
    Security_Detections_API_EqlRulePatchFields:
      allOf:
        - type: object
          properties:
            language:
              $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage'
              description: Query language to use
            query:
              $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
            type:
              description: Rule type
              enum:
                - eql
              type: string
        - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
    Security_Detections_API_EqlRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.

                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
        - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields'
    Security_Detections_API_EqlRuleResponseFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields'
        - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
    Security_Detections_API_EqlRuleUpdateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.

                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields'
    Security_Detections_API_ErrorSchema:
      additionalProperties: false
      type: object
      properties:
        error:
          type: object
          properties:
            message:
              type: string
            status_code:
              minimum: 400
              type: integer
          required:
            - status_code
            - message
        id:
          type: string
        item_id:
          minLength: 1
          type: string
        list_id:
          minLength: 1
          type: string
        rule_id:
          $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
      required:
        - error
    Security_Detections_API_EsqlQueryLanguage:
      enum:
        - esql
      type: string
    Security_Detections_API_EsqlRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.

                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
            - version
            - tags
            - enabled
            - risk_score_mapping
            - severity_mapping
            - interval
            - from
            - to
            - actions
            - exceptions_list
            - author
            - false_positives
            - references
            - max_signals
            - threat
            - setup
            - related_integrations
            - required_fields
        - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields'
    Security_Detections_API_EsqlRuleCreateFields:
      allOf:
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields'
    Security_Detections_API_EsqlRuleCreateProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.

                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
              type: array
            response_actions:
              items:
                $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
              type: array
            risk_score:
              $ref: '#/components/schemas/Security_Detections_API_RiskScore'
            risk_score_mapping:
              $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
            rule_id:
              $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
            rule_name_override:
              $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
            setup:
              $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
            severity:
              $ref: '#/components/schemas/Security_Detections_API_Severity'
            severity_mapping:
              $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
            tags:
              $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
            threat:
              $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
            throttle:
              $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
            timeline_id:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
            timeline_title:
              $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
            timestamp_override:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
            timestamp_override_fallback_disabled:
              $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
            to:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
            version:
              $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
          required:
            - name
            - description
            - risk_score
            - severity
        - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields'
    Security_Detections_API_EsqlRuleOptionalFields:
      type: object
      properties:
        alert_suppression:
          $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
    Security_Detections_API_EsqlRulePatchProps:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleAction'
              type: array
            alias_purpose:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
            alias_target_id:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
            author:
              $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
            building_block_type:
              $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
            description:
              $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
            enabled:
              $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
            exceptions_list:
              items:
                $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
              type: array
            false_positives:
              $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
            from:
              $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
            id:
              $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
            interval:
              $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
            investigation_fields:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
            language:
              $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage'
            license:
              $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
            max_signals:
              $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
            meta:
              $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
            name:
              $ref: '#/components/schemas/Security_Detections_API_RuleName'
            namespace:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
            note:
              $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
            outcome:
              $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
            output_index:
              $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
            query:
              $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
            references:
              $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
            related_integrations:
              $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
            required_fields:
              description: |
                Elasticsearch fields and their types that need to be present for the rule to function.

                > info
                > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' type: description: Rule type enum: - esql type: string version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' Security_Detections_API_EsqlRuleRequiredFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - esql type: string required: - type - language - query 
Security_Detections_API_EsqlRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' Security_Detections_API_EsqlRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: 
'#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' 
timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' Security_Detections_API_EventCategoryOverride: type: string Security_Detections_API_ExceptionListType: description: The exception type enum: - detection - rule_default - endpoint - endpoint_trusted_apps - endpoint_events - endpoint_host_isolation_exceptions - endpoint_blocklists type: string Security_Detections_API_ExternalRuleSource: description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo. type: object properties: is_customized: $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized' type: enum: - external type: string required: - type - is_customized Security_Detections_API_FindRulesSortField: enum: - created_at - createdAt - enabled - execution_summary.last_execution.date - execution_summary.last_execution.metrics.execution_gap_duration_s - execution_summary.last_execution.metrics.total_indexing_duration_ms - execution_summary.last_execution.metrics.total_search_duration_ms - execution_summary.last_execution.status - name - risk_score - riskScore - severity - updated_at - updatedAt type: string Security_Detections_API_HistoryWindowStart: description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time. 
format: nonempty minLength: 1 type: string Security_Detections_API_IndexMigrationStatus: type: object properties: index: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' is_outdated: type: boolean migrations: items: $ref: '#/components/schemas/Security_Detections_API_MigrationStatus' type: array signal_versions: items: $ref: '#/components/schemas/Security_Detections_API_AlertVersion' type: array version: type: integer required: - index - version - signal_versions - migrations - is_outdated Security_Detections_API_IndexPatternArray: description: | Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`). > info > This field is not supported for ES|QL rules. items: type: string type: array Security_Detections_API_InternalRuleSource: description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps. type: object properties: type: enum: - internal type: string required: - type Security_Detections_API_InvestigationFields: description: | Schema for fields relating to investigation fields. These are user defined fields we use to highlight in various features in the UI such as alert details flyout and exceptions auto-population from alert. type: object properties: field_names: items: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' minItems: 1 type: array required: - field_names Security_Detections_API_InvestigationGuide: description: Notes to help investigate alerts produced by the rule. type: string Security_Detections_API_IsExternalRuleCustomized: description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value). type: boolean Security_Detections_API_IsRuleEnabled: description: Determines whether the rule is enabled. Defaults to true. 
type: boolean Security_Detections_API_IsRuleImmutable: deprecated: true description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field. type: boolean Security_Detections_API_ItemsPerSearch: minimum: 1 type: integer Security_Detections_API_KqlQueryLanguage: enum: - kuery - lucene type: string Security_Detections_API_MachineLearningJobId: description: Machine learning job ID(s) the rule monitors for anomaly scores. oneOf: - type: string - items: type: string minItems: 1 type: array Security_Detections_API_MachineLearningRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: 
'#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields' Security_Detections_API_MachineLearningRuleCreateFields: allOf: - $ref: 
'#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: 
'#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' 
to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MachineLearningRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' Security_Detections_API_MachineLearningRulePatchFields: allOf: - type: object properties: anomaly_threshold: $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' machine_learning_job_id: $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - machine_learning type: string - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their 
types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields' Security_Detections_API_MachineLearningRuleRequiredFields: type: object 
properties: anomaly_threshold: $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' machine_learning_job_id: $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' type: description: Rule type enum: - machine_learning type: string required: - type - machine_learning_job_id - anomaly_threshold Security_Detections_API_MachineLearningRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields' Security_Detections_API_MachineLearningRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: 
'#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields' Security_Detections_API_MaxSignals: default: 100 description: | Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#rule-ui-advanced-params) value). 
> info > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/guide/en/kibana/current/alert-action-settings-kb.html#alert-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher. minimum: 1 type: integer Security_Detections_API_MigrationCleanupResult: type: object properties: destinationIndex: type: string error: type: object properties: message: type: string status_code: type: integer required: - message - status_code id: type: string sourceIndex: type: string status: enum: - success - failure - pending type: string updated: format: date-time type: string version: type: string required: - id - destinationIndex - status - sourceIndex - version - updated Security_Detections_API_MigrationFinalizationResult: type: object properties: completed: type: boolean destinationIndex: type: string error: type: object properties: message: type: string status_code: type: integer required: - message - status_code id: type: string sourceIndex: type: string status: enum: - success - failure - pending type: string updated: format: date-time type: string version: type: string required: - id - completed - destinationIndex - status - sourceIndex - version - updated Security_Detections_API_MigrationStatus: type: object properties: id: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' status: enum: - success - failure - pending type: string updated: format: date-time type: string version: type: integer required: - id - status - version - updated Security_Detections_API_NewTermsFields: description: Fields to monitor for new values. 
items: type: string maxItems: 3 minItems: 1 type: array Security_Detections_API_NewTermsRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' 
related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - 
enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields' Security_Detections_API_NewTermsRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' 
max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NewTermsRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' Security_Detections_API_NewTermsRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' data_view_id: 
$ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' Security_Detections_API_NewTermsRulePatchFields: allOf: - type: object properties: history_window_start: $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' new_terms_fields: $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - new_terms type: string - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields' Security_Detections_API_NewTermsRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: 
'#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields' Security_Detections_API_NewTermsRuleRequiredFields: type: object properties: history_window_start: $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' new_terms_fields: $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' type: description: Rule type enum: - new_terms type: string required: 
- type - query - new_terms_fields - history_window_start Security_Detections_API_NewTermsRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language Security_Detections_API_NewTermsRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: 
'#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: 
'#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields' Security_Detections_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty minLength: 1 type: string Security_Detections_API_NormalizedRuleAction: additionalProperties: false type: object properties: alerts_filter: $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' frequency: $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' group: $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' id: $ref: '#/components/schemas/Security_Detections_API_RuleActionId' params: $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' required: - id - params Security_Detections_API_NormalizedRuleError: type: object properties: err_code: $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode' message: type: string rules: items: $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError' type: array status_code: type: integer required: - message - status_code - rules Security_Detections_API_OsqueryParams: type: object properties: ecs_mapping: $ref: '#/components/schemas/Security_Detections_API_EcsMapping' pack_id: description: 'To specify a query pack, use the packId field. 
Example: "packId": "processes_elastic"' type: string queries: items: $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' type: array query: description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"' type: string saved_query_id: description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"' type: string timeout: description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.' type: number Security_Detections_API_OsqueryQuery: type: object properties: ecs_mapping: $ref: '#/components/schemas/Security_Detections_API_EcsMapping' id: description: Query ID type: string platform: type: string query: description: Query to run type: string removed: type: boolean snapshot: type: boolean version: description: Query version type: string required: - id - query Security_Detections_API_OsqueryResponseAction: type: object properties: action_type_id: enum: - .osquery type: string params: $ref: '#/components/schemas/Security_Detections_API_OsqueryParams' required: - action_type_id - params Security_Detections_API_PlatformErrorResponse: type: object properties: error: type: string message: type: string statusCode: type: integer required: - statusCode - error - message Security_Detections_API_ProcessesParams: type: object properties: command: description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"' enum: - kill-process - suspend-process type: string comment: description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. 
Example: "comment": "Check processes"' type: string config: type: object properties: field: description: Field to use instead of process.pid type: string overwrite: default: true description: Whether to overwrite field with process.pid type: boolean required: - field required: - command - config Security_Detections_API_QueryRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: 
$ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: 
'#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields' Security_Detections_API_QueryRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. 
> info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' Security_Detections_API_QueryRuleDefaultableFields: type: object properties: 
language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' Security_Detections_API_QueryRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' Security_Detections_API_QueryRulePatchFields: allOf: - type: object properties: type: description: Rule type enum: - query type: string - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields' Security_Detections_API_QueryRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their 
types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields' Security_Detections_API_QueryRuleRequiredFields: type: object properties: type: 
description: Rule type enum: - query type: string required: - type Security_Detections_API_QueryRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' required: - query - language Security_Detections_API_QueryRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: 
'#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' Security_Detections_API_RelatedIntegration: description: | Related integration is a potential dependency of a rule. It's assumed that if the user installs one of the related integrations of a rule, the rule might start to work properly because it will have source events (generated by this integration) potentially matching the rule's query. 
NOTE: Proper work is not guaranteed, because a related integration, if installed, can be configured differently or generate data that is not necessarily relevant for this rule. Related integration is a combination of a Fleet package and (optionally) one of the package's "integrations" that this package contains. It is represented by 3 properties: - `package`: name of the package (required, unique id) - `version`: version of the package (required, semver-compatible) - `integration`: name of the integration of this package (optional, id within the package) There are Fleet packages like `windows` that contain only one integration; in this case, `integration` should be unspecified. There are also packages like `aws` and `azure` that contain several integrations; in this case, `integration` should be specified. example: integration: activitylogs package: azure version: ~1.1.6 type: object properties: integration: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' package: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' version: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' required: - package - version Security_Detections_API_RelatedIntegrationArray: items: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' type: array Security_Detections_API_RequiredField: description: | Describes an Elasticsearch field that is needed for the rule to function. Almost all types of Security rules check source event documents for a match to some kind of query or filter. If a document has a certain field with certain values, then it's a match and the rule will generate an alert. Required field is an event field that must be present in the source indices of a given rule. 
@example const standardEcsField: RequiredField = { name: 'event.action', type: 'keyword', ecs: true, }; @example const nonEcsField: RequiredField = { name: 'winlog.event_data.AttributeLDAPDisplayName', type: 'keyword', ecs: false, }; type: object properties: ecs: description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type. type: boolean name: description: Name of an Elasticsearch field format: nonempty minLength: 1 type: string type: description: Type of the Elasticsearch field format: nonempty minLength: 1 type: string required: - name - type - ecs Security_Detections_API_RequiredFieldArray: items: $ref: '#/components/schemas/Security_Detections_API_RequiredField' type: array Security_Detections_API_RequiredFieldInput: description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type. type: object properties: name: description: Name of an Elasticsearch field format: nonempty minLength: 1 type: string type: description: Type of the Elasticsearch field format: nonempty minLength: 1 type: string required: - name - type Security_Detections_API_ResponseAction: oneOf: - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction' Security_Detections_API_ResponseFields: type: object properties: created_at: format: date-time type: string created_by: type: string execution_summary: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' immutable: $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' required_fields: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray' revision: $ref: '#/components/schemas/Security_Detections_API_RuleRevision' rule_id: $ref: 
'#/components/schemas/Security_Detections_API_RuleSignatureId' rule_source: $ref: '#/components/schemas/Security_Detections_API_RuleSource' updated_at: format: date-time type: string updated_by: type: string required: - id - rule_id - immutable - rule_source - updated_at - updated_by - created_at - created_by - revision - related_integrations - required_fields Security_Detections_API_RiskScore: description: | A numerical representation of the alert's severity from 0 to 100, where: * `0` - `21` represents low severity * `22` - `47` represents medium severity * `48` - `73` represents high severity * `74` - `100` represents critical severity maximum: 100 minimum: 0 type: integer Security_Detections_API_RiskScoreMapping: description: Overrides generated alerts' risk_score with a value from the source event items: type: object properties: field: description: Source event field used to override the default `risk_score`. type: string operator: enum: - equals type: string risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' value: type: string required: - field - operator - value type: array Security_Detections_API_RuleAction: type: object properties: action_type_id: description: | The action type used for sending notifications, can be: - `.slack` - `.slack_api` - `.email` - `.index` - `.pagerduty` - `.swimlane` - `.webhook` - `.servicenow` - `.servicenow-itom` - `.servicenow-sir` - `.jira` - `.resilient` - `.opsgenie` - `.teams` - `.torq` - `.tines` - `.d3security` type: string alerts_filter: $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' frequency: $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' group: $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' id: $ref: '#/components/schemas/Security_Detections_API_RuleActionId' params: $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' uuid: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' 
required: - action_type_id - id - params Security_Detections_API_RuleActionAlertsFilter: additionalProperties: true description: | Object containing an action’s conditional filters. - `timeframe` (object, optional): Object containing the time frame for when this action can be run. - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array. - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day. - start (string, required): Start time in `hh:mm` format. - end (string, required): End time in `hh:mm` format. - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST. - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run. - `kql` (string, required): A KQL string. - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package. type: object Security_Detections_API_RuleActionFrequency: description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals). 
type: object properties: notifyWhen: $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' summary: description: Action summary indicates whether we will send a summary notification about all the generated alerts or a notification per individual alert type: boolean throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' nullable: true required: - summary - notifyWhen - throttle Security_Detections_API_RuleActionGroup: description: Optionally groups actions by use cases. Use `default` for alert notifications. type: string Security_Detections_API_RuleActionId: description: The connector ID. type: string Security_Detections_API_RuleActionNotifyWhen: description: Defines how often rules run actions. enum: - onActiveAlert - onThrottleInterval - onActionGroupChange type: string Security_Detections_API_RuleActionParams: additionalProperties: true description: | Object containing the allowed connector fields, which varies according to the connector type. For Slack: - `message` (string, required): The notification message. For email: - `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. At least one field must have a value. - `subject` (string, optional): Email subject line. - `message` (string, required): Email body text. For Webhook: - `body` (string, required): JSON payload. For PagerDuty: - `severity` (string, required): Severity of the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`. - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`. - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert. - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime). 
- `component` (string, optional): Source machine component responsible for the event, for example `security-solution`. - `group` (string, optional): Enables logical grouping of service components. - `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action. - `summary` (string, optional): Summary of the event. Defaults to `No summary provided`. Maximum length is 1024 characters. - `class` (string, optional): Value indicating the class/type of the event. type: object Security_Detections_API_RuleActionThrottle: description: Defines how often rule actions are taken. oneOf: - enum: - no_actions - rule type: string - description: Time interval in seconds, minutes, hours, or days. example: 1h pattern: ^[1-9]\d*[smhd]$ type: string Security_Detections_API_RuleAuthorArray: description: The rule’s author. items: type: string type: array Security_Detections_API_RuleCreateProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' discriminator: propertyName: type Security_Detections_API_RuleDescription: description: The rule’s description. example: Detects anomalous Windows process creation events. 
minLength: 1 type: string Security_Detections_API_RuleDetailsInError: type: object properties: id: type: string name: type: string required: - id Security_Detections_API_RuleExceptionList: description: | Array of [exception containers](https://www.elastic.co/guide/en/security/current/exceptions-api-overview.html), which define exceptions that prevent the rule from generating alerts even when its other criteria are met. type: object properties: id: description: ID of the exception container format: nonempty minLength: 1 type: string list_id: description: List ID of the exception container format: nonempty minLength: 1 type: string namespace_type: description: Determines the exceptions validity in rule's Kibana space enum: - agnostic - single type: string type: $ref: '#/components/schemas/Security_Detections_API_ExceptionListType' required: - id - list_id - type - namespace_type Security_Detections_API_RuleExecutionMetrics: type: object properties: execution_gap_duration_s: description: Duration in seconds of execution gap minimum: 0 type: integer gap_range: description: Range of the execution gap type: object properties: gte: description: Start date of the execution gap type: string lte: description: End date of the execution gap type: string required: - gte - lte total_enrichment_duration_ms: description: Total time spent enriching documents during current rule execution cycle minimum: 0 type: integer total_indexing_duration_ms: description: Total time spent indexing documents during current rule execution cycle minimum: 0 type: integer total_search_duration_ms: description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response minimum: 0 type: integer Security_Detections_API_RuleExecutionStatus: description: |- Custom execution status of Security rules that is different from the status used in the Alerting Framework. 
We merge our custom status with the Framework's status to determine the resulting status of a rule. - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes. - running - Rule execution started but has not reached any intermediate or final status. - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or at the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist. - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function. - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts regardless of it. enum: - going to run - running - partial failure - failed - succeeded type: string Security_Detections_API_RuleExecutionStatusOrder: type: integer Security_Detections_API_RuleExecutionSummary: description: | Summary of the last execution of a rule. 
> info > This field is under development and its usage or schema may change type: object properties: last_execution: type: object properties: date: description: Date of the last execution format: date-time type: string message: type: string metrics: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics' status: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' description: Status of the last execution status_order: $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder' required: - date - status - status_order - message - metrics required: - last_execution Security_Detections_API_RuleFalsePositiveArray: description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleFilterArray: description: | The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array. > info > This field is not supported for ES|QL rules. items: {} type: array Security_Detections_API_RuleInterval: description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes). type: string Security_Detections_API_RuleIntervalFrom: description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time). format: date-math type: string Security_Detections_API_RuleIntervalTo: type: string Security_Detections_API_RuleLicense: description: The rule's license. type: string Security_Detections_API_RuleMetadata: additionalProperties: true description: | Placeholder for metadata about the rule. > info > This field is overwritten when you save changes to the rule’s settings. 
type: object Security_Detections_API_RuleName: description: A human-readable name for the rule. example: Anomalous Windows Process Creation minLength: 1 type: string Security_Detections_API_RuleNameOverride: description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type. type: string Security_Detections_API_RuleObjectId: $ref: '#/components/schemas/Security_Detections_API_UUID' description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s. Security_Detections_API_RulePatchProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' Security_Detections_API_RulePreviewLoggedRequest: type: object properties: description: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' duration: type: integer request: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' request_type: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' 
Security_Detections_API_RulePreviewLogs: type: object properties: duration: description: Execution duration in milliseconds type: integer errors: items: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' type: array requests: items: $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest' type: array startedAt: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' warnings: items: $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' type: array required: - errors - warnings - duration Security_Detections_API_RulePreviewParams: type: object properties: invocationCount: type: integer timeframeEnd: format: date-time type: string required: - invocationCount - timeframeEnd Security_Detections_API_RuleQuery: description: | [Query](https://www.elastic.co/guide/en/kibana/8.17/search.html) used by the rule to create alerts. - For indicator match rules, only the query’s results are used to determine whether an alert is generated. - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) rules for more information. type: string Security_Detections_API_RuleReferenceArray: description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array. 
items: type: string type: array Security_Detections_API_RuleResponse: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRule' - $ref: '#/components/schemas/Security_Detections_API_QueryRule' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule' - $ref: '#/components/schemas/Security_Detections_API_EsqlRule' discriminator: propertyName: type Security_Detections_API_RuleRevision: description: | The rule's revision number. It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update. > info > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments. minimum: 0 type: integer Security_Detections_API_RuleSignatureId: description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s. type: string Security_Detections_API_RuleSource: description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo. 
discriminator: propertyName: type oneOf: - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' Security_Detections_API_RuleTagArray: description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array. items: type: string type: array Security_Detections_API_RuleUpdateProps: anyOf: - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' discriminator: propertyName: type Security_Detections_API_RuleVersion: description: | The rule's version number. - For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). - For custom rules it is set to `1` when the rule is created. > info > It is not incremented on each update. Compare this to the `revision` field. 
minimum: 1 type: integer Security_Detections_API_SavedObjectResolveAliasPurpose: enum: - savedObjectConversion - savedObjectImport type: string Security_Detections_API_SavedObjectResolveAliasTargetId: type: string Security_Detections_API_SavedObjectResolveOutcome: enum: - exactMatch - aliasMatch - conflict type: string Security_Detections_API_SavedQueryId: description: Kibana [saved search](https://www.elastic.co/guide/en/kibana/current/save-open-search.html) used by the rule to create alerts. type: string Security_Detections_API_SavedQueryRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: 
'#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: 
'#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields' Security_Detections_API_SavedQueryRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. 
> info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SavedQueryRuleDefaultableFields: type: object 
properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' Security_Detections_API_SavedQueryRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' Security_Detections_API_SavedQueryRulePatchFields: allOf: - type: object properties: saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' type: description: Rule type enum: - saved_query type: string - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields' Security_Detections_API_SavedQueryRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their 
types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields' Security_Detections_API_SavedQueryRuleRequiredFields: type: object properties: 
saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' type: description: Rule type enum: - saved_query type: string required: - type - saved_id Security_Detections_API_SavedQueryRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language Security_Detections_API_SavedQueryRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' 
meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields' Security_Detections_API_SetAlertsStatusByIds: type: object properties: signal_ids: description: List of alert `id`s. 
          items:
            format: nonempty
            minLength: 1
            type: string
          minItems: 1
          type: array
        status:
          $ref: '#/components/schemas/Security_Detections_API_AlertStatus'
      required:
        - signal_ids
        - status
    Security_Detections_API_SetAlertsStatusByQuery:
      type: object
      properties:
        conflicts:
          default: abort
          enum:
            - abort
            - proceed
          type: string
        query:
          additionalProperties: true
          type: object
        status:
          $ref: '#/components/schemas/Security_Detections_API_AlertStatus'
      required:
        - query
        - status
    Security_Detections_API_SetAlertTags:
      description: Object with list of tags to add and remove.
      type: object
      properties:
        tags_to_add:
          $ref: '#/components/schemas/Security_Detections_API_AlertTags'
        tags_to_remove:
          $ref: '#/components/schemas/Security_Detections_API_AlertTags'
      required:
        - tags_to_add
        - tags_to_remove
    Security_Detections_API_SetupGuide:
      description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
      type: string
    Security_Detections_API_Severity:
      description: |
        Severity level of alerts produced by the rule, which must be one of the following:
        * `low`: Alerts that are of interest but generally not considered to be security incidents
        * `medium`: Alerts that require investigation
        * `high`: Alerts that require immediate investigation
        * `critical`: Alerts that indicate it is highly likely a security incident has occurred
      enum:
        - low
        - medium
        - high
        - critical
      type: string
    Security_Detections_API_SeverityMapping:
      description: Overrides generated alerts' severity with values from the source event
      items:
        type: object
        properties:
          field:
            description: Source event field used to override the default `severity`.
            type: string
          operator:
            enum:
              - equals
            type: string
          severity:
            $ref: '#/components/schemas/Security_Detections_API_Severity'
          value:
            type: string
        required:
          - field
          - operator
          - severity
          - value
      type: array
    Security_Detections_API_SiemErrorResponse:
      type: object
      properties:
        message:
          type: string
        status_code:
          type: integer
      required:
        - status_code
        - message
    Security_Detections_API_SkippedAlertsIndexMigration:
      type: object
      properties:
        index:
          type: string
      required:
        - index
    Security_Detections_API_SortOrder:
      enum:
        - asc
        - desc
      type: string
    Security_Detections_API_Threat:
      description: |
        > info
        > Currently, only threats described using the MITRE ATT&CK&trade; framework are supported.
      type: object
      properties:
        framework:
          description: Relevant attack framework
          type: string
        tactic:
          $ref: '#/components/schemas/Security_Detections_API_ThreatTactic'
        technique:
          description: Array containing information on the attack techniques (optional)
          items:
            $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique'
          type: array
      required:
        - framework
        - tactic
    Security_Detections_API_ThreatArray:
      items:
        $ref: '#/components/schemas/Security_Detections_API_Threat'
      type: array
    Security_Detections_API_ThreatFilters:
      items:
        description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
      type: array
    Security_Detections_API_ThreatIndex:
      description: Elasticsearch indices used to check which field values generate alerts.
      items:
        type: string
      type: array
    Security_Detections_API_ThreatIndicatorPath:
      description: Defines the path to the threat indicator in the indicator documents (optional)
      type: string
    Security_Detections_API_ThreatMapping:
      description: |
        Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index.
        Each entries object must contain these fields:

        - field: field from the event indices on which the rule runs
        - type: must be mapping
        - value: field from the Elasticsearch threat index

        You can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic.
      items:
        type: object
        properties:
          entries:
            items:
              type: object
              properties:
                field:
                  $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
                type:
                  enum:
                    - mapping
                  type: string
                value:
                  $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
              required:
                - field
                - type
                - value
            type: array
        required:
          - entries
      minItems: 1
      type: array
    Security_Detections_API_ThreatMatchRule:
      allOf:
        - type: object
          properties:
            actions:
              description: Array defining the automated actions (notifications) taken when alerts are generated.
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. 
> info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: 
'#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields' Security_Detections_API_ThreatMatchRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: 
'#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: 
'#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' Security_Detections_API_ThreatMatchRuleDefaultableFields: type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' Security_Detections_API_ThreatMatchRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' concurrent_searches: $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' items_per_search: $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch' saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' threat_filters: $ref: '#/components/schemas/Security_Detections_API_ThreatFilters' threat_indicator_path: $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath' threat_language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' Security_Detections_API_ThreatMatchRulePatchFields: allOf: - type: object properties: query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' threat_index: $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' threat_mapping: 
$ref: '#/components/schemas/Security_Detections_API_ThreatMapping' threat_query: $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' type: description: Rule type enum: - threat_match type: string - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields' Security_Detections_API_ThreatMatchRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' 
namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: 
'#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields' Security_Detections_API_ThreatMatchRuleRequiredFields: type: object properties: query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' threat_index: $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' threat_mapping: $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' threat_query: $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' type: description: Rule type enum: - threat_match type: string required: - type - query - threat_query - threat_mapping - threat_index Security_Detections_API_ThreatMatchRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language Security_Detections_API_ThreatMatchRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their 
types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields' 
Security_Detections_API_ThreatQuery: description: Query used to determine which fields in the Elasticsearch index are used for generating alerts. type: string Security_Detections_API_ThreatSubtechnique: type: object properties: id: description: Subtechnique ID type: string name: description: Subtechnique name type: string reference: description: Subtechnique reference type: string required: - id - name - reference Security_Detections_API_ThreatTactic: description: | Object containing information on the attack type type: object properties: id: description: Tactic ID type: string name: description: Tactic name type: string reference: description: Tactic reference type: string required: - id - name - reference Security_Detections_API_ThreatTechnique: type: object properties: id: description: Technique ID type: string name: description: Technique name type: string reference: description: Technique reference type: string subtechnique: description: | Array containing more specific information on the attack technique. items: $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique' type: array required: - id - name - reference Security_Detections_API_Threshold: type: object properties: cardinality: $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality' field: $ref: '#/components/schemas/Security_Detections_API_ThresholdField' value: $ref: '#/components/schemas/Security_Detections_API_ThresholdValue' required: - field - value Security_Detections_API_ThresholdAlertSuppression: description: Defines alert suppression configuration. type: object properties: duration: $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration' required: - duration Security_Detections_API_ThresholdCardinality: description: The field on which the cardinality is applied. items: type: object properties: field: description: The field on which to calculate and compare the cardinality. 
type: string value: description: The threshold value from which an alert is generated based on unique number of values of cardinality.field. minimum: 0 type: integer required: - field - value type: array Security_Detections_API_ThresholdField: description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field. oneOf: - type: string - items: type: string type: array Security_Detections_API_ThresholdRule: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: 
'#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: 
'#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - version - tags - enabled - risk_score_mapping - severity_mapping - interval - from - to - actions - exceptions_list - author - false_positives - references - max_signals - threat - setup - related_integrations - required_fields - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields' Security_Detections_API_ThresholdRuleCreateFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRuleCreateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. 
> info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdRuleDefaultableFields: type: object 
properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' Security_Detections_API_ThresholdRuleOptionalFields: type: object properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression' data_view_id: $ref: '#/components/schemas/Security_Detections_API_DataViewId' filters: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' Security_Detections_API_ThresholdRulePatchFields: allOf: - type: object properties: query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' threshold: $ref: '#/components/schemas/Security_Detections_API_Threshold' type: description: Rule type enum: - threshold type: string - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields' Security_Detections_API_ThresholdRulePatchProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. 
items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their 
types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields' Security_Detections_API_ThresholdRuleRequiredFields: type: object properties: 
query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' threshold: $ref: '#/components/schemas/Security_Detections_API_Threshold' type: description: Rule type enum: - threshold type: string required: - type - query - threshold Security_Detections_API_ThresholdRuleResponseFields: allOf: - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields' - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields' - type: object properties: language: $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' required: - language Security_Detections_API_ThresholdRuleUpdateProps: allOf: - type: object properties: actions: description: Array defining the automated actions (notifications) taken when alerts are generated. items: $ref: '#/components/schemas/Security_Detections_API_RuleAction' type: array alias_purpose: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose' alias_target_id: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId' author: $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' building_block_type: $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' description: $ref: '#/components/schemas/Security_Detections_API_RuleDescription' enabled: $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' exceptions_list: items: $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' type: array false_positives: $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray' from: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' id: $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' interval: $ref: '#/components/schemas/Security_Detections_API_RuleInterval' investigation_fields: $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' license: $ref: '#/components/schemas/Security_Detections_API_RuleLicense' 
max_signals: $ref: '#/components/schemas/Security_Detections_API_MaxSignals' meta: $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' name: $ref: '#/components/schemas/Security_Detections_API_RuleName' namespace: $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace' note: $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' outcome: $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome' output_index: $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' references: $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' related_integrations: $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray' required_fields: description: | Elasticsearch fields and their types that need to be present for the rule to function. > info > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data. 
items: $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput' type: array response_actions: items: $ref: '#/components/schemas/Security_Detections_API_ResponseAction' type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' rule_id: $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' rule_name_override: $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' setup: $ref: '#/components/schemas/Security_Detections_API_SetupGuide' severity: $ref: '#/components/schemas/Security_Detections_API_Severity' severity_mapping: $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' tags: $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' threat: $ref: '#/components/schemas/Security_Detections_API_ThreatArray' throttle: $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' timeline_id: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' timeline_title: $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle' timestamp_override: $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' timestamp_override_fallback_disabled: $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled' to: $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' version: $ref: '#/components/schemas/Security_Detections_API_RuleVersion' required: - name - description - risk_score - severity - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields' Security_Detections_API_ThresholdValue: description: The threshold value from which an alert is generated. minimum: 1 type: integer Security_Detections_API_ThrottleForBulkActions: description: | Defines the maximum interval in which a rule’s actions are executed. 
> info > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months. > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field. enum: - rule - 1h - 1d - 7d type: string Security_Detections_API_TiebreakerField: description: Sets a secondary field for sorting events type: string Security_Detections_API_TimelineTemplateId: description: Timeline template ID type: string Security_Detections_API_TimelineTemplateTitle: description: Timeline template title type: string Security_Detections_API_TimestampField: description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field. type: string Security_Detections_API_TimestampOverride: description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type. 
type: string Security_Detections_API_TimestampOverrideFallbackDisabled: description: Disables the fallback to the event's @timestamp field type: boolean Security_Detections_API_UUID: description: A universally unique identifier format: uuid type: string Security_Detections_API_WarningSchema: type: object properties: actionPath: type: string buttonLabel: type: string message: type: string type: type: string required: - type - message - actionPath Security_Endpoint_Exceptions_API_EndpointList: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList' - additionalProperties: false type: object Security_Endpoint_Exceptions_API_EndpointListItem: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' Security_Endpoint_Exceptions_API_ExceptionList: type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version. type: string created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: description: Autogenerated value - user that created object.
type: string description: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId' immutable: type: boolean list_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta' name: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName' namespace_type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. type: string version: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion' required: - id - list_id - type - name - description - immutable - namespace_type - version - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Endpoint_Exceptions_API_ExceptionListDescription: description: Describes the exception list. example: This list tracks allowlisted values. type: string Security_Endpoint_Exceptions_API_ExceptionListHumanId: description: Exception list's human readable string identifier, e.g. `trusted-linux-processes`. example: simple_list format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ExceptionListId: description: Exception list's identifier. 
example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ExceptionListItem: type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version. type: string comments: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: description: Autogenerated value - user that created object. type: string description: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray' expire_time: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId' item_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName' namespace_type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType' os_types: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray' tags: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update.
format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. type: string required: - id - item_id - list_id - type - name - description - entries - namespace_type - comments - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Endpoint_Exceptions_API_ExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - id - comment - created_at - created_by Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray: description: | Array of comment fields: - comment (string): Comments about the exception item. items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment' type: array Security_Endpoint_Exceptions_API_ExceptionListItemDescription: description: Describes the exception list. 
type: string Security_Endpoint_Exceptions_API_ExceptionListItemEntry: anyOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry' type: array Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: type: object properties: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists type: string required: - type - field - operator Security_Endpoint_Exceptions_API_ExceptionListItemEntryList: type: object properties: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' list: type: object properties: id: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId' type: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType' required: - id - type operator: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list type: string required: - type - field - list - operator Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: type: object properties: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: $ref: 
'#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match type: string value: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - type - field - value - operator Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: type: object properties: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any type: string value: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' minItems: 1 type: array required: - type - field - value - operator Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: type: object properties: field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard type: string value: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' required: - type - field - value - operator Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested: type: object properties: entries: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' type: enum: - nested type: string required: - type - field - entries Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny' - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists' Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included 
type: string Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime: description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: description: Human readable string identifier, e.g. `trusted-linux-processes` example: simple_list_item format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ExceptionListItemId: description: Exception's identifier. example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ExceptionListItemMeta: additionalProperties: true type: object Security_Endpoint_Exceptions_API_ExceptionListItemName: description: Exception list name. format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListItemTags: items: description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string type: array Security_Endpoint_Exceptions_API_ExceptionListItemType: enum: - simple type: string Security_Endpoint_Exceptions_API_ExceptionListMeta: additionalProperties: true description: Placeholder for metadata about the list container. type: object Security_Endpoint_Exceptions_API_ExceptionListName: description: The name of the exception list. example: My exception list type: string Security_Endpoint_Exceptions_API_ExceptionListOsType: description: Use this field to specify the operating system. enum: - linux - macos - windows type: string Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: description: Use this field to specify the operating system. Only enter one value. 
items: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType' type: array Security_Endpoint_Exceptions_API_ExceptionListTags: description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Endpoint_Exceptions_API_ExceptionListType: description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default - endpoint - endpoint_trusted_apps - endpoint_events - endpoint_host_isolation_exceptions - endpoint_blocklists type: string Security_Endpoint_Exceptions_API_ExceptionListVersion: description: The document version, automatically increased on updates. minimum: 1 type: integer Security_Endpoint_Exceptions_API_ExceptionNamespaceType: description: | Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - `single`: Only available in the Kibana space in which it is created. - `agnostic`: Available in all Kibana spaces. enum: - agnostic - single type: string Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter: $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' Security_Endpoint_Exceptions_API_ListId: description: Value list's identifier. example: 21b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_ListType: description: | Specifies the Elasticsearch data type of excludes the list container holds.
Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - `ip`: IP addresses - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean - byte - date - date_nanos - date_range - double - double_range - float - float_range - geo_point - geo_shape - half_float - integer - integer_range - ip - ip_range - keyword - long - long_range - shape - short - text type: string Security_Endpoint_Exceptions_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty minLength: 1 type: string Security_Endpoint_Exceptions_API_PlatformErrorResponse: type: object properties: error: type: string message: type: string statusCode: type: integer required: - statusCode - error - message Security_Endpoint_Exceptions_API_SiemErrorResponse: type: object properties: message: type: string status_code: type: integer required: - status_code - message Security_Endpoint_Management_API_ActionLogRequestQuery: type: object properties: end_date: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' page: $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' page_size: $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' start_date: $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' Security_Endpoint_Management_API_ActionStateSuccessResponse: type: object properties: body: type: object properties: data: type: object properties: canEncrypt: type: boolean required: - data required: - body Security_Endpoint_Management_API_ActionStatusSuccessResponse: type: object properties: body: type: object properties: data: type: object properties: agent_id: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' pending_actions: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema' required: - agent_id - pending_actions required: - data required: - body Security_Endpoint_Management_API_AgentId: 
description: Agent ID type: string Security_Endpoint_Management_API_AgentIds: description: A list of agent IDs. Max of 50. example: - agent-id-1 - agent-id-2 minLength: 1 oneOf: - items: minLength: 1 type: string maxItems: 50 minItems: 1 type: array - minLength: 1 type: string Security_Endpoint_Management_API_AgentTypes: description: List of agent types to retrieve. Defaults to `endpoint`. enum: - endpoint - sentinel_one - crowdstrike - microsoft_defender_endpoint example: endpoint type: string Security_Endpoint_Management_API_AlertIds: description: A list of alerts `id`s. items: format: nonempty minLength: 1 type: string minItems: 1 type: array Security_Endpoint_Management_API_CaseIds: description: Case IDs to be updated (cannot contain empty strings) example: - case-id-1 - case-id-2 items: minLength: 1 type: string minItems: 1 type: array Security_Endpoint_Management_API_CloudFileScriptParameters: type: object properties: cloudFile: description: Script name in cloud storage. minLength: 1 type: string commandLine: description: Command line arguments. minLength: 1 type: string timeout: description: Timeout in seconds. minimum: 1 type: integer required: - cloudFile Security_Endpoint_Management_API_Command: description: The command to be executed (cannot be an empty string) enum: - isolate - unisolate - kill-process - suspend-process - running-processes - get-file - execute - upload - scan minLength: 1 type: string Security_Endpoint_Management_API_Commands: description: A list of response action command names. example: - isolate - unisolate items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' type: array Security_Endpoint_Management_API_Comment: description: Optional comment example: This is a comment type: string Security_Endpoint_Management_API_EndDate: description: An end date in ISO format or Date Math format. 
example: '2023-10-31T23:59:59.999Z' type: string Security_Endpoint_Management_API_EndpointIds: description: List of endpoint IDs (cannot contain empty strings) example: - endpoint-id-1 - endpoint-id-2 items: minLength: 1 type: string minItems: 1 type: array Security_Endpoint_Management_API_EndpointMetadataResponse: example: host_status: healthy last_checkin: '2023-07-04T15:48:57.360Z' metadata: '@timestamp': '2023-07-04T15:48:57.3609346Z' agent: build: original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 data_stream: dataset: endpoint.metadata namespace: default type: metrics ecs: version: 1.11.0 elastic: agent: id: abb8a826-6812-448c-a571-6d8269b51449 Endpoint: capabilities: - isolation configuration: isolation: false policy: applied: endpoint_policy_version: '2' id: d5371dcd-93b7-4627-af88-4084f7d6aa3e name: test status: success version: '3' state: isolation: false status: enrolled event: action: endpoint_metadata agent_id_status: verified category: - host created: '2023-07-04T15:48:57.3609346Z' dataset: endpoint.metadata id: MNtRc++KoKHXXwlj+++++OhZ ingested: '2023-07-04T15:48:58Z' kind: metric module: endpoint sequence: 43757 type: - info host: architecture: x86_64 hostname: WinDev2104Eval id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 ip: - 10.0.2.15 - fe80::21a6:63d3:d70e:e3ad - 127.0.0.1 - '::1' mac: - 08:00:27:b1:1d:5a name: WinDev2104Eval os: Ext: variant: Windows 10 Enterprise Evaluation family: windows full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) kernel: 20H2 (10.0.19042.906) name: Windows platform: windows type: windows version: 20H2 (10.0.19042.906) message: Endpoint metadata policy_info: agent: applied: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 3 configured: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 3 endpoint: id: d5371dcd-93b7-4627-af88-4084f7d6aa3e revision: 2 type: object 
properties: {} Security_Endpoint_Management_API_ExecuteRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: parameters: type: object properties: command: $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' timeout: $ref: '#/components/schemas/Security_Endpoint_Management_API_Timeout' required: - command required: - parameters example: comment: Get list of all files endpoint_ids: - b3d6de74-36b0-4fa8-be46-c375bf1771bf parameters: command: ls -al timeout: 600 Security_Endpoint_Management_API_ExecuteRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentState: ed518850-681a-4d60-bb98-e22640cae2a8: isCompleted: false wasSuccessful: false agentType: endpoint command: execute comment: Get list of all files createdBy: myuser hosts: ed518850-681a-4d60-bb98-e22640cae2a8: name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r id: 9f934028-2300-4927-b531-b26376793dc4 isCompleted: false isExpired: false outputs: {} parameters: command: ls -al timeout: 600 startedAt: '2023-07-28T18:43:27.362Z' status: pending wasSuccessful: false type: object properties: {} Security_Endpoint_Management_API_GetEndpointActionListResponse: example: data: - agents: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 agentType: endpoint command: running-processes completedAt: '2022-08-08T09:50:47.672Z' createdBy: elastic id: b3d6de74-36b0-4fa8-be46-c375bf1771bf isCompleted: true isExpired: false startedAt: 
'2022-08-08T15:24:57.402Z' wasSuccessful: true - agents: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 agentType: endpoint command: isolate completedAt: '2022-08-08T10:41:57.352Z' createdBy: elastic id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 isCompleted: true isExpired: false startedAt: '2022-08-08T15:23:37.359Z' wasSuccessful: true - agents: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 agentType: endpoint command: kill-process comment: bad process - taking up too much cpu completedAt: '2022-08-08T09:44:50.952Z' createdBy: elastic id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa isCompleted: true isExpired: false startedAt: '2022-08-08T14:38:44.125Z' wasSuccessful: true - agents: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 agentType: endpoint command: unisolate comment: Not a threat to the network completedAt: '2022-08-08T09:40:47.398Z' createdBy: elastic id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a isCompleted: true isExpired: false startedAt: '2022-08-08T14:38:15.391Z' wasSuccessful: true elasticAgentIds: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 endDate: now page: 1 pageSize: 10 startDate: now-24h/h total: 4 type: object properties: {} Security_Endpoint_Management_API_GetEndpointActionResponse: example: data: agents: - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 agentType: endpoint command: running-processes completedAt: '2022-08-08T09:50:47.672Z' createdBy: elastic id: b3d6de74-36b0-4fa8-be46-c375bf1771bf isCompleted: true isExpired: false outputs: afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: content: entries: - command: /opt/cmd1 entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt pid: '822' user: Dexter - command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3 entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt pid: '984' user: Jada type: json startedAt: '2022-08-08T15:24:57.402Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_GetFileRouteRequestBody: allOf: - type: object properties: agent_type: $ref: 
'#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: parameters: type: object properties: path: type: string required: - path required: - parameters example: comment: Get my file endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: path: /usr/my-file.txt Security_Endpoint_Management_API_GetFileRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentState: ed518850-681a-4d60-bb98-e22640cae2a8: isCompleted: false wasSuccessful: false agentType: endpoint command: get-file createdBy: myuser hosts: ed518850-681a-4d60-bb98-e22640cae2a8: name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 isCompleted: false isExpired: false outputs: {} parameters: path: /usr/my-file.txt startedAt: '2023-07-28T19:00:03.911Z' status: pending wasSuccessful: false type: object properties: {} Security_Endpoint_Management_API_GetProcessesRouteRequestBody: example: endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: 
- endpoint_ids Security_Endpoint_Management_API_GetProcessesRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentType: endpoint command: running-processes comment: '' completedAt: '2022-07-29T19:09:44.961Z' createdBy: myuser errors: [] id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: true isExpired: false outputs: ed518850-681a-4d60-bb98-e22640cae2a8: content: key: value type: json parameters: {} startedAt: '2022-07-29T19:08:49.126Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_HostPathScriptParameters: type: object properties: commandLine: description: Command line arguments. minLength: 1 type: string hostPath: description: Absolute or relative path of script on host machine. minLength: 1 type: string timeout: description: Timeout in seconds. minimum: 1 type: integer required: - hostPath Security_Endpoint_Management_API_HostStatuses: description: A set of agent health statuses to filter by. example: - healthy - updating items: enum: - healthy - offline - updating - inactive - unenrolled type: string type: array Security_Endpoint_Management_API_IsolateRouteResponse: example: action: 233db9ea-6733-4849-9226-5a7039c7161d data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentType: endpoint command: suspend-process comment: suspend the process completedAt: '2022-07-29T19:09:44.961Z' createdBy: myuser errors: [] id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: true isExpired: false outputs: ed518850-681a-4d60-bb98-e22640cae2a8: content: key: value type: json parameters: entity_id: abc123 startedAt: '2022-07-29T19:08:49.126Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: 
'#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: parameters: oneOf: - type: object properties: pid: description: The process ID (PID) of the process to terminate. example: 123 minimum: 1 type: integer - type: object properties: entity_id: description: The entity ID of the process to terminate. example: abc123 minLength: 1 type: string - type: object properties: process_name: description: The name of the process to terminate. Valid for SentinelOne agent type only. example: Elastic minLength: 1 type: string required: - parameters example: comment: terminate the process endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: entity_id: abc123 Security_Endpoint_Management_API_KillProcessRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentType: endpoint command: kill-process comment: terminate the process completedAt: '2022-07-29T19:09:44.961Z' createdBy: myuser errors: [] id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: true isExpired: false outputs: ed518850-681a-4d60-bb98-e22640cae2a8: content: key: value type: json parameters: entity_id: abc123 startedAt: '2022-07-29T19:08:49.126Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_Kuery: description: A KQL string. 
example: 'united.endpoint.host.os.name : ''Windows''' type: string Security_Endpoint_Management_API_MetadataListResponse: example: data: - host_status: healthy last_checkin: '2023-07-04T15:47:57.432Z' metadata: '@timestamp': '2023-07-04T15:47:57.432173535Z' agent: build: original: 'version: 7.16.0, compiled: Tue Nov 16 16:00:00 2021, branch: 7.16, commit: 73a51033db85e0fb3be1c934697ef6a2b08979ab' id: 285297c6-3bff-4b83-9a07-f3e749801123 type: endpoint version: 7.16.0 data_stream: dataset: endpoint.metadata namespace: default type: metrics ecs: version: 1.11.0 elastic: agent: id: 285297c6-3bff-4b83-9a07-f3e749801123 Endpoint: capabilities: - isolation configuration: isolation: false policy: applied: endpoint_policy_version: '2' id: d5371dcd-93b7-4627-af88-4084f7d6aa3e name: test status: success version: '3' state: isolation: false status: enrolled event: action: endpoint_metadata agent_id_status: verified category: - host created: '2023-07-04T15:47:57.432173535Z' dataset: endpoint.metadata id: MNtSXK/SkhEBnmgt++++++7S ingested: '2023-07-04T15:47:58Z' kind: metric module: endpoint sequence: 400 type: - info host: architecture: x86_64 hostname: david-Xubuntu id: 0cfead88e2024bd8a27476352b5ab264 ip: - 127.0.0.1 - '::1' - 10.0.2.15 - fe80::2ac7:8e15:b957:2fa1 mac: - 08:00:27:e6:78:8b name: david-Xubuntu os: Ext: variant: Ubuntu family: ubuntu full: Ubuntu 20.04.2 kernel: '5.8.0-59-generic #66~20.04.1-Ubuntu SMP Thu Jun 17 11:14:10 UTC 2021' name: Linux platform: ubuntu type: linux version: 20.04.2 message: Endpoint metadata policy_info: agent: applied: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 0 configured: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 3 endpoint: id: d5371dcd-93b7-4627-af88-4084f7d6aa3e revision: 2 - host_status: healthy last_checkin: '2023-07-04T15:44:31.491Z' metadata: '@timestamp': '2023-07-04T15:44:31.4917849Z' agent: build: original: 'version: 7.16.0, compiled: Tue Nov 16 17:00:00 2021, branch: 7.16, commit: 
73a51033db85e0fb3be1c934697ef6a2b08979ab' id: abb8a826-6812-448c-a571-6d8269b51449 type: endpoint version: 7.16.0 data_stream: dataset: endpoint.metadata namespace: default type: metrics ecs: version: 1.11.0 elastic: agent: id: abb8a826-6812-448c-a571-6d8269b51449 Endpoint: capabilities: - isolation configuration: isolation: false policy: applied: endpoint_policy_version: '2' id: d5371dcd-93b7-4627-af88-4084f7d6aa3e name: test status: success version: '3' state: isolation: false status: enrolled event: action: endpoint_metadata agent_id_status: verified category: - host created: '2023-07-04T15:44:31.4917849Z' dataset: endpoint.metadata id: MNtRc++KoKHXXwlj+++++/N9 ingested: '2023-07-04T15:44:33Z' kind: metric module: endpoint sequence: 5159 type: - info host: architecture: x86_64 hostname: WinDev2104Eval id: 17d9cabc-7edd-43bc-bacb-8da5f5e6c0e5 ip: - 10.0.2.15 - fe80::21a6:63d3:d70e:e3ad - 127.0.0.1 - '::1' mac: - 08:00:27:b1:1d:5a name: WinDev2104Eval os: Ext: variant: Windows 10 Enterprise Evaluation family: windows full: Windows 10 Enterprise Evaluation 20H2 (10.0.19042.906) kernel: 20H2 (10.0.19042.906) name: Windows platform: windows type: windows version: 20H2 (10.0.19042.906) message: Endpoint metadata policy_info: agent: applied: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 0 configured: id: ed7e3720-4bad-11ec-a2a8-fb22e62a5753 revision: 3 endpoint: id: d5371dcd-93b7-4627-af88-4084f7d6aa3e revision: 2 page: 0 pageSize: 10 sortDirection: desc sortField: enrolled_at total: 2 type: object properties: {} Security_Endpoint_Management_API_Page: default: 1 description: Page number example: 1 minimum: 1 type: integer Security_Endpoint_Management_API_PageSize: default: 10 description: Number of items per page example: 10 maximum: 100 minimum: 1 type: integer Security_Endpoint_Management_API_Parameters: description: Optional parameters object type: object Security_Endpoint_Management_API_PendingActionDataType: type: integer 
Security_Endpoint_Management_API_PendingActionsSchema: oneOf: - type: object properties: execute: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' get-file: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' isolate: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' kill-process: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' running-processes: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' scan: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' suspend-process: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' unisolate: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' upload: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - additionalProperties: true type: object Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: type: object properties: note: type: string Security_Endpoint_Management_API_RawScriptParameters: type: object properties: commandLine: description: Command line arguments. minLength: 1 type: string raw: description: Raw script content. minLength: 1 type: string timeout: description: Timeout in seconds. minimum: 1 type: integer required: - raw Security_Endpoint_Management_API_RunScriptRouteRequestBody: type: object properties: parameters: description: Exactly one of 'Raw', 'HostPath', or 'CloudFile' must be provided. CommandLine and Timeout are optional for all. 
oneOf: - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters' - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters' - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters' required: - parameters Security_Endpoint_Management_API_ScanRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: parameters: type: object properties: path: description: The folder or file’s full path (including the file name). example: /usr/my-file.txt type: string required: - path required: - parameters example: comment: Scan the file for malware endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: path: /usr/my-file.txt Security_Endpoint_Management_API_ScanRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentState: ed518850-681a-4d60-bb98-e22640cae2a8: isCompleted: false wasSuccessful: false agentType: endpoint command: scan createdBy: myuser hosts: ed518850-681a-4d60-bb98-e22640cae2a8: name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 isCompleted: false isExpired: false outputs: {} parameters: path: /usr/my-file.txt startedAt: '2023-07-28T19:00:03.911Z' status: pending wasSuccessful: false type: object properties: {} Security_Endpoint_Management_API_SortDirection: description: Determines the sort order. 
enum: - asc - desc example: desc type: string Security_Endpoint_Management_API_SortField: description: Determines which field is used to sort the results. enum: - enrolled_at - metadata.host.hostname - host_status - metadata.Endpoint.policy.applied.name - metadata.Endpoint.policy.applied.status - metadata.host.os.name - metadata.host.ip - metadata.agent.version - last_checkin example: enrolled_at type: string Security_Endpoint_Management_API_StartDate: description: A start date in ISO 8601 format or Date Math format. example: '2023-10-31T00:00:00.000Z' type: string Security_Endpoint_Management_API_SuccessResponse: type: object properties: {} Security_Endpoint_Management_API_SuspendProcessRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: parameters: oneOf: - type: object properties: pid: description: The process ID (PID) of the process to suspend. example: 123 minimum: 1 type: integer - type: object properties: entity_id: description: The entity ID of the process to suspend. 
example: abc123 minLength: 1 type: string required: - parameters example: comment: suspend the process endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 parameters: entity_id: abc123 Security_Endpoint_Management_API_SuspendProcessRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentType: endpoint command: suspend-process comment: suspend the process completedAt: '2022-07-29T19:09:44.961Z' createdBy: myuser errors: [] id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: true isExpired: false outputs: ed518850-681a-4d60-bb98-e22640cae2a8: content: key: value type: json parameters: entity_id: abc123 startedAt: '2022-07-29T19:08:49.126Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_Timeout: description: The maximum timeout value in milliseconds (optional) minimum: 1 type: integer Security_Endpoint_Management_API_Type: description: Type of response action enum: - automated - manual type: string Security_Endpoint_Management_API_Types: description: List of types of response actions example: - automated - manual items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' maxLength: 2 minLength: 1 type: array Security_Endpoint_Management_API_UnisolateRouteResponse: example: action: 233db9ea-6733-4849-9226-5a7039c7161d data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentType: endpoint command: suspend-process comment: suspend the process completedAt: '2022-07-29T19:09:44.961Z' createdBy: myuser errors: [] id: 233db9ea-6733-4849-9226-5a7039c7161d isCompleted: true isExpired: false outputs: ed518850-681a-4d60-bb98-e22640cae2a8: content: key: value type: json parameters: entity_id: abc123 startedAt: '2022-07-29T19:08:49.126Z' wasSuccessful: true type: object properties: {} Security_Endpoint_Management_API_UploadRouteRequestBody: allOf: - type: object properties: agent_type: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' alert_ids: $ref: 
'#/components/schemas/Security_Endpoint_Management_API_AlertIds' case_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' comment: $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' endpoint_ids: $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' parameters: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids - type: object properties: file: description: The binary content of the file. example: RWxhc3RpYw== format: binary type: string parameters: type: object properties: overwrite: default: false description: Overwrite the file on the host if it already exists. example: false type: boolean required: - parameters - file example: endpoint_ids: - ed518850-681a-4d60-bb98-e22640cae2a8 file: RWxhc3RpYw== parameters: {} Security_Endpoint_Management_API_UploadRouteResponse: example: data: agents: - ed518850-681a-4d60-bb98-e22640cae2a8 agentState: ed518850-681a-4d60-bb98-e22640cae2a8: isCompleted: false wasSuccessful: false agentType: endpoint command: upload createdBy: elastic hosts: ed518850-681a-4d60-bb98-e22640cae2a8: name: Host-5i6cuc8kdv id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 isCompleted: false isExpired: false outputs: {} parameters: file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 file_name: fix-malware.sh file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a file_size: 69 startedAt: '2023-07-03T15:07:22.837Z' status: pending wasSuccessful: false type: object properties: {} Security_Endpoint_Management_API_UserIds: description: A list of user IDs. example: - user-id-1 - user-id-2 oneOf: - items: minLength: 1 type: string minItems: 1 type: array - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: description: A list of action IDs that should include the complete output of the action. 
example: - action-id-1 - action-id-2 oneOf: - items: minLength: 1 type: string minItems: 1 type: array - minLength: 1 type: string Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: type: object properties: index: type: integer message: type: string required: - message - index Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats: type: object properties: failed: type: integer successful: type: integer total: type: integer required: - successful - failed - total Security_Entity_Analytics_API_AssetCriticalityLevel: description: The criticality level of the asset. enum: - low_impact - medium_impact - high_impact - extreme_impact type: string Security_Entity_Analytics_API_AssetCriticalityRecord: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord' - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts' - type: object properties: '@timestamp': description: The time the record was created or updated. 
example: '2017-07-21T17:32:28Z' format: date-time type: string required: - '@timestamp' example: '@timestamp': '2024-08-02T11:15:34.290Z' asset: criticality: high_impact criticality_level: high_impact host: asset: criticality: high_impact name: my_host id_field: host.name id_value: my_host Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts: type: object properties: asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - asset host: type: object properties: asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: type: string required: - name service: type: object properties: asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: type: string required: - name user: type: object properties: asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality name: type: string required: - name required: - asset Security_Entity_Analytics_API_AssetCriticalityRecordIdParts: type: object properties: id_field: $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' description: The field representing the ID. example: host.name id_value: description: The ID value of the asset. 
type: string required: - id_value - id_field Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse: type: object properties: cleanup_successful: example: false type: boolean errors: items: type: object properties: error: type: string seq: type: integer required: - seq - error type: array required: - cleanup_successful - errors Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse: type: object properties: errors: items: type: object properties: error: type: string seq: type: integer required: - seq - error type: array risk_engine_saved_object_configured: example: false type: boolean required: - risk_engine_saved_object_configured - errors Security_Entity_Analytics_API_CreateAssetCriticalityRecord: allOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts' - type: object properties: criticality_level: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality_level Security_Entity_Analytics_API_EngineComponentResource: enum: - entity_engine - entity_definition - index - component_template - index_template - ingest_pipeline - enrich_policy - task - transform type: string Security_Entity_Analytics_API_EngineComponentStatus: type: object properties: errors: items: type: object properties: message: type: string title: type: string type: array health: enum: - green - yellow - red - unknown type: string id: type: string installed: type: boolean resource: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource' required: - id - installed - resource Security_Entity_Analytics_API_EngineDataviewUpdateResult: type: object properties: changes: type: object properties: indexPatterns: items: type: string type: array type: type: string required: - type Security_Entity_Analytics_API_EngineDescriptor: type: object properties: delay: default: 1m pattern: '[smdh]$' type: string docsPerSecond: type: integer error: type: object fieldHistoryLength: 
type: integer filter: type: string frequency: default: 1m pattern: '[smdh]$' type: string indexPattern: $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' lookbackPeriod: default: 24h pattern: '[smdh]$' type: string status: $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' timeout: default: 180s pattern: '[smdh]$' type: string timestampField: type: string type: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' required: - type - indexPattern - status - fieldHistoryLength Security_Entity_Analytics_API_EngineStatus: enum: - installing - started - stopped - updating - error type: string Security_Entity_Analytics_API_Entity: oneOf: - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' - $ref: '#/components/schemas/Security_Entity_Analytics_API_ServiceEntity' Security_Entity_Analytics_API_EntityRiskLevels: enum: - Unknown - Low - Moderate - High - Critical type: string Security_Entity_Analytics_API_EntityRiskScoreRecord: type: object properties: '@timestamp': description: The time at which the risk score was calculated. example: '2017-07-21T17:32:28Z' format: date-time type: string calculated_level: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' description: Lexical description of the entity's risk. example: Critical calculated_score: description: The raw numeric value of the given entity's risk score. format: double type: number calculated_score_norm: description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities. format: double maximum: 100 minimum: 0 type: number category_1_count: description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`). format: integer type: number category_1_score: description: The contribution of Category 1 to the overall risk score (`calculated_score`). 
Category 1 contains Detection Engine Alerts. format: double type: number category_2_count: format: integer type: number category_2_score: format: double type: number criticality_level: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' criticality_modifier: format: double type: number id_field: description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored. example: host.name type: string id_value: description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored. example: example.host type: string inputs: description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes. items: $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' type: array notes: items: type: string type: array required: - '@timestamp' - id_field - id_value - calculated_level - calculated_score - calculated_score_norm - category_1_score - category_1_count - inputs - notes Security_Entity_Analytics_API_EntityType: enum: - user - host - service type: string Security_Entity_Analytics_API_HostEntity: type: object properties: '@timestamp': format: date-time type: string asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality entity: type: object properties: name: type: string source: type: string required: - name - source event: type: object properties: ingested: format: date-time type: string host: type: object properties: architecture: items: type: string type: array domain: items: type: string type: array hostname: items: type: string type: array id: items: type: string type: array ip: items: type: string type: array mac: items: type: string type: array name: type: string risk: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' type: items: type: 
string type: array required: - name required: - host - entity Security_Entity_Analytics_API_IdField: enum: - host.name - user.name - service.name type: string Security_Entity_Analytics_API_IndexPattern: type: string Security_Entity_Analytics_API_InspectQuery: type: object properties: dsl: items: type: string type: array response: items: type: string type: array required: - dsl - response Security_Entity_Analytics_API_Interval: description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period, example: 1h pattern: ^[1-9]\d*[smh]$ type: string Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: type: object properties: full_error: type: string message: type: string required: - message - full_error Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: type: object properties: success: type: boolean Security_Entity_Analytics_API_RiskScoreInput: description: A generic representation of a document contributing to a Risk Score. type: object properties: category: description: The risk category of the risk input document. example: category_1 type: string contribution_score: format: double type: number description: description: A human-readable description of the risk input document. example: 'Generated from Detection Engine Rule: Malware Prevention Alert' type: string id: description: The unique identifier (`_id`) of the original source document example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c type: string index: description: The unique index (`_index`) of the original source document example: .internal.alerts-security.alerts-default-000001 type: string risk_score: description: The weighted risk score of the risk input document. format: double maximum: 100 minimum: 0 type: number timestamp: description: The @timestamp of the risk input document. 
example: '2017-07-21T17:32:28Z' type: string required: - id - index - description - category Security_Entity_Analytics_API_ServiceEntity: type: object properties: '@timestamp': format: date-time type: string asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality entity: type: object properties: name: type: string source: type: string required: - name - source event: type: object properties: ingested: format: date-time type: string service: type: object properties: name: type: string risk: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' required: - name required: - service - entity Security_Entity_Analytics_API_StoreStatus: enum: - not_installed - installing - running - stopped - error type: string Security_Entity_Analytics_API_TaskManagerUnavailableResponse: description: Task manager is unavailable type: object properties: message: type: string status_code: minimum: 400 type: integer required: - status_code - message Security_Entity_Analytics_API_UserEntity: type: object properties: '@timestamp': format: date-time type: string asset: type: object properties: criticality: $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel' required: - criticality entity: type: object properties: name: type: string source: type: string required: - name - source event: type: object properties: ingested: format: date-time type: string user: type: object properties: domain: items: type: string type: array email: items: type: string type: array full_name: items: type: string type: array hash: items: type: string type: array id: items: type: string type: array name: type: string risk: $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord' roles: items: type: string type: array required: - name required: - user - entity Security_Exceptions_API_CreateExceptionListItemComment: type: object properties: comment: 
$ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - comment Security_Exceptions_API_CreateExceptionListItemCommentArray: items: $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment' type: array Security_Exceptions_API_CreateRuleExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - comment Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: items: $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment' type: array Security_Exceptions_API_CreateRuleExceptionListItemProps: type: object properties: comments: $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray' default: [] description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: format: date-time type: string item_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' default: single os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' default: [] tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' default: [] type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' required: - type - name - description - entries Security_Exceptions_API_ExceptionList: type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version.
type: string created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: description: Autogenerated value - user that created object. type: string description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' immutable: type: boolean list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. type: string version: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' required: - id - list_id - type - name - description - immutable - namespace_type - version - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Exceptions_API_ExceptionListDescription: description: Describes the exception list. example: This list tracks allowlisted values. type: string Security_Exceptions_API_ExceptionListHumanId: description: Exception list's human readable string identifier, e.g. `trusted-linux-processes`. example: simple_list format: nonempty minLength: 1 type: string Security_Exceptions_API_ExceptionListId: description: Exception list's identifier. 
example: 9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85 format: nonempty minLength: 1 type: string Security_Exceptions_API_ExceptionListItem: type: object properties: _version: description: The version id, normally returned by the API when the item was retrieved. Use it to ensure updates are done against the latest version. type: string comments: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray' created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: description: Autogenerated value - user that created object. type: string description: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription' entries: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray' expire_time: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime' id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' item_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' meta: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' name: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' namespace_type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' os_types: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray' tags: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. type: string type: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: description: Autogenerated value - user that last updated object.
type: string required: - id - item_id - list_id - type - name - description - entries - namespace_type - comments - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Exceptions_API_ExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' created_at: description: Autogenerated date of object creation. format: date-time type: string created_by: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' id: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' updated_at: description: Autogenerated date of last object update. format: date-time type: string updated_by: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - id - comment - created_at - created_by Security_Exceptions_API_ExceptionListItemCommentArray: description: | Array of comment fields: - comment (string): Comments about the exception item. items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' type: array Security_Exceptions_API_ExceptionListItemDescription: description: Describes the exception list. 
type: string Security_Exceptions_API_ExceptionListItemEntry: anyOf: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard' discriminator: propertyName: type Security_Exceptions_API_ExceptionListItemEntryArray: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' type: array Security_Exceptions_API_ExceptionListItemEntryExists: type: object properties: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - exists type: string required: - type - field - operator Security_Exceptions_API_ExceptionListItemEntryList: type: object properties: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' list: type: object properties: id: $ref: '#/components/schemas/Security_Exceptions_API_ListId' type: $ref: '#/components/schemas/Security_Exceptions_API_ListType' required: - id - type operator: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - list type: string required: - type - field - list - operator Security_Exceptions_API_ExceptionListItemEntryMatch: type: object properties: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match type: string value: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - type - field - value - operator 
Security_Exceptions_API_ExceptionListItemEntryMatchAny: type: object properties: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - match_any type: string value: items: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' minItems: 1 type: array required: - type - field - value - operator Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: type: object properties: field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' operator: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator' type: enum: - wildcard type: string value: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - type - field - value - operator Security_Exceptions_API_ExceptionListItemEntryNested: type: object properties: entries: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem' minItems: 1 type: array field: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' type: enum: - nested type: string required: - type - field - entries Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: oneOf: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny' - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists' Security_Exceptions_API_ExceptionListItemEntryOperator: enum: - excluded - included type: string Security_Exceptions_API_ExceptionListItemExpireTime: description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions. format: date-time type: string Security_Exceptions_API_ExceptionListItemHumanId: description: Human readable string identifier, e.g. 
`trusted-linux-processes` example: simple_list_item format: nonempty minLength: 1 type: string Security_Exceptions_API_ExceptionListItemId: description: Exception's identifier. example: 71a9f4b2-c85c-49b4-866f-c71eb9e67da2 format: nonempty minLength: 1 type: string Security_Exceptions_API_ExceptionListItemMeta: additionalProperties: true type: object Security_Exceptions_API_ExceptionListItemName: description: Exception list name. format: nonempty minLength: 1 type: string Security_Exceptions_API_ExceptionListItemOsTypeArray: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' type: array Security_Exceptions_API_ExceptionListItemTags: items: description: String array containing words and phrases to help categorize exception items. format: nonempty minLength: 1 type: string type: array Security_Exceptions_API_ExceptionListItemType: enum: - simple type: string Security_Exceptions_API_ExceptionListMeta: additionalProperties: true description: Placeholder for metadata about the list container. type: object Security_Exceptions_API_ExceptionListName: description: The name of the exception list. example: My exception list type: string Security_Exceptions_API_ExceptionListOsType: description: Use this field to specify the operating system. enum: - linux - macos - windows type: string Security_Exceptions_API_ExceptionListOsTypeArray: description: Use this field to specify the operating system. Only enter one value. 
items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' type: array Security_Exceptions_API_ExceptionListsImportBulkError: type: object properties: error: type: object properties: message: type: string status_code: type: integer required: - status_code - message id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' item_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId' list_id: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' required: - error Security_Exceptions_API_ExceptionListsImportBulkErrorArray: items: $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError' type: array Security_Exceptions_API_ExceptionListTags: description: String array containing words and phrases to help categorize exception containers. items: type: string type: array Security_Exceptions_API_ExceptionListType: description: The type of exception list to be created. Different list types may denote where they can be utilized. enum: - detection - rule_default - endpoint - endpoint_trusted_apps - endpoint_events - endpoint_host_isolation_exceptions - endpoint_blocklists type: string Security_Exceptions_API_ExceptionListVersion: description: The document version, automatically increased on updates. minimum: 1 type: integer Security_Exceptions_API_ExceptionNamespaceType: description: | Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where: - `single`: Only available in the Kibana space in which it is created. - `agnostic`: Available in all Kibana spaces. enum: - agnostic - single type: string Security_Exceptions_API_FindExceptionListItemsFilter: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' Security_Exceptions_API_FindExceptionListsFilter: example: exception-list.attributes.name:%Detection%20List type: string Security_Exceptions_API_ListId: description: Value list's identifier. 
example: 21b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string Security_Exceptions_API_ListType: description: | Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - `ip`: IP addresses - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean - byte - date - date_nanos - date_range - double - double_range - float - float_range - geo_point - geo_shape - half_float - integer - integer_range - ip - ip_range - keyword - long - long_range - shape - short - text type: string Security_Exceptions_API_NonEmptyString: description: A string that does not contain only whitespace characters format: nonempty minLength: 1 type: string Security_Exceptions_API_PlatformErrorResponse: type: object properties: error: type: string message: type: string statusCode: type: integer required: - statusCode - error - message Security_Exceptions_API_RuleId: $ref: '#/components/schemas/Security_Exceptions_API_UUID' Security_Exceptions_API_SiemErrorResponse: type: object properties: message: type: string status_code: type: integer required: - status_code - message Security_Exceptions_API_UpdateExceptionListItemComment: type: object properties: comment: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' id: $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' required: - comment Security_Exceptions_API_UpdateExceptionListItemCommentArray: items: $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment' type: array Security_Exceptions_API_UUID: description: A universally unique identifier format: uuid type: string Security_Lists_API_FindListItemsCursor: description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). 
This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly. example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d format: nonempty minLength: 1 type: string Security_Lists_API_FindListItemsFilter: example: value:127.0.0.1 type: string Security_Lists_API_FindListsCursor: example: WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d format: nonempty minLength: 1 type: string Security_Lists_API_FindListsFilter: example: value:127.0.0.1 type: string Security_Lists_API_List: type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' '@timestamp': example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_at: description: Autogenerated date of object creation. example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: description: Autogenerated value - user that created object. example: elastic type: string description: $ref: '#/components/schemas/Security_Lists_API_ListDescription' deserializer: $ref: '#/components/schemas/Security_Lists_API_ListDeserializer' id: $ref: '#/components/schemas/Security_Lists_API_ListId' immutable: type: boolean meta: $ref: '#/components/schemas/Security_Lists_API_ListMetadata' name: $ref: '#/components/schemas/Security_Lists_API_ListName' serializer: $ref: '#/components/schemas/Security_Lists_API_ListSerializer' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string type: $ref: '#/components/schemas/Security_Lists_API_ListType' updated_at: description: Autogenerated date of last object update. example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. 
example: elastic type: string version: $ref: '#/components/schemas/Security_Lists_API_ListVersion' required: - id - type - name - description - immutable - version - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Lists_API_ListDescription: description: Describes the value list. format: nonempty minLength: 1 type: string Security_Lists_API_ListDeserializer: description: | Determines how retrieved list item values are presented. By default list items are presented using these Handlebars expressions: - `{{{value}}}` - Single value item types, such as `ip`, `long`, `date`, `keyword`, and `text`. - `{{{gte}}}-{{{lte}}}` - Range value item types, such as `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`. - `{{{gte}}},{{{lte}}}` - Date range values. example: '{{value}}' type: string Security_Lists_API_ListId: description: Value list's identifier. example: 21b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string Security_Lists_API_ListItem: type: object properties: _version: $ref: '#/components/schemas/Security_Lists_API_ListVersionId' '@timestamp': example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_at: description: Autogenerated date of object creation. example: '2025-01-08T04:47:34.273Z' format: date-time type: string created_by: description: Autogenerated value - user that created object. example: elastic type: string deserializer: $ref: '#/components/schemas/Security_Lists_API_ListDeserializer' id: $ref: '#/components/schemas/Security_Lists_API_ListItemId' list_id: $ref: '#/components/schemas/Security_Lists_API_ListId' meta: $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' serializer: $ref: '#/components/schemas/Security_Lists_API_ListSerializer' tie_breaker_id: description: Field used in search to ensure all containers are sorted and returned correctly. 
example: f5508188-b1e9-4e6e-9662-d039a7d89899 type: string type: $ref: '#/components/schemas/Security_Lists_API_ListType' updated_at: description: Autogenerated date of last object update. example: '2025-01-08T04:47:34.273Z' format: date-time type: string updated_by: description: Autogenerated value - user that last updated object. example: elastic type: string value: $ref: '#/components/schemas/Security_Lists_API_ListItemValue' required: - id - type - list_id - value - tie_breaker_id - created_at - created_by - updated_at - updated_by Security_Lists_API_ListItemId: description: Value list item's identifier. example: 54b01cfb-058d-44b9-838c-282be16c91cd format: nonempty minLength: 1 type: string Security_Lists_API_ListItemMetadata: additionalProperties: true description: Placeholder for metadata about the value list item. type: object Security_Lists_API_ListItemPrivileges: type: object properties: application: additionalProperties: type: boolean type: object cluster: additionalProperties: type: boolean type: object has_all_requested: type: boolean index: additionalProperties: additionalProperties: type: boolean type: object type: object username: type: string required: - username - has_all_requested - cluster - index - application Security_Lists_API_ListItemValue: description: The value used to evaluate exceptions. format: nonempty minLength: 1 type: string Security_Lists_API_ListMetadata: additionalProperties: true description: Placeholder for metadata about the value list. type: object Security_Lists_API_ListName: description: Value list's name. 
example: List of bad IPs format: nonempty minLength: 1 type: string Security_Lists_API_ListPrivileges: type: object properties: application: additionalProperties: type: boolean type: object cluster: additionalProperties: type: boolean type: object has_all_requested: type: boolean index: additionalProperties: additionalProperties: type: boolean type: object type: object username: type: string required: - username - has_all_requested - cluster - index - application Security_Lists_API_ListSerializer: description: | Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups: - `(?<value>.+)` - Single value item types, such as ip, long, date, keyword, and text. - `(?<gte>.+)-(?<lte>.+)|(?<value>.+)` - Range value item types, such as `date_range`, `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`. example: (?<value>((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)) type: string Security_Lists_API_ListType: description: | Specifies the Elasticsearch data type of excludes the list container holds. Some common examples: - `keyword`: Many ECS fields are Elasticsearch keywords - `ip`: IP addresses - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation) enum: - binary - boolean - byte - date - date_nanos - date_range - double - double_range - float - float_range - geo_point - geo_shape - half_float - integer - integer_range - ip - ip_range - keyword - long - long_range - shape - short - text type: string Security_Lists_API_ListVersion: description: The document version number. example: 1 minimum: 1 type: integer Security_Lists_API_ListVersionId: description: | The version id, normally returned by the API when the document is retrieved. Use it to ensure updates are done against the latest version. 
example: WzIsMV0= type: string Security_Lists_API_PlatformErrorResponse: type: object properties: error: type: string message: type: string statusCode: type: integer required: - statusCode - error - message Security_Lists_API_SiemErrorResponse: type: object properties: message: type: string status_code: type: integer required: - status_code - message Security_Osquery_API_ArrayQueries: description: An array of queries to run. items: $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' type: array Security_Osquery_API_ArrayQueriesItem: type: object properties: ecs_mapping: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_QueryId' platform: $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' snapshot: $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' version: $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' Security_Osquery_API_CreateLiveQueryRequestBody: example: agent_all: true ecs_mapping: host.uptime: field: total_seconds query: select * from uptime; type: object properties: agent_all: description: When `true`, the query runs on all agents. type: boolean agent_ids: description: A list of agent IDs to run the query on. items: type: string type: array agent_platforms: description: A list of agent platforms to run the query on. items: type: string type: array agent_policy_ids: description: A list of agent policy IDs to run the query on. items: type: string type: array alert_ids: description: A list of alert IDs associated with the live query. items: type: string type: array case_ids: description: A list of case IDs associated with the live query. 
items: type: string type: array ecs_mapping: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' event_ids: description: A list of event IDs associated with the live query. items: type: string type: array metadata: description: Custom metadata object associated with the live query. nullable: true type: object pack_id: $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' queries: $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' query: $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' saved_query_id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' Security_Osquery_API_CreateLiveQueryResponse: example: data: '@timestamp': '2022-07-26T09:59:32.220Z' action_id: 3c42c847-eb30-4452-80e0-728584042334 agent_all: true agent_ids: [] agent_platforms: [] agent_policy_ids: [] agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 expiration: '2022-07-26T10:04:32.220Z' input_type: osquery metadata: execution_context: name: osquery url: /app/osquery/live_queries/new queries: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 ecs_mapping: host.uptime: field: total_seconds id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 query: select * from uptime; timeout: 120 type: INPUT_ACTION user_id: elastic type: object properties: {} Security_Osquery_API_CreatePacksRequestBody: example: description: My pack enabled: true name: my_pack policy_ids: - my_policy_id - fleet-server-policy queries: my_query: ecs_mapping: client.port: field: port tags: value: - tag1 - tag2 interval: 60 query: SELECT * FROM listening_ports; timeout: 120 shards: fleet-server-policy: 58 my_policy_id: 35 type: object properties: description: $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' enabled: $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: $ref: 
'#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: $ref: '#/components/schemas/Security_Osquery_API_Shards' Security_Osquery_API_CreatePacksResponse: example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: My pack enabled: true name: my_pack queries: ports: ecs_mapping: client.port: field: port interval: 60 query: SELECT * FROM listening_ports; removed: false snapshot: true timeout: 120 saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 shards: - key: 47638692-7c4c-4053-aa3e-7186f28df349 value: 35 - key: 5e267651-fe50-443e-8d3f-3bbc9171b618 value: 58 updated_at: '2025-02-26T13:37:30.452Z' updated_by: elastic type: object properties: {} Security_Osquery_API_CreateSavedQueryRequestBody: example: description: Saved query description ecs_mapping: host.uptime: field: total_seconds id: saved_query_id interval: '60' platform: linux,darwin query: select * from uptime; timeout: 120 version: 2.8.0 type: object properties: description: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined' ecs_mapping: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: $ref: '#/components/schemas/Security_Osquery_API_Interval' platform: $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' removed: $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' snapshot: $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' version: $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' Security_Osquery_API_CreateSavedQueryResponse: example: data: {} type: object properties: {} Security_Osquery_API_DefaultSuccessResponse: type: object properties: {} Security_Osquery_API_ECSMapping: additionalProperties: $ref: 
'#/components/schemas/Security_Osquery_API_ECSMappingItem' description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields example: host.uptime: field: total_seconds type: object Security_Osquery_API_ECSMappingItem: type: object properties: field: description: The ECS field to map to. example: host.uptime type: string value: description: The value to map to the ECS field. example: total_seconds oneOf: - type: string - items: type: string type: array Security_Osquery_API_ECSMappingOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' nullable: true Security_Osquery_API_Enabled: description: Enables the pack. example: true type: boolean Security_Osquery_API_EnabledOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Enabled' nullable: true Security_Osquery_API_FindLiveQueryDetailsResponse: example: data: '@timestamp': '2022-07-26T09:59:32.220Z' action_id: 3c42c847-eb30-4452-80e0-728584042334 agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 expiration: '2022-07-26T10:04:32.220Z' queries: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 docs: 0 ecs_mapping: host.uptime: field: total_seconds failed: 1 id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 pending: 0 query: select * from uptime; responded: 1 saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d status: completed successful: 0 status: completed user_id: elastic type: object properties: {} Security_Osquery_API_FindLiveQueryResponse: example: data: items: - fields: '@timestamp': '2023-10-31T00:00:00Z' action_id: 3c42c847-eb30-4452-80e0-728584042334 agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 expiration: '2023-10-31T00:00:00Z' queries: - action_id: 609c4c66-ba3d-43fa-afdd-53e244577aa0 agents: - 16d7caf5-efd2-4212-9b62-73dafc91fa13 ecs_mapping: host.uptime: field: total_seconds id: 6724a474-cbba-41ef-a1aa-66aebf0879e2 query: select * from uptime; saved_query_id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d user_id: elastic 
type: object properties: {} Security_Osquery_API_FindPackResponse: example: data: created_at: '2022-07-25T19:41:10.263Z' created_by: elastic description: '' enabled: true id: 3c42c847-eb30-4452-80e0-728584042334 name: test_pack namespaces: - default policy_ids: [] queries: uptime: ecs_mapping: message: field: days interval: 3600 query: select * from uptime read_only: false type: osquery-pack updated_at: '2022-07-25T20:12:01.455Z' updated_by: elastic type: object properties: {} Security_Osquery_API_FindPacksResponse: example: data: - attributes: created_at: '2023-10-31T00:00:00Z' created_by: elastic description: My pack description enabled: true name: My Pack queries: - ecs_mapping: - host.uptime: field: total_seconds id: uptime interval: '3600' query: select * from uptime; updated_at: '2023-10-31T00:00:00Z' updated_by: elastic id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d namespaces: - default type: osquery-pack page: 1 pageSize: 10 policy_ids: [] total: 1 type: object properties: {} Security_Osquery_API_FindSavedQueryDetailResponse: example: data: attributes: created_at: '2022-07-26T09:28:08.597Z' created_by: elastic description: Saved query description ecs_mapping: host.uptime: field: total_seconds id: saved_query_id interval: '60' platform: linux,darwin prebuilt: false query: select * from uptime; updated_at: '2022-07-26T09:28:08.597Z' updated_by: elastic version: 2.8.0 coreMigrationVersion: 8.4.0 id: 3c42c847-eb30-4452-80e0-728584042334 namespaces: - default references: [] type: osquery-saved-query updated_at: '2022-07-26T09:28:08.600Z' version: WzQzMTcsMV0= type: object properties: {} Security_Osquery_API_FindSavedQueryResponse: example: data: - attributes: created_at: '2022-07-26T09:28:08.597Z' created_by: elastic description: Saved query description ecs_mapping: host.uptime: field: total_seconds id: saved_query_id interval: '60' platform: linux,darwin prebuilt: false query: select * from uptime; updated_at: '2022-07-26T09:28:08.597Z' updated_by: elastic version: 
2.8.0 id: 42ba9c50-0cc5-11ed-aa1d-2b27890bc90d namespaces: - default type: osquery-saved-query page: 1 per_page: 100 total: 11 type: object properties: {} Security_Osquery_API_GetLiveQueryResultsResponse: description: The response for getting live query results. example: data: edges: - {} - {} total: 2 type: object properties: {} Security_Osquery_API_Interval: description: An interval, in seconds, on which to run the query. example: '60' type: string Security_Osquery_API_IntervalOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Interval' nullable: true Security_Osquery_API_KueryOrUndefined: description: The kuery to filter the results by. example: 'agent.id: 16d7caf5-efd2-4212-9b62-73dafc91fa13' nullable: true type: string Security_Osquery_API_ObjectQueries: additionalProperties: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' description: An object of queries. type: object Security_Osquery_API_ObjectQueriesItem: type: object properties: ecs_mapping: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_QueryId' platform: $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: $ref: '#/components/schemas/Security_Osquery_API_Query' removed: $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' saved_query_id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' snapshot: $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' version: $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' Security_Osquery_API_PackDescription: description: The pack description. example: Pack description type: string Security_Osquery_API_PackDescriptionOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_PackDescription' nullable: true Security_Osquery_API_PackId: description: The ID of the pack you want to run, retrieve, update, or delete. 
example: 3c42c847-eb30-4452-80e0-728584042334 type: string Security_Osquery_API_PackIdOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_PackId' nullable: true Security_Osquery_API_PackName: description: The pack name. type: string Security_Osquery_API_PageOrUndefined: description: The page number to return. The default is 1. example: 1 nullable: true type: integer Security_Osquery_API_PageSizeOrUndefined: description: The number of results to return per page. The default is 20. example: 20 nullable: true type: integer Security_Osquery_API_Platform: description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`. example: linux,darwin type: string Security_Osquery_API_PlatformOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Platform' nullable: true Security_Osquery_API_PolicyIds: description: A list of agents policy IDs. example: - policyId1 - policyId2 items: type: string type: array Security_Osquery_API_PolicyIdsOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' nullable: true Security_Osquery_API_Query: description: The SQL query you want to run. example: select * from uptime; type: string Security_Osquery_API_QueryId: description: The ID of the query. example: 3c42c847-eb30-4452-80e0-728584042334 type: string Security_Osquery_API_QueryOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Query' nullable: true Security_Osquery_API_Removed: description: Indicates whether the query is removed. example: false type: boolean Security_Osquery_API_RemovedOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Removed' nullable: true Security_Osquery_API_SavedQueryDescription: description: The saved query description. 
example: Saved query description type: string Security_Osquery_API_SavedQueryDescriptionOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription' nullable: true Security_Osquery_API_SavedQueryId: description: The ID of a saved query. example: 3c42c847-eb30-4452-80e0-728584042334 type: string Security_Osquery_API_SavedQueryIdOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' nullable: true Security_Osquery_API_Shards: additionalProperties: type: number description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts. example: policy_id: 50 type: object Security_Osquery_API_Snapshot: description: Indicates whether the query is a snapshot. example: true type: boolean Security_Osquery_API_SnapshotOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Snapshot' nullable: true Security_Osquery_API_SortOrderOrUndefined: description: Specifies the sort order. enum: - asc - desc example: desc type: string Security_Osquery_API_SortOrUndefined: default: createdAt description: The field that is used to sort the results. 
example: createdAt nullable: true type: string Security_Osquery_API_UpdatePacksRequestBody: example: name: updated_my_pack_name type: object properties: description: $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined' enabled: $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' name: $ref: '#/components/schemas/Security_Osquery_API_PackName' policy_ids: $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' queries: $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' shards: $ref: '#/components/schemas/Security_Osquery_API_Shards' Security_Osquery_API_UpdatePacksResponse: example: data: created_at: '2025-02-26T13:37:30.452Z' created_by: elastic description: My pack enabled: true name: updated_my_pack_name queries: ports: ecs_mapping: client.port: field: port interval: 60 query: SELECT * FROM listening_ports; removed: false snapshot: true timeout: 120 saved_object_id: 1c266590-381f-428c-878f-c80c1334f856 shards: - key: 47638692-7c4c-4053-aa3e-7186f28df349 value: 35 - key: 5e267651-fe50-443e-8d3f-3bbc9171b618 value: 58 updated_at: '2025-02-26T13:40:16.297Z' updated_by: elastic type: object properties: {} Security_Osquery_API_UpdateSavedQueryRequestBody: example: id: updated_my_saved_query_name type: object properties: description: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined' ecs_mapping: $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' id: $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' interval: $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' platform: $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' query: $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' removed: $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' snapshot: $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' version: $ref: 
'#/components/schemas/Security_Osquery_API_VersionOrUndefined' Security_Osquery_API_UpdateSavedQueryResponse: example: data: {} type: object properties: {} Security_Osquery_API_Version: description: Uses the Osquery versions greater than or equal to the specified version string. example: 1.0.0 type: string Security_Osquery_API_VersionOrUndefined: $ref: '#/components/schemas/Security_Osquery_API_Version' nullable: true Security_Timeline_API_AssociatedFilterType: description: Filter notes based on their association with a document or saved object. enum: - all - document_only - saved_object_only - document_and_saved_object - orphan type: string Security_Timeline_API_BareNote: allOf: - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata' - type: object properties: eventId: description: The `_id` of the associated event for this note. example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc nullable: true type: string note: description: The text of the note example: This is an example text nullable: true type: string timelineId: description: The `savedObjectId` of the Timeline that this note is associated with example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: - timelineId Security_Timeline_API_BarePinnedEvent: allOf: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata' - type: object properties: eventId: description: The `_id` of the associated event for this pinned event. 
example: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bc type: string timelineId: description: The `savedObjectId` of the timeline that this pinned event is associated with example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string required: - eventId - timelineId Security_Timeline_API_ColumnHeaderResult: type: object properties: aggregatable: nullable: true type: boolean category: nullable: true type: string columnHeaderType: nullable: true type: string description: nullable: true type: string example: nullable: true type: string id: nullable: true type: string indexes: items: type: string nullable: true type: array name: nullable: true type: string placeholder: nullable: true type: string searchable: nullable: true type: boolean type: nullable: true type: string Security_Timeline_API_DataProviderQueryMatch: type: object properties: enabled: nullable: true type: boolean excluded: nullable: true type: boolean id: nullable: true type: string kqlQuery: nullable: true type: string name: nullable: true type: string queryMatch: $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' nullable: true type: $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' nullable: true Security_Timeline_API_DataProviderResult: type: object properties: and: items: $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' nullable: true type: array enabled: nullable: true type: boolean excluded: nullable: true type: boolean id: nullable: true type: string kqlQuery: nullable: true type: string name: nullable: true type: string queryMatch: $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' nullable: true type: $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' nullable: true Security_Timeline_API_DataProviderType: description: The type of data provider. 
enum: - default - template type: string Security_Timeline_API_DocumentIds: oneOf: - items: type: string type: array - type: string Security_Timeline_API_FavoriteTimelineResponse: type: object properties: code: nullable: true type: number favorite: items: $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' type: array message: nullable: true type: string savedObjectId: type: string templateTimelineId: nullable: true type: string templateTimelineVersion: nullable: true type: number timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' version: type: string required: - savedObjectId - version Security_Timeline_API_FavoriteTimelineResult: description: Indicates when and who marked a Timeline as a favorite. example: favoriteDate: 1741337636741 userName: elastic type: object properties: favoriteDate: nullable: true type: number fullName: nullable: true type: string userName: nullable: true type: string Security_Timeline_API_FilterTimelineResult: example: meta: alias: Custom filter name disabled: false index: .alerts-security.alerts-default,logs-* key: '@timestamp' negate: false, type: exists value: exists query: '{"exists":{"field":"@timestamp"}}' type: object properties: exists: nullable: true type: string match_all: nullable: true type: string meta: nullable: true type: object properties: alias: nullable: true type: string controlledBy: nullable: true type: string disabled: nullable: true type: boolean field: nullable: true type: string formattedValue: nullable: true type: string index: nullable: true type: string key: nullable: true type: string negate: nullable: true type: boolean params: nullable: true type: string type: nullable: true type: string value: nullable: true type: string missing: nullable: true type: string query: nullable: true type: string range: nullable: true type: string script: nullable: true type: string Security_Timeline_API_GetNotesResult: type: object properties: notes: items: $ref: 
'#/components/schemas/Security_Timeline_API_Note' type: array totalCount: type: number required: - totalCount - notes Security_Timeline_API_ImportTimelineResult: type: object properties: errors: description: The list of failed Timeline imports items: type: object properties: error: description: The error containing the reason why the timeline could not be imported type: object properties: message: description: The reason why the timeline could not be imported example: Malformed JSON type: string status_code: description: The HTTP status code of the error example: 400 type: number id: description: The ID of the timeline that failed to import example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 type: string type: array success: description: Indicates whether any of the Timelines were successfully imported type: boolean success_count: description: The amount of successfully imported/updated Timelines example: 99 type: number timelines_installed: description: The amount of successfully installed Timelines example: 80 type: number timelines_updated: description: The amount of successfully updated Timelines example: 19 type: number Security_Timeline_API_ImportTimelines: allOf: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - type: object properties: eventNotes: items: $ref: '#/components/schemas/Security_Timeline_API_BareNote' nullable: true type: array globalNotes: items: $ref: '#/components/schemas/Security_Timeline_API_BareNote' nullable: true type: array pinnedEventIds: items: type: string nullable: true type: array savedObjectId: nullable: true type: string version: nullable: true type: string required: - savedObjectId - version - pinnedEventIds - eventNotes - globalNotes Security_Timeline_API_Note: allOf: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - type: object properties: noteId: description: The `savedObjectId` of the note example: 709f99c6-89b6-4953-9160-35945c8e174e type: string version: description: The version of the note
example: WzQ2LDFd type: string required: - noteId - version Security_Timeline_API_NoteCreatedAndUpdatedMetadata: type: object properties: created: description: The time the note was created, using a 13-digit Epoch timestamp. example: 1587468588922 nullable: true type: number createdBy: description: The user who created the note. example: casetester nullable: true type: string updated: description: The last time the note was updated, using a 13-digit Epoch timestamp example: 1741344876825 nullable: true type: number updatedBy: description: The user who last updated the note example: casetester nullable: true type: string Security_Timeline_API_PersistPinnedEventResponse: oneOf: - allOf: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventBaseResponseBody' - nullable: true type: object Security_Timeline_API_PersistTimelineResponse: type: object properties: data: type: object properties: persistTimeline: type: object properties: timeline: $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' required: - timeline required: - persistTimeline required: - data Security_Timeline_API_PinnedEvent: allOf: - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - type: object properties: pinnedEventId: description: The `savedObjectId` of this pinned event example: 10r1929b-0af7-42bd-85a8-56e234f98h2f3 type: string version: description: The version of this pinned event example: WzQ2LDFe type: string required: - pinnedEventId - version Security_Timeline_API_PinnedEventBaseResponseBody: type: object properties: code: type: number message: type: string required: - code Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata: type: object properties: created: description: The time the pinned event was created, using a 13-digit Epoch timestamp. example: 1587468588922 nullable: true type: number createdBy: description: The user who created the pinned event. 
example: casetester nullable: true type: string updated: description: The last time the pinned event was updated, using a 13-digit Epoch timestamp example: 1741344876825 nullable: true type: number updatedBy: description: The user who last updated the pinned event example: casetester nullable: true type: string Security_Timeline_API_QueryMatchResult: type: object properties: displayField: nullable: true type: string displayValue: nullable: true type: string field: nullable: true type: string operator: nullable: true type: string value: oneOf: - nullable: true type: string - items: type: string nullable: true type: array Security_Timeline_API_ResolvedTimeline: type: object properties: alias_purpose: $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose' alias_target_id: type: string outcome: $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' timeline: $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject' required: - timeline - outcome Security_Timeline_API_ResponseNote: type: object properties: code: type: number message: type: string note: $ref: '#/components/schemas/Security_Timeline_API_Note' required: - code - message - note Security_Timeline_API_RowRendererId: description: Identifies the available row renderers enum: - alert - alerts - auditd - auditd_file - library - netflow - plain - registry - suricata - system - system_dns - system_endgame_process - system_file - system_fim - system_security_event - system_socket - threat_match - zeek type: string Security_Timeline_API_SavedObjectIds: oneOf: - items: type: string type: array - type: string Security_Timeline_API_SavedObjectResolveAliasPurpose: enum: - savedObjectConversion - savedObjectImport type: string Security_Timeline_API_SavedObjectResolveOutcome: enum: - exactMatch - aliasMatch - conflict type: string Security_Timeline_API_SavedTimeline: type: object properties: columns: description: The Timeline's columns example: - 
columnHeaderType: not-filtered id: '@timestamp' - columnHeaderType: not-filtered id: event.category items: $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' nullable: true type: array created: description: The time the Timeline was created, using a 13-digit Epoch timestamp. example: 1587468588922 nullable: true type: number createdBy: description: The user who created the Timeline. example: casetester nullable: true type: string dataProviders: description: Object containing query clauses example: - enabled: true excluded: false id: id-d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b name: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b queryMatch: field: _id, operator: ':' value: d3a1d35a3e84a81b2f8f3859e064c224cdee1b4bcbf66f57d124dcc739c98e6b, items: $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' nullable: true type: array dataViewId: description: ID of the Timeline's Data View example: security-solution-default nullable: true type: string dateRange: description: The Timeline's search period. 
example: end: 1587456479201 start: 1587370079200 nullable: true type: object properties: end: oneOf: - nullable: true type: string - nullable: true type: number start: oneOf: - nullable: true type: string - nullable: true type: number description: description: The Timeline's description example: Investigating exposure of CVE XYZ nullable: true type: string eqlOptions: description: EQL query that is used in the correlation tab example: eventCategoryField: event.category query: sequence\n[process where process.name == "sudo"]\n[any where true] size: 100 timestampField: '@timestamp' nullable: true type: object properties: eventCategoryField: nullable: true type: string query: nullable: true type: string size: oneOf: - nullable: true type: string - nullable: true type: number tiebreakerField: nullable: true type: string timestampField: nullable: true type: string eventType: deprecated: true description: Event types displayed in the Timeline example: all nullable: true type: string excludedRowRendererIds: description: A list of row renderers that should not be used when in `Event renderers` mode items: $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' nullable: true type: array favorite: items: $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' nullable: true type: array filters: description: A list of filters that should be applied to the query items: $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' nullable: true type: array indexNames: description: A list of index names to use in the query (e.g. 
when the default data view has been modified) example: - .logs* items: type: string nullable: true type: array kqlMode: description: |- Indicates whether the KQL bar filters the query results or searches for additional results, where: * `filter`: filters query results * `search`: displays additional search results example: search nullable: true type: string kqlQuery: $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult' nullable: true savedQueryId: description: The ID of the saved query that might be used in the Query tab example: c7b16904-02d7-4f32-b8f2-cc20f9625d6e nullable: true type: string savedSearchId: description: The ID of the saved search that is used in the ES|QL tab example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string sort: $ref: '#/components/schemas/Security_Timeline_API_Sort' nullable: true status: $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' nullable: true templateTimelineId: description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`. example: 6ce1b592-84e3-4b4a-9552-f189d4b82075 nullable: true type: string templateTimelineVersion: description: Timeline template version number. For Timelines, the value is `null`. example: 12 nullable: true type: number timelineType: $ref: '#/components/schemas/Security_Timeline_API_TimelineType' nullable: true title: description: The Timeline's title. 
example: CVE XYZ investigation nullable: true type: string updated: description: The last time the Timeline was updated, using a 13-digit Epoch timestamp example: 1741344876825 nullable: true type: number updatedBy: description: The user who last updated the Timeline example: casetester nullable: true type: string Security_Timeline_API_SavedTimelineWithSavedObjectId: allOf: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - type: object properties: savedObjectId: description: The `savedObjectId` of the Timeline or Timeline template example: 15c1929b-0af7-42bd-85a8-56e234cc7c4e type: string version: description: The version of the Timeline or Timeline template example: WzE0LDFd type: string required: - savedObjectId - version Security_Timeline_API_SerializedFilterQueryResult: description: KQL bar query. example: filterQuery: null kuery: expression: '_id : *' kind: kuery serializedQuery: '{"bool":{"should":[{"exists":{"field":"_id"}}],"minimum_should_match":1}}' type: object properties: filterQuery: nullable: true type: object properties: kuery: nullable: true type: object properties: expression: nullable: true type: string kind: nullable: true type: string serializedQuery: nullable: true type: string Security_Timeline_API_Sort: oneOf: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - items: $ref: '#/components/schemas/Security_Timeline_API_SortObject' type: array Security_Timeline_API_SortFieldTimeline: description: The field to sort the timelines by. 
enum: - title - description - updated - created type: string Security_Timeline_API_SortObject: description: Object indicating how rows are sorted in the Timeline's grid example: columnId: '@timestamp' sortDirection: desc type: object properties: columnId: nullable: true type: string columnType: nullable: true type: string sortDirection: nullable: true type: string Security_Timeline_API_TimelineResponse: allOf: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId' - type: object properties: eventIdToNoteIds: description: A list of all the notes that are associated to this Timeline. items: $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true type: array noteIds: description: A list of all the ids of notes that are associated to this Timeline. example: - 709f99c6-89b6-4953-9160-35945c8e174e items: type: string nullable: true type: array notes: description: A list of all the notes that are associated to this Timeline. items: $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true type: array pinnedEventIds: description: A list of all the ids of pinned events that are associated to this Timeline. example: - 983f99c6-89b6-4953-9160-35945c8a194f items: type: string nullable: true type: array pinnedEventsSaveObject: description: A list of all the pinned events that are associated to this Timeline. 
items: $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' nullable: true type: array Security_Timeline_API_TimelineSavedToReturnObject: allOf: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - type: object properties: eventIdToNoteIds: items: $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true type: array noteIds: items: type: string nullable: true type: array notes: items: $ref: '#/components/schemas/Security_Timeline_API_Note' nullable: true type: array pinnedEventIds: items: type: string nullable: true type: array pinnedEventsSaveObject: items: $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' nullable: true type: array savedObjectId: type: string version: type: string required: - savedObjectId - version Security_Timeline_API_TimelineStatus: description: The status of the Timeline. enum: - active - draft - immutable type: string Security_Timeline_API_TimelineType: description: The type of Timeline. enum: - default - template type: string Short_URL_APIs_urlResponse: type: object properties: accessCount: type: integer accessDate: type: string createDate: type: string id: description: The identifier for the short URL. type: string locator: type: object properties: id: description: The identifier for the locator. type: string state: description: The locator parameters. type: object version: description: The version of Kibana when the short URL was created. type: string slug: description: | A random human-readable slug is automatically generated if the `humanReadableSlug` parameter is set to `true`. If it is set to `false`, a random short string is generated. 
type: string SLOs_400_response: title: Bad request type: object properties: error: example: Bad Request type: string message: example: 'Invalid value ''foo'' supplied to: [...]' type: string statusCode: example: 400 type: number required: - statusCode - error - message SLOs_401_response: title: Unauthorized type: object properties: error: example: Unauthorized type: string message: example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" type: string statusCode: example: 401 type: number required: - statusCode - error - message SLOs_403_response: title: Unauthorized type: object properties: error: example: Unauthorized type: string message: example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" type: string statusCode: example: 403 type: number required: - statusCode - error - message SLOs_404_response: title: Not found type: object properties: error: example: Not Found type: string message: example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found type: string statusCode: example: 404 type: number required: - statusCode - error - message SLOs_409_response: title: Conflict type: object properties: error: example: Conflict type: string message: example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists type: string statusCode: example: 409 type: number required: - statusCode - error - message SLOs_budgeting_method: description: The budgeting method to use when computing the rollup data. 
enum: - occurrences - timeslices example: occurrences title: Budgeting method type: string SLOs_create_slo_request: description: | The create SLO API request body varies depending on the type of indicator, time window and budgeting method. properties: budgetingMethod: $ref: '#/components/schemas/SLOs_budgeting_method' description: description: A description for the SLO. type: string groupBy: $ref: '#/components/schemas/SLOs_group_by' id: description: An optional and unique identifier for the SLO. Must be between 8 and 36 chars example: my-super-slo-id type: string indicator: oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' name: description: A name for the SLO. type: string objective: $ref: '#/components/schemas/SLOs_objective' settings: $ref: '#/components/schemas/SLOs_settings' tags: description: List of tags items: type: string type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' required: - name - description - indicator - timeWindow - budgetingMethod - objective title: Create SLO request type: object SLOs_create_slo_response: title: Create SLO response type: object properties: id: example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string required: - id SLOs_delete_slo_instances_request: description: | The delete SLO instances request takes a list of SLO IDs and instance IDs, then deletes the rollup and summary data. This API can be used to remove the stale data of an SLO instance that no longer gets updated.
properties: list: description: An array of SLO IDs and instance IDs items: type: object properties: instanceId: description: The SLO instance identifier example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string sloId: description: The SLO unique identifier example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string required: - sloId - instanceId type: array required: - list title: Delete SLO instances request type: object SLOs_error_budget: title: Error budget type: object properties: consumed: description: The error budget consumed, as a percentage of the initial value. example: 0.8 type: number initial: description: The initial error budget, as 1 - objective example: 0.02 type: number isEstimated: description: Only for SLO defined with occurrences budgeting method and calendar aligned time window. example: true type: boolean remaining: description: The error budget remaining, as a percentage of the initial value. example: 0.2 type: number required: - initial - consumed - remaining - isEstimated SLOs_filter: description: Defines properties for a filter properties: meta: $ref: '#/components/schemas/SLOs_filter_meta' query: type: object title: Filter type: object SLOs_filter_meta: description: Defines properties for a filter properties: alias: nullable: true type: string controlledBy: type: string disabled: type: boolean field: type: string group: type: string index: type: string isMultiIndex: type: boolean key: type: string negate: type: boolean params: type: object type: type: string value: type: string title: FilterMeta type: object SLOs_find_slo_response: description: | A paginated response of SLOs matching the query.
properties: page: example: 1 type: number perPage: example: 25 type: number results: items: $ref: '#/components/schemas/SLOs_slo_with_summary_response' type: array total: example: 34 type: number title: Find SLO response type: object SLOs_group_by: description: optional group by field or fields to use to generate an SLO per distinct value example: - - service.name - service.name - - service.name - service.environment oneOf: - type: string - items: type: string type: array title: Group by SLOs_indicator_properties_apm_availability: description: Defines properties for the APM availability indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: environment: description: The APM service environment or "*" example: production type: string filter: description: KQL query used for filtering the data example: 'service.foo : "bar"' type: string index: description: The index used by APM metrics example: metrics-apm*,apm* type: string service: description: The APM service name example: o11y-app type: string transactionName: description: The APM transaction name or "*" example: GET /my/api type: string transactionType: description: The APM transaction type or "*" example: request type: string required: - service - environment - transactionType - transactionName - index type: description: The type of indicator. example: sli.apm.transactionDuration type: string required: - type - params title: APM availability SLOs_indicator_properties_apm_latency: description: Defines properties for the APM latency indicator type type: object properties: params: description: An object containing the indicator parameters. 
nullable: false type: object properties: environment: description: The APM service environment or "*" example: production type: string filter: description: KQL query used for filtering the data example: 'service.foo : "bar"' type: string index: description: The index used by APM metrics example: metrics-apm*,apm* type: string service: description: The APM service name example: o11y-app type: string threshold: description: The latency threshold in milliseconds example: 250 type: number transactionName: description: The APM transaction name or "*" example: GET /my/api type: string transactionType: description: The APM transaction type or "*" example: request type: string required: - service - environment - transactionType - transactionName - index - threshold type: description: The type of indicator. example: sli.apm.transactionDuration type: string required: - type - params title: APM latency SLOs_indicator_properties_custom_kql: description: Defines properties for a custom query indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: dataViewId: description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string filter: $ref: '#/components/schemas/SLOs_kql_with_filters' good: $ref: '#/components/schemas/SLOs_kql_with_filters_good' index: description: The index or index pattern to use example: my-service-* type: string timestampField: description: | The timestamp field used in the source index. example: timestamp type: string total: $ref: '#/components/schemas/SLOs_kql_with_filters_total' required: - index - timestampField - good - total type: description: The type of indicator.
example: sli.kql.custom type: string required: - type - params title: Custom Query SLOs_indicator_properties_custom_metric: description: Defines properties for a custom metric indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: dataViewId: description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string filter: description: the KQL query to filter the documents with. example: 'field.environment : "production" and service.name : "my-service"' type: string good: description: | An object defining the "good" metrics and equation type: object properties: equation: description: The equation to calculate the "good" metric. example: A type: string metrics: description: List of metrics with their name, aggregation type, and field. items: type: object properties: aggregation: description: The aggregation type of the metric. Only valid option is "sum" enum: - sum example: sum type: string field: description: The field of the metric. example: processor.processed type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: "success"' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string required: - name - aggregation - field type: array required: - metrics - equation index: description: The index or index pattern to use example: my-service-* type: string timestampField: description: | The timestamp field used in the source index. example: timestamp type: string total: description: | An object defining the "total" metrics and equation type: object properties: equation: description: The equation to calculate the "total" metric.
example: A type: string metrics: description: List of metrics with their name, aggregation type, and field. items: type: object properties: aggregation: description: The aggregation type of the metric. Only valid option is "sum" enum: - sum example: sum type: string field: description: The field of the metric. example: processor.processed type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: *' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string required: - name - aggregation - field type: array required: - metrics - equation required: - index - timestampField - good - total type: description: The type of indicator. example: sli.metric.custom type: string required: - type - params title: Custom metric SLOs_indicator_properties_histogram: description: Defines properties for a histogram indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: dataViewId: description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string filter: description: the KQL query to filter the documents with. example: 'field.environment : "production" and service.name : "my-service"' type: string good: description: | An object defining the "good" events type: object properties: aggregation: description: The type of aggregation to use. enum: - value_count - range example: value_count type: string field: description: The field use to aggregate the good events. example: processor.latency type: string filter: description: The filter for good events. example: 'processor.outcome: "success"' type: string from: description: The starting value of the range. 
Only required for "range" aggregations. example: 0 type: number to: description: The ending value of the range. Only required for "range" aggregations. example: 100 type: number required: - aggregation - field index: description: The index or index pattern to use example: my-service-* type: string timestampField: description: | The timestamp field used in the source index. example: timestamp type: string total: description: | An object defining the "total" events type: object properties: aggregation: description: The type of aggregation to use. enum: - value_count - range example: value_count type: string field: description: The field used to aggregate the good events. example: processor.latency type: string filter: description: The filter for total events. example: 'processor.outcome : *' type: string from: description: The starting value of the range. Only required for "range" aggregations. example: 0 type: number to: description: The ending value of the range. Only required for "range" aggregations. example: 100 type: number required: - aggregation - field required: - index - timestampField - good - total type: description: The type of indicator. example: sli.histogram.custom type: string required: - type - params title: Histogram indicator SLOs_indicator_properties_timeslice_metric: description: Defines properties for a timeslice metric indicator type type: object properties: params: description: An object containing the indicator parameters. nullable: false type: object properties: dataViewId: description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries. example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string filter: description: the KQL query to filter the documents with.
example: 'field.environment : "production" and service.name : "my-service"' type: string index: description: The index or index pattern to use example: my-service-* type: string metric: description: | An object defining the metrics, equation, and threshold to determine if it's a good slice or not type: object properties: comparator: description: The comparator to use to compare the equation to the threshold. enum: - GT - GTE - LT - LTE example: GT type: string equation: description: The equation to calculate the metric. example: A type: string metrics: description: List of metrics with their name, aggregation type, and field. items: anyOf: - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field' - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric' - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric' type: array threshold: description: The threshold used to determine if the metric is a good slice or not. example: 100 type: number required: - metrics - equation - comparator - threshold timestampField: description: | The timestamp field used in the source index. example: timestamp type: string required: - index - timestampField - metric type: description: The type of indicator. example: sli.metric.timeslice type: string required: - type - params title: Timeslice metric SLOs_kql_with_filters: description: Defines properties for a filter oneOf: - description: the KQL query to filter the documents with. example: 'field.environment : "production" and service.name : "my-service"' type: string - type: object properties: filters: items: $ref: '#/components/schemas/SLOs_filter' type: array kqlQuery: type: string title: KQL with filters SLOs_kql_with_filters_good: description: The KQL query used to define the good events. oneOf: - description: the KQL query to filter the documents with.
example: 'request.latency <= 150 and request.status_code : "2xx"' type: string - type: object properties: filters: items: $ref: '#/components/schemas/SLOs_filter' type: array kqlQuery: type: string title: KQL query for good events SLOs_kql_with_filters_total: description: The KQL query used to define all events. oneOf: - description: the KQL query to filter the documents with. example: 'field.environment : "production" and service.name : "my-service"' type: string - type: object properties: filters: items: $ref: '#/components/schemas/SLOs_filter' type: array kqlQuery: type: string title: KQL query for all events SLOs_objective: description: Defines properties for the SLO objective type: object properties: target: description: the target objective between 0 and 1 excluded example: 0.99 exclusiveMaximum: true exclusiveMinimum: true maximum: 100 minimum: 0 type: number timesliceTarget: description: the target objective for each slice when using a timeslices budgeting method example: 0.995 maximum: 100 minimum: 0 type: number timesliceWindow: description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit} example: 5m type: string required: - target title: Objective SLOs_settings: description: Defines properties for SLO settings. properties: frequency: default: 1m description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute. example: 5m type: string preventInitialBackfill: default: false description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window. example: true type: boolean syncDelay: default: 1m description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. 
It should always be greater then source index refresh interval. example: 5m type: string syncField: description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field. example: event.ingested type: string title: Settings type: object SLOs_slo_definition_response: title: SLO definition response type: object properties: budgetingMethod: $ref: '#/components/schemas/SLOs_budgeting_method' createdAt: description: The creation date example: '2023-01-12T10:03:19.000Z' type: string description: description: The description of the SLO. example: My SLO description type: string enabled: description: Indicate if the SLO is enabled example: true type: boolean groupBy: $ref: '#/components/schemas/SLOs_group_by' id: description: The identifier of the SLO. 
example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string indicator: discriminator: mapping: sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' propertyName: type oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' name: description: The name of the SLO. 
example: My Service SLO type: string objective: $ref: '#/components/schemas/SLOs_objective' revision: description: The SLO revision example: 2 type: number settings: $ref: '#/components/schemas/SLOs_settings' tags: description: List of tags items: type: string type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' updatedAt: description: The last update date example: '2023-01-12T10:03:19.000Z' type: string version: description: The internal SLO version example: 2 type: number required: - id - name - description - indicator - timeWindow - budgetingMethod - objective - settings - revision - enabled - groupBy - tags - createdAt - updatedAt - version SLOs_slo_with_summary_response: title: SLO response type: object properties: budgetingMethod: $ref: '#/components/schemas/SLOs_budgeting_method' createdAt: description: The creation date example: '2023-01-12T10:03:19.000Z' type: string description: description: The description of the SLO. example: My SLO description type: string enabled: description: Indicate if the SLO is enabled example: true type: boolean groupBy: $ref: '#/components/schemas/SLOs_group_by' id: description: The identifier of the SLO. 
example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string indicator: discriminator: mapping: sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' propertyName: type oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' instanceId: description: the value derived from the groupBy field, if present, otherwise '*' example: host-abcde type: string name: description: The name of the SLO. 
example: My Service SLO type: string objective: $ref: '#/components/schemas/SLOs_objective' revision: description: The SLO revision example: 2 type: number settings: $ref: '#/components/schemas/SLOs_settings' summary: $ref: '#/components/schemas/SLOs_summary' tags: description: List of tags items: type: string type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' updatedAt: description: The last update date example: '2023-01-12T10:03:19.000Z' type: string version: description: The internal SLO version example: 2 type: number required: - id - name - description - indicator - timeWindow - budgetingMethod - objective - settings - revision - summary - enabled - groupBy - instanceId - tags - createdAt - updatedAt - version SLOs_summary: description: The SLO computed data properties: errorBudget: $ref: '#/components/schemas/SLOs_error_budget' sliValue: example: 0.9836 type: number status: $ref: '#/components/schemas/SLOs_summary_status' required: - status - sliValue - errorBudget title: Summary type: object SLOs_summary_status: enum: - NO_DATA - HEALTHY - DEGRADING - VIOLATED example: HEALTHY title: summary status type: string SLOs_time_window: description: Defines properties for the SLO time window type: object properties: duration: description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)' example: 30d type: string type: description: Indicates whether the time window is a rolling or a calendar aligned time window. enum: - rolling - calendarAligned example: rolling type: string required: - duration - type title: Time window SLOs_timeslice_metric_basic_metric_with_field: type: object properties: aggregation: description: The aggregation type of the metric. enum: - sum - avg - min - max - std_deviation - last_value - cardinality example: sum type: string field: description: The field of the metric. 
example: processor.processed type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: "success"' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string required: - name - aggregation - field title: Timeslice Metric Basic Metric with Field SLOs_timeslice_metric_doc_count_metric: type: object properties: aggregation: description: The aggregation type of the metric. Only valid option is "doc_count" enum: - doc_count example: doc_count type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: "success"' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string required: - name - aggregation title: Timeslice Metric Doc Count Metric SLOs_timeslice_metric_percentile_metric: type: object properties: aggregation: description: The aggregation type of the metric. Only valid option is "percentile" enum: - percentile example: percentile type: string field: description: The field of the metric. example: processor.processed type: string filter: description: The filter to apply to the metric. example: 'processor.outcome: "success"' type: string name: description: The name of the metric. Only valid options are A-Z example: A pattern: ^[A-Z]$ type: string percentile: description: The percentile value. example: 95 type: number required: - name - aggregation - field - percentile title: Timeslice Metric Percentile Metric SLOs_update_slo_request: description: | The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled. properties: budgetingMethod: $ref: '#/components/schemas/SLOs_budgeting_method' description: description: A description for the SLO. 
type: string groupBy: $ref: '#/components/schemas/SLOs_group_by' indicator: oneOf: - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' name: description: A name for the SLO. type: string objective: $ref: '#/components/schemas/SLOs_objective' settings: $ref: '#/components/schemas/SLOs_settings' tags: description: List of tags items: type: string type: array timeWindow: $ref: '#/components/schemas/SLOs_time_window' title: Update SLO request type: object Synthetics_browserMonitorFields: allOf: - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - additionalProperties: true type: object properties: ignore_https_errors: default: false description: Ignore HTTPS errors. type: boolean inline_script: description: The inline script. type: string playwright_options: description: Playwright options. type: object screenshots: default: 'on' description: The screenshot option. enum: - 'on' - 'off' - only-on-failure type: string synthetics_args: description: Synthetics agent CLI arguments. type: array type: description: The monitor type. enum: - browser type: string required: - inline_script - type title: Browser monitor fields Synthetics_commonMonitorFields: title: Common monitor fields type: object properties: alert: description: | The alert configuration. The default is `{ status: { enabled: true }, tls: { enabled: true } }`. type: object enabled: default: true description: Specify whether the monitor is enabled. type: boolean locations: description: | The location to deploy the monitor. 
Monitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations. To list available locations you can: - Run the `elastic-synthetics locations` command with the deployment's Kibana URL. - Go to *Synthetics > Management* and click *Create monitor*. Locations will be listed in *Locations*. externalDocs: url: https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts items: type: string type: array name: description: The monitor name. type: string namespace: default: default description: | The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: `*`, `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or `-`. type: string params: description: The monitor parameters. type: string private_locations: description: | The private locations to which the monitors will be deployed. These private locations refer to locations hosted and managed by you, whereas `locations` are hosted by Elastic. You can specify a private location using the location's name. To list available private locations you can: - Run the `elastic-synthetics locations` command with the deployment's Kibana URL. - Go to *Synthetics > Settings* and click *Private locations*. Private locations will be listed in the table. > info > You can provide `locations` or `private_locations` or both. At least one is required. items: type: string type: array retest_on_failure: default: true description: | Turn retesting for when a monitor fails on or off. By default, monitors are automatically retested if the monitor goes from "up" to "down". If the result of the retest is also "down", an error will be created and if configured, an alert sent. The monitor will then resume running according to the defined schedule. Using `retest_on_failure` can reduce noise related to transient problems. 
type: boolean schedule: description: | The monitor's schedule in minutes. Supported values are `1`, `3`, `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is `3` minutes for HTTP, TCP, and ICMP monitors. The default value is `10` minutes for Browser monitors. type: number service.name: description: The APM service name. type: string tags: description: An array of tags. items: type: string type: array timeout: default: 16 description: | The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time. type: number required: - name Synthetics_getParameterResponse: title: Get parameter response type: object properties: description: description: | The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. type: string id: description: The unique identifier of the parameter. type: string key: description: The key of the parameter. type: string namespaces: description: | The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. items: type: string type: array tags: description: | An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app. items: type: string type: array value: description: | The value associated with the parameter. It will be included in the response if the user has write permissions. type: string required: null Synthetics_getPrivateLocation: additionalProperties: true properties: agentPolicyId: description: The ID of the agent policy associated with the private location. type: string geo: description: Geographic coordinates (WGS84) for the location. type: object properties: lat: description: The latitude of the location. type: number lon: description: The longitude of the location. type: number required: - lat - lon id: description: The unique identifier of the private location. 
type: string isInvalid: description: | Indicates whether the location is invalid. If `true`, the location is invalid, which means the agent policy associated with the location is deleted. type: boolean label: description: A label for the private location. type: string namespace: description: The namespace of the location, which is the same as the namespace of the agent policy associated with the location. type: string title: Post a private location type: object Synthetics_httpMonitorFields: allOf: - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - additionalproperties: true type: object properties: check: description: The check request settings. type: objects properties: request: description: An optional request to send to the remote host. type: object properties: body: description: Optional request body content. type: string headers: description: | A dictionary of additional HTTP headers to send. By default, Synthetics will set the User-Agent header to identify itself. type: object method: description: The HTTP method to use. enum: - HEAD - GET - POST - OPTIONS type: string response: additionalProperties: true description: The expected response. type: object properties: body: type: object headers: description: A dictionary of expected HTTP headers. If the header is not found, the check fails. type: object ipv4: default: true description: If `true`, ping using the ipv4 protocol. type: boolean ipv6: default: true description: If `true`, ping using the ipv6 protocol. type: boolean max_redirects: default: 0 description: The maximum number of redirects to follow. type: number mode: default: any description: | The mode of the monitor. If it is `all`, the monitor pings all resolvable IPs for a hostname. If it is `any`, the monitor pings only one IP address for a hostname. If you're using a DNS-load balancer and want to ping every IP address for the specified hostname, you should use `all`. 
enum: - all - any type: string password: description: | The password for authenticating with the server. The credentials are passed with the request. type: string proxy_headers: description: Additional headers to send to proxies during CONNECT requests. type: object proxy_url: description: The URL of the proxy to use for this monitor. type: string response: description: Controls the indexing of the HTTP response body contents to the `http.response.body.contents field`. type: object ssl: description: | The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used. type: object type: description: The monitor type. enum: - http type: string url: description: The URL to monitor. type: string username: description: | The username for authenticating with the server. The credentials are passed with the request. type: string required: - type - url title: HTTP monitor fields Synthetics_icmpMonitorFields: allOf: - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - additionalProperties: true type: object properties: host: description: The host to ping. type: string type: description: The monitor type. enum: - icmp type: string wait: default: 1 description: The wait time in seconds. type: number required: - host - type title: ICMP monitor fields Synthetics_parameterRequest: title: Parameter request type: object properties: description: description: A description of the parameter. type: string key: description: The key of the parameter. type: string share_across_spaces: description: Specify whether the parameter should be shared across spaces. type: boolean tags: description: An array of tags to categorize the parameter. items: type: string type: array value: description: The value associated with the parameter. type: string required: - key - value Synthetics_postParameterResponse: title: Post parameter response type: object properties: description: description: A description of the parameter. 
type: string id: description: The unique identifier for the parameter. type: string key: description: The parameter key. type: string share_across_spaces: description: Indicates whether the parameter is shared across spaces. type: boolean tags: description: An array of tags associated with the parameter. items: type: string type: array value: description: The value associated with the parameter. type: string Synthetics_tcpMonitorFields: allOf: - $ref: '#/components/schemas/Synthetics_commonMonitorFields' - additionalProperties: true type: object properties: host: description: | The host to monitor; it can be an IP address or a hostname. The host can include the port using a colon, for example "example.com:9200". type: string proxy_url: description: | The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of `socks5://`. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL. When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option. type: string proxy_use_local_resolver: default: false description: | Specify that hostnames are resolved locally instead of being resolved on the proxy server. If `false`, name resolution occurs on the proxy server. type: boolean ssl: description: | The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used. type: object type: description: The monitor type. enum: - tcp type: string required: - host - type title: TCP monitor fields Task_manager_health_APIs_configuration: description: | This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system. 
type: object Task_manager_health_APIs_health_response: title: Task health response properties type: object properties: id: type: string last_update: type: string stats: type: object properties: capacity_estimation: description: | This object provides a rough estimate about the sufficiency of its capacity. These are estimates based on historical data and should not be used as predictions. type: object configuration: $ref: '#/components/schemas/Task_manager_health_APIs_configuration' runtime: description: | This object tracks runtime performance of Task Manager, tracking task drift, worker load, and stats broken down by type, including duration and run results. type: object workload: $ref: '#/components/schemas/Task_manager_health_APIs_workload' status: type: string timestamp: type: string Task_manager_health_APIs_workload: description: | This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status. type: object Upgrade_assistant_APIs_errorMessage: description: The error that caused the reindex to fail, if it failed. type: string Upgrade_assistant_APIs_indexName: description: The name of the old index. type: string Upgrade_assistant_APIs_lastCompletedStep: description: | The last successfully completed step of the reindex. For example: - `0`: The reindex task has been created in Kibana. - `10`: The index group services stopped. Only applies to some system indices. - `20`: The index is set to readonly. - `30`: The new destination index has been created. - `40`: The reindex task in Elasticsearch has started. - `50`: The reindex task in Elasticsearch has completed. - `60`: Aliases were created to point to the new index, and the old index has been deleted. - `70`: The index group services have resumed. Only applies to some system indices. type: integer Upgrade_assistant_APIs_locked: type: string Upgrade_assistant_APIs_newIndexName: description: The name of the new index. 
type: string Upgrade_assistant_APIs_reindexOptions: description: The presence of this key indicates that the reindex job will occur in the batch. type: object properties: queueSettings: type: object properties: queuedAt: description: A Unix timestamp of when the reindex task was placed in the queue. type: number Upgrade_assistant_APIs_reindexTaskId: description: | The task ID of the reindex task in Elasticsearch. This value appears when the reindexing starts. type: string Upgrade_assistant_APIs_reindexTaskPercComplete: description: | The progress of the reindexing task in Elasticsearch. It appears in decimal form, from 0 to 1. type: number Upgrade_assistant_APIs_runningReindexCount: type: number Upgrade_assistant_APIs_status: description: | The reindex status. For example: - `0`: In progress - `1`: Completed - `2`: Failed - `3`: Paused type: integer bedrock_config: title: Connector request properties for an Amazon Bedrock connector description: Defines properties for connectors when type is `.bedrock`. type: object required: - apiUrl properties: apiUrl: type: string description: The Amazon Bedrock request URL. defaultModel: type: string description: | The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models. default: anthropic.claude-3-5-sonnet-20240620-v1:0 crowdstrike_config: title: Connector request config properties for a Crowdstrike connector required: - url description: Defines config properties for connectors when type is `.crowdstrike`. type: object properties: url: description: | The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string d3security_config: title: Connector request properties for a D3 Security connector description: Defines properties for connectors when type is `.d3security`. type: object required: - url properties: url: type: string description: | The D3 Security API request URL. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. email_config: title: Connector request properties for an email connector description: Defines properties for connectors when type is `.email`. required: - from type: object properties: clientId: description: | The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. type: string nullable: true from: description: | The from address for all emails sent by the connector. It must be specified in `user@host-name` format. type: string hasAuth: description: | Specifies whether a user and password are required inside the secrets configuration. default: true type: boolean host: description: | The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. type: string oauthTokenUrl: type: string nullable: true port: description: | The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined. type: integer secure: description: | Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. type: boolean service: description: | The name of the email service. type: string enum: - elastic_cloud - exchange_server - gmail - other - outlook365 - ses tenantId: description: | The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required. 
type: string nullable: true gemini_config: title: Connector request properties for a Google Gemini connector description: Defines properties for connectors when type is `.gemini`. type: object required: - apiUrl - gcpRegion - gcpProjectID properties: apiUrl: type: string description: The Google Gemini request URL. defaultModel: type: string description: The generative artificial intelligence model for Google Gemini to use. default: gemini-1.5-pro-002 gcpRegion: type: string description: The GCP region where the Vertex AI endpoint is enabled. gcpProjectID: type: string description: The Google ProjectID that has Vertex AI endpoint enabled. resilient_config: title: Connector request properties for an IBM Resilient connector required: - apiUrl - orgId description: Defines properties for connectors when type is `.resilient`. type: object properties: apiUrl: description: The IBM Resilient instance URL. type: string orgId: description: The IBM Resilient organization ID. type: string index_config: title: Connector request properties for an index connector required: - index description: Defines properties for connectors when type is `.index`. type: object properties: executionTimeField: description: A field that indicates when the document was indexed. default: null type: string nullable: true index: description: The Elasticsearch index to be written to. type: string refresh: description: | The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs. default: false type: boolean jira_config: title: Connector request properties for a Jira connector required: - apiUrl - projectKey description: Defines properties for connectors when type is `.jira`. type: object properties: apiUrl: description: The Jira instance URL. type: string projectKey: description: The Jira project key. 
type: string genai_azure_config: title: Connector request properties for an OpenAI connector that uses Azure OpenAI description: | Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`. type: object required: - apiProvider - apiUrl properties: apiProvider: type: string description: The OpenAI API provider. enum: - Azure OpenAI apiUrl: type: string description: The OpenAI API endpoint. genai_openai_config: title: Connector request properties for an OpenAI connector description: | Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`. type: object required: - apiProvider - apiUrl properties: apiProvider: type: string description: The OpenAI API provider. enum: - OpenAI apiUrl: type: string description: The OpenAI API endpoint. defaultModel: type: string description: The default model to use for requests. opsgenie_config: title: Connector request properties for an Opsgenie connector required: - apiUrl description: Defines properties for connectors when type is `.opsgenie`. type: object properties: apiUrl: description: | The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. type: string pagerduty_config: title: Connector request properties for a PagerDuty connector description: Defines properties for connectors when type is `.pagerduty`. type: object properties: apiUrl: description: The PagerDuty event URL. type: string nullable: true example: https://events.pagerduty.com/v2/enqueue sentinelone_config: title: Connector request properties for a SentinelOne connector required: - url description: Defines properties for connectors when type is `.sentinelone`. type: object properties: url: description: | The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. 
type: string servicenow_config: title: Connector request properties for a ServiceNow ITSM connector required: - apiUrl description: Defines properties for connectors when type is `.servicenow`. type: object properties: apiUrl: type: string description: The ServiceNow instance URL. clientId: description: | The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. type: string isOAuth: description: | The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth). default: false type: boolean jwtKeyId: description: | The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. type: string userIdentifierValue: description: | The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. type: string usesTableApi: description: | Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow. default: true type: boolean servicenow_itom_config: title: Connector request properties for a ServiceNow ITOM connector required: - apiUrl description: Defines properties for connectors when type is `.servicenow-itom`. type: object properties: apiUrl: type: string description: The ServiceNow instance URL. clientId: description: | The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`. type: string isOAuth: description: | The type of authentication to use. 
The default value is false, which means basic authentication is used instead of open authorization (OAuth). default: false type: boolean jwtKeyId: description: | The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`. type: string userIdentifierValue: description: | The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`. type: string slack_api_config: title: Connector request properties for a Slack connector description: Defines properties for connectors when type is `.slack_api`. type: object properties: allowedChannels: type: array description: A list of valid Slack channels. items: type: object required: - id - name maxItems: 25 properties: id: type: string description: The Slack channel ID. example: C123ABC456 minLength: 1 name: type: string description: The Slack channel name. minLength: 1 swimlane_config: title: Connector request properties for a Swimlane connector required: - apiUrl - appId - connectorType description: Defines properties for connectors when type is `.swimlane`. type: object properties: apiUrl: description: The Swimlane instance URL. type: string appId: description: The Swimlane application ID. type: string connectorType: description: The type of connector. Valid values are `all`, `alerts`, and `cases`. type: string enum: - all - alerts - cases mappings: title: Connector mappings properties for a Swimlane connector description: The field mapping. type: object properties: alertIdConfig: title: Alert identifier mapping description: Mapping for the alert ID. 
type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. caseIdConfig: title: Case identifier mapping description: Mapping for the case ID. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. caseNameConfig: title: Case name mapping description: Mapping for the case name. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. commentsConfig: title: Case comment mapping description: Mapping for the case comments. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. descriptionConfig: title: Case description mapping description: Mapping for the case description. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. 
name: type: string description: The name of the field in Swimlane. ruleNameConfig: title: Rule name mapping description: Mapping for the name of the alert's rule. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. severityConfig: title: Severity mapping description: Mapping for the severity. type: object required: - fieldType - id - key - name properties: fieldType: type: string description: The type of field in Swimlane. id: type: string description: The identifier for the field in Swimlane. key: type: string description: The key for the field in Swimlane. name: type: string description: The name of the field in Swimlane. thehive_config: title: Connector request properties for a TheHive connector description: Defines configuration properties for connectors when type is `.thehive`. type: object required: - url properties: organisation: type: string description: | The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key. url: type: string description: | The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. tines_config: title: Connector request properties for a Tines connector description: Defines properties for connectors when type is `.tines`. type: object required: - url properties: url: description: | The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts. type: string torq_config: title: Connector request properties for a Torq connector description: Defines properties for connectors when type is `.torq`. 
type: object required: - webhookIntegrationUrl properties: webhookIntegrationUrl: description: The endpoint URL of the Elastic Security integration in Torq. type: string auth_type: title: Authentication type type: string nullable: true enum: - webhook-authentication-basic - webhook-authentication-ssl description: | The type of authentication to use: basic, SSL, or none. ca: title: Certificate authority type: string description: | A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types. cert_type: title: Certificate type type: string description: | If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format. enum: - ssl-crt-key - ssl-pfx has_auth: title: Has authentication type: boolean description: If true, a username and password for login type authentication must be provided. default: true verification_mode: title: Verification mode type: string enum: - certificate - full - none default: full description: | Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation. webhook_config: title: Connector request properties for a Webhook connector description: Defines properties for connectors when type is `.webhook`. 
type: object properties: authType: $ref: '#/components/schemas/auth_type' ca: $ref: '#/components/schemas/ca' certType: $ref: '#/components/schemas/cert_type' hasAuth: $ref: '#/components/schemas/has_auth' headers: type: object nullable: true description: A set of key-value pairs sent as headers with the request. method: type: string default: post enum: - post - put description: | The HTTP request method, either `post` or `put`. url: type: string description: | The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. verificationMode: $ref: '#/components/schemas/verification_mode' cases_webhook_config: title: Connector request properties for Webhook - Case Management connector required: - createIncidentJson - createIncidentResponseKey - createIncidentUrl - getIncidentResponseExternalTitleKey - getIncidentUrl - updateIncidentJson - updateIncidentUrl - viewIncidentUrl description: Defines properties for connectors when type is `.cases-webhook`. type: object properties: authType: $ref: '#/components/schemas/auth_type' ca: $ref: '#/components/schemas/ca' certType: $ref: '#/components/schemas/cert_type' createCommentJson: type: string description: | A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. example: '{"body": {{{case.comment}}}}' createCommentMethod: type: string description: | The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`. 
default: put enum: - patch - post - put createCommentUrl: type: string description: | The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. example: https://example.com/issue/{{{external.system.id}}}/comment createIncidentJson: type: string description: | A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' createIncidentMethod: type: string description: | The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`. enum: - patch - post - put default: post createIncidentResponseKey: type: string description: The JSON key in the create external case response that contains the case ID. createIncidentUrl: type: string description: | The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. getIncidentResponseExternalTitleKey: type: string description: The JSON key in the get external case response that contains the case title. getIncidentUrl: type: string description: | The REST API URL to get the case by ID from the third-party system. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass. example: https://example.com/issue/{{{external.system.id}}} hasAuth: $ref: '#/components/schemas/has_auth' headers: type: string description: | A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods. updateIncidentJson: type: string description: | The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review. example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}' updateIncidentMethod: type: string description: | The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`. default: put enum: - patch - post - put updateIncidentUrl: type: string description: | The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. 
If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. example: https://example.com/issue/{{{external.system.ID}}} verificationMode: $ref: '#/components/schemas/verification_mode' viewIncidentUrl: type: string description: | The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL. example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}} xmatters_config: title: Connector request properties for an xMatters connector description: Defines properties for connectors when type is `.xmatters`. type: object properties: configUrl: description: | The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`. type: string nullable: true usesBasic: description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`). type: boolean default: true bedrock_secrets: title: Connector secrets properties for an Amazon Bedrock connector description: Defines secrets for connectors when type is `.bedrock`. type: object required: - accessKey - secret properties: accessKey: type: string description: The AWS access key for authentication. secret: type: string description: The AWS secret for authentication. crowdstrike_secrets: title: Connector secrets properties for a Crowdstrike connector description: Defines secrets for connectors when type is `.crowdstrike`. type: object required: - clientId - clientSecret properties: clientId: description: The CrowdStrike API client identifier. type: string clientSecret: description: The CrowdStrike API client secret to authenticate the `clientId`. type: string d3security_secrets: title: Connector secrets properties for a D3 Security connector description: Defines secrets for connectors when type is `.d3security`. required: - token type: object properties: token: type: string description: The D3 Security token. 
email_secrets: title: Connector secrets properties for an email connector description: Defines secrets for connectors when type is `.email`. type: object properties: clientSecret: type: string description: | The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required. password: type: string description: | The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. user: type: string description: | The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required. gemini_secrets: title: Connector secrets properties for a Google Gemini connector description: Defines secrets for connectors when type is `.gemini`. type: object required: - credentialsJson properties: credentialsJson: type: string description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it. resilient_secrets: title: Connector secrets properties for IBM Resilient connector required: - apiKeyId - apiKeySecret description: Defines secrets for connectors when type is `.resilient`. type: object properties: apiKeyId: type: string description: The authentication key ID for HTTP Basic authentication. apiKeySecret: type: string description: The authentication key secret for HTTP Basic authentication. jira_secrets: title: Connector secrets properties for a Jira connector required: - apiToken - email description: Defines secrets for connectors when type is `.jira`. type: object properties: apiToken: description: The Jira API authentication token for HTTP basic authentication. type: string email: description: The account email for HTTP Basic authentication. type: string teams_secrets: title: Connector secrets properties for a Microsoft Teams connector description: Defines secrets for connectors when type is `.teams`. 
type: object required: - webhookUrl properties: webhookUrl: type: string description: | The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. genai_secrets: title: Connector secrets properties for an OpenAI connector description: Defines secrets for connectors when type is `.gen-ai`. type: object properties: apiKey: type: string description: The OpenAI API key. opsgenie_secrets: title: Connector secrets properties for an Opsgenie connector required: - apiKey description: Defines secrets for connectors when type is `.opsgenie`. type: object properties: apiKey: description: The Opsgenie API authentication key for HTTP Basic authentication. type: string pagerduty_secrets: title: Connector secrets properties for a PagerDuty connector description: Defines secrets for connectors when type is `.pagerduty`. type: object required: - routingKey properties: routingKey: description: | A 32 character PagerDuty Integration Key for an integration on a service. type: string sentinelone_secrets: title: Connector secrets properties for a SentinelOne connector description: Defines secrets for connectors when type is `.sentinelone`. type: object required: - token properties: token: description: The SentinelOne API token. type: string servicenow_secrets: title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`. type: object properties: clientSecret: type: string description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`. password: type: string description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`. privateKey: type: string description: The RSA private key that you created for use in ServiceNow. 
This property is required when `isOAuth` is `true`. privateKeyPassword: type: string description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key. username: type: string description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`. slack_api_secrets: title: Connector secrets properties for a Web API Slack connector description: Defines secrets for connectors when type is `.slack`. required: - token type: object properties: token: type: string description: Slack bot user OAuth token. swimlane_secrets: title: Connector secrets properties for a Swimlane connector description: Defines secrets for connectors when type is `.swimlane`. type: object properties: apiToken: description: Swimlane API authentication token. type: string thehive_secrets: title: Connector secrets properties for a TheHive connector description: Defines secrets for connectors when type is `.thehive`. required: - apiKey type: object properties: apiKey: type: string description: The API key for authentication in TheHive. tines_secrets: title: Connector secrets properties for a Tines connector description: Defines secrets for connectors when type is `.tines`. type: object required: - email - token properties: email: description: The email used to sign in to Tines. type: string token: description: The Tines API token. type: string torq_secrets: title: Connector secrets properties for a Torq connector description: Defines secrets for connectors when type is `.torq`. type: object required: - token properties: token: description: The secret of the webhook authentication header. type: string crt: title: Certificate type: string description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file. 
key: title: Certificate key type: string description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file. pfx: title: Personal information exchange type: string description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. webhook_secrets: title: Connector secrets properties for a Webhook connector description: Defines secrets for connectors when type is `.webhook`. type: object properties: crt: $ref: '#/components/schemas/crt' key: $ref: '#/components/schemas/key' pfx: $ref: '#/components/schemas/pfx' password: type: string description: | The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. user: type: string description: | The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. cases_webhook_secrets: title: Connector secrets properties for Webhook - Case Management connector type: object properties: crt: $ref: '#/components/schemas/crt' key: $ref: '#/components/schemas/key' pfx: $ref: '#/components/schemas/pfx' password: type: string description: | The password for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. user: type: string description: | The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required. xmatters_secrets: title: Connector secrets properties for an xMatters connector description: Defines secrets for connectors when type is `.xmatters`. type: object properties: password: description: | A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. 
type: string secretsUrl: description: | The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`. type: string user: description: | A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`. type: string run_acknowledge_resolve_pagerduty: title: PagerDuty connector parameters description: Test an action that acknowledges or resolves a PagerDuty alert. type: object required: - dedupKey - eventAction properties: dedupKey: description: The deduplication key for the PagerDuty alert. type: string maxLength: 255 eventAction: description: The type of event. type: string enum: - acknowledge - resolve run_documents: title: Index connector parameters description: Test an action that indexes a document into Elasticsearch. type: object required: - documents properties: documents: type: array description: The documents in JSON format for index connectors. items: type: object additionalProperties: true run_message_email: title: Email connector parameters description: | Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`. type: object required: - message - subject - anyOf: - to - cc - bcc properties: bcc: type: array items: type: string description: | A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format. cc: type: array items: type: string description: | A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format. message: type: string description: The email message text. Markdown format is supported. subject: type: string description: The subject line of the email. to: type: array description: | A list of email addresses. Addresses can be specified in `user@host-name` format or in name `<user@host-name>` format. 
items: type: string run_message_serverlog: title: Server log connector parameters description: Test an action that writes an entry to the Kibana server log. type: object required: - message properties: level: type: string description: The log level of the message for server log connectors. enum: - debug - error - fatal - info - trace - warn default: info message: type: string description: The message for server log connectors. run_message_slack: title: Slack connector parameters description: | Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`. type: object required: - message properties: message: type: string description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting. run_trigger_pagerduty: title: PagerDuty connector parameters description: Test an action that triggers a PagerDuty alert. type: object required: - eventAction properties: class: description: The class or type of the event. type: string example: cpu load component: description: The component of the source machine that is responsible for the event. type: string example: eth0 customDetails: description: Additional details to add to the event. type: object dedupKey: description: | All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution. type: string maxLength: 255 eventAction: description: The type of event. type: string enum: - trigger group: description: The logical grouping of components of a service. type: string example: app-stack links: description: A list of links to add to the event. type: array items: type: object properties: href: description: The URL for the link. type: string text: description: A plain text description of the purpose of the link. type: string severity: description: The severity of the event on the affected system. 
type: string enum: - critical - error - info - warning default: info source: description: | The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action. type: string summary: description: A summary of the event. type: string maxLength: 1024 timestamp: description: An ISO-8601 timestamp that indicates when the event was detected or generated. type: string format: date-time run_addevent: title: The addEvent subaction type: object required: - subAction description: The `addEvent` subaction for ServiceNow ITOM connectors. properties: subAction: type: string description: The action to test. enum: - addEvent subActionParams: type: object description: The set of configuration properties for the action. properties: additional_info: type: string description: Additional information about the event. description: type: string description: The details about the event. event_class: type: string description: A specific instance of the source. message_key: type: string description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `<rule ID>:<alert instance ID>`. metric_name: type: string description: The name of the metric. node: type: string description: The host that the event was triggered for. resource: type: string description: The name of the resource. severity: type: string description: The severity of the event. source: type: string description: The name of the event source type. time_of_event: type: string description: The time of the event. type: type: string description: The type of event. run_closealert: title: The closeAlert subaction type: object required: - subAction - subActionParams description: The `closeAlert` subaction for Opsgenie connectors. properties: subAction: type: string description: The action to test. 
enum: - closeAlert subActionParams: type: object required: - alias properties: alias: type: string description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert. note: type: string description: Additional information for the alert. source: type: string description: The display name for the source of the alert. user: type: string description: The display name for the owner. run_closeincident: title: The closeIncident subaction type: object required: - subAction - subActionParams description: The `closeIncident` subaction for ServiceNow ITSM connectors. properties: subAction: type: string description: The action to test. enum: - closeIncident subActionParams: type: object required: - incident properties: incident: type: object anyOf: - required: - correlation_id - required: - externalId properties: correlation_id: type: string nullable: true description: | An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID. maxLength: 100 default: '{{rule.id}}:{{alert.id}}' externalId: type: string nullable: true description: The unique identifier (`incidentId`) for the incident in ServiceNow. run_createalert: title: The createAlert subaction type: object required: - subAction - subActionParams description: The `createAlert` subaction for Opsgenie and TheHive connectors. properties: subAction: type: string description: The action to test. enum: - createAlert subActionParams: type: object properties: actions: type: array description: The custom actions available to the alert in Opsgenie connectors. items: type: string alias: type: string description: The unique identifier used for alert deduplication in Opsgenie. 
description: type: string description: A description that provides detailed information about the alert. details: type: object description: The custom properties of the alert in Opsgenie connectors. additionalProperties: true example: key1: value1 key2: value2 entity: type: string description: The domain of the alert in Opsgenie connectors. For example, the application or server name. message: type: string description: The alert message in Opsgenie connectors. note: type: string description: Additional information for the alert in Opsgenie connectors. priority: type: string description: The priority level for the alert in Opsgenie connectors. enum: - P1 - P2 - P3 - P4 - P5 responders: type: array description: | The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required. items: type: object properties: id: type: string description: The identifier for the entity. name: type: string description: The name of the entity. type: type: string description: The type of responders, in this case `escalation`. enum: - escalation - schedule - team - user username: type: string description: A valid email address for the user. severity: type: integer minimum: 1 maximum: 4 description: | The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). source: type: string description: The display name for the source of the alert in Opsgenie and TheHive connectors. sourceRef: type: string description: A source reference for the alert in TheHive connectors. tags: type: array description: The tags for the alert in Opsgenie and TheHive connectors. items: type: string title: type: string description: | A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base. 
tlp: type: integer minimum: 0 maximum: 4 default: 2 description: | The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). type: type: string description: The type of alert in TheHive connectors. user: type: string description: The display name for the owner. visibleTo: type: array description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required. items: type: object required: - type properties: id: type: string description: The identifier for the entity. name: type: string description: The name of the entity. type: type: string description: Valid values are `team` and `user`. enum: - team - user username: type: string description: The user name. This property is required only when the `type` is `user`. run_fieldsbyissuetype: title: The fieldsByIssueType subaction type: object required: - subAction - subActionParams description: The `fieldsByIssueType` subaction for Jira connectors. properties: subAction: type: string description: The action to test. enum: - fieldsByIssueType subActionParams: type: object required: - id properties: id: type: string description: The Jira issue type identifier. example: 10024 run_getchoices: title: The getChoices subaction type: object required: - subAction - subActionParams description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: subAction: type: string description: The action to test. enum: - getChoices subActionParams: type: object description: The set of configuration properties for the action. required: - fields properties: fields: type: array description: An array of fields. 
items: type: string run_getfields: title: The getFields subaction type: object required: - subAction description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. properties: subAction: type: string description: The action to test. enum: - getFields run_getincident: title: The getIncident subaction type: object description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors. required: - subAction - subActionParams properties: subAction: type: string description: The action to test. enum: - getIncident subActionParams: type: object required: - externalId properties: externalId: type: string description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. example: 71778 run_issue: title: The issue subaction type: object required: - subAction description: The `issue` subaction for Jira connectors. properties: subAction: type: string description: The action to test. enum: - issue subActionParams: type: object required: - id properties: id: type: string description: The Jira issue identifier. example: 71778 run_issues: title: The issues subaction type: object required: - subAction - subActionParams description: The `issues` subaction for Jira connectors. properties: subAction: type: string description: The action to test. enum: - issues subActionParams: type: object required: - title properties: title: type: string description: The title of the Jira issue. run_issuetypes: title: The issueTypes subaction type: object required: - subAction description: The `issueTypes` subaction for Jira connectors. properties: subAction: type: string description: The action to test. enum: - issueTypes run_postmessage: title: The postMessage subaction type: object description: | Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`. required: - subAction - subActionParams properties: subAction: type: string description: The action to test. 
enum: - postMessage subActionParams: type: object description: The set of configuration properties for the action. properties: channelIds: type: array maxItems: 1 description: | The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration. items: type: string channels: type: array deprecated: true description: | The name of a channel that your Slack app has access to. maxItems: 1 items: type: string text: type: string description: | The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages. minLength: 1 run_pushtoservice: title: The pushToService subaction type: object required: - subAction - subActionParams description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. properties: subAction: type: string description: The action to test. enum: - pushToService subActionParams: type: object description: The set of configuration properties for the action. properties: comments: type: array description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive. items: type: object properties: comment: type: string description: A comment related to the incident. For example, describe how to troubleshoot the issue. commentId: type: integer description: A unique identifier for the comment. incident: type: object description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive incident. properties: additional_fields: type: string nullable: true maxLength: 20 description: | Additional fields for ServiceNow ITSM and ServiceNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format. 
alertId: type: string description: The alert identifier for Swimlane connectors. caseId: type: string description: The case identifier for the incident for Swimlane connectors. caseName: type: string description: The case name for the incident for Swimlane connectors. category: type: string description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. correlation_display: type: string description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors. correlation_id: type: string description: | The correlation identifier for the security incident for ServiceNow ITSM and ServiceNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. description: type: string description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors. dest_ip: description: | A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. oneOf: - type: string - type: array items: type: string externalId: type: string description: | The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. 
If present, the incident is updated. Otherwise, a new incident is created. id: type: string description: The external case identifier for Webhook - Case Management connectors. impact: type: string description: The impact of the incident for ServiceNow ITSM connectors. issueType: type: integer description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`. labels: type: array items: type: string description: | The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces. malware_hash: description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident. oneOf: - type: string - type: array items: type: string malware_url: type: string description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident. oneOf: - type: string - type: array items: type: string otherFields: type: object additionalProperties: true maxProperties: 20 description: | Custom field identifiers and their values for Jira connectors. parent: type: string description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues. priority: type: string description: The priority of the incident in Jira and ServiceNow SecOps connectors. ruleName: type: string description: The rule name for Swimlane connectors. severity: type: integer description: | The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium). short_description: type: string description: | A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base. 
source_ip: description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident. oneOf: - type: string - type: array items: type: string status: type: string description: The status of the incident for Webhook - Case Management connectors. subcategory: type: string description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. summary: type: string description: A summary of the incident for Jira connectors. tags: type: array items: type: string description: A list of tags for TheHive and Webhook - Case Management connectors. title: type: string description: | A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base. tlp: type: integer minimum: 0 maximum: 4 default: 2 description: | The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red). urgency: type: string description: The urgency of the incident for ServiceNow ITSM connectors. run_validchannelid: title: The validChannelId subaction type: object description: | Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`. required: - subAction - subActionParams properties: subAction: type: string description: The action to test. enum: - validChannelId subActionParams: type: object required: - channelId properties: channelId: type: string description: The Slack channel identifier. example: C123ABC456 params_property_apm_anomaly: required: - windowSize - windowUnit - environment - anomalySeverityType properties: serviceName: type: string description: Filter the rule to apply to a specific service name. transactionType: type: string description: Filter the rule to apply to a specific transaction type. 
windowSize: type: number example: 6 description: | The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. windowUnit: type: string description: | The type of units for the time window. For example: minutes, hours, or days. enum: - m - h - d environment: type: string description: Filter the rule to apply to a specific environment. anomalySeverityType: type: string description: | The severity of anomalies that will generate alerts: critical, major, minor, or warning. enum: - critical - major - minor - warning params_property_apm_error_count: required: - windowSize - windowUnit - threshold - environment properties: serviceName: type: string description: Filter the errors coming from your application to apply the rule to a specific service. windowSize: type: number description: | The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection. example: 6 windowUnit: type: string description: | The type of units for the time window: minutes, hours, or days. enum: - m - h - d environment: type: string description: Filter the errors coming from your application to apply the rule to a specific environment. threshold: type: number description: The error count threshold. groupBy: type: array default: - service.name - service.environment uniqueItems: true items: type: string enum: - service.name - service.environment - transaction.name - error.grouping_key description: | Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. errorGroupingKey: type: string description: | Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties. 
params_property_apm_transaction_duration: required: - windowSize - windowUnit - threshold - environment - aggregationType properties: serviceName: type: string description: Filter the rule to apply to a specific service. transactionType: type: string description: Filter the rule to apply to a specific transaction type. transactionName: type: string description: Filter the rule to apply to a specific transaction name. windowSize: type: number description: | The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. example: 6 windowUnit: type: string description: | The type of units for the time window. For example: minutes, hours, or days. enum: - m - h - d environment: type: string description: Filter the rule to apply to a specific environment. threshold: type: number description: The latency threshold value. groupBy: type: array default: - service.name - service.environment - transaction.type uniqueItems: true items: type: string enum: - service.name - service.environment - transaction.type - transaction.name description: | Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group. aggregationType: type: string enum: - avg - 95th - 99th description: The type of aggregation to perform. 
params_property_apm_transaction_error_rate: required: - windowSize - windowUnit - threshold - environment properties: serviceName: type: string description: The service name from APM transactionType: type: string description: The transaction type from APM transactionName: type: string description: The transaction name from APM windowSize: type: number description: The window size example: 6 windowUnit: type: string description: The window size unit enum: - m - h - d environment: type: string description: The environment from APM threshold: type: number description: The error rate threshold value groupBy: type: array default: - service.name - service.environment - transaction.type uniqueItems: true items: type: string enum: - service.name - service.environment - transaction.type - transaction.name aggfield: description: | The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`. type: string aggtype: description: The type of aggregation to perform. type: string enum: - avg - count - max - min - sum default: count excludehitsfrompreviousrun: description: | Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified. type: boolean groupby: description: | Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked. type: string enum: - all - top default: all size: description: | The number of documents to pass to the configured actions when the threshold condition is met. 
type: integer termfield: description: | The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`. oneOf: - type: string - type: array items: type: string maxItems: 4 termsize: description: | This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields. type: integer threshold: description: | The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values. type: array items: type: integer example: 4000 thresholdcomparator: description: The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between". type: string enum: - '>' - '>=' - < - <= - between - notBetween example: '>' timefield: description: The field that is used to calculate the time window. type: string timewindowsize: description: | The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection. type: integer example: 5 timewindowunit: description: | The type of units for the time window: seconds, minutes, hours, or days. type: string enum: - s - m - h - d example: m params_es_query_dsl_rule: title: Elasticsearch DSL query rule params description: | An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`. 
type: object required: - esQuery - index - threshold - thresholdComparator - timeField - timeWindowSize - timeWindowUnit properties: aggField: $ref: '#/components/schemas/aggfield' aggType: $ref: '#/components/schemas/aggtype' esQuery: description: The query definition, which uses Elasticsearch Query DSL. type: string excludeHitsFromPreviousRun: $ref: '#/components/schemas/excludehitsfrompreviousrun' groupBy: $ref: '#/components/schemas/groupby' index: description: The indices to query. oneOf: - type: array items: type: string - type: string searchType: description: The type of query, in this case a query that uses Elasticsearch Query DSL. type: string enum: - esQuery default: esQuery example: esQuery size: $ref: '#/components/schemas/size' termField: $ref: '#/components/schemas/termfield' termSize: $ref: '#/components/schemas/termsize' threshold: $ref: '#/components/schemas/threshold' thresholdComparator: $ref: '#/components/schemas/thresholdcomparator' timeField: $ref: '#/components/schemas/timefield' timeWindowSize: $ref: '#/components/schemas/timewindowsize' timeWindowUnit: $ref: '#/components/schemas/timewindowunit' params_es_query_esql_rule: title: Elasticsearch ES|QL query rule params description: | An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`. type: object required: - esqlQuery - searchType - size - threshold - thresholdComparator - timeWindowSize - timeWindowUnit properties: aggField: $ref: '#/components/schemas/aggfield' aggType: $ref: '#/components/schemas/aggtype' esqlQuery: type: object required: - esql properties: esql: description: The query definition, which uses Elasticsearch Query Language. 
type: string excludeHitsFromPreviousRun: $ref: '#/components/schemas/excludehitsfrompreviousrun' groupBy: $ref: '#/components/schemas/groupby' searchType: description: The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL). type: string enum: - esqlQuery example: esqlQuery size: type: integer description: | When `searchType` is `esqlQuery`, this property is required but it does not affect the rule behavior. example: 0 termSize: $ref: '#/components/schemas/termsize' threshold: type: array items: type: integer minimum: 0 maximum: 0 description: | The threshold value that is used with the `thresholdComparator`. When `searchType` is `esqlQuery`, this property is required and must be set to zero. thresholdComparator: type: string description: | The comparison function for the threshold. When `searchType` is `esqlQuery`, this property is required and must be set to ">". Since the `threshold` value must be `0`, the result is that an alert occurs whenever the query returns results. enum: - '>' example: '>' timeField: $ref: '#/components/schemas/timefield' timeWindowSize: $ref: '#/components/schemas/timewindowsize' timeWindowUnit: $ref: '#/components/schemas/timewindowunit' filter: type: object description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package. properties: meta: type: object properties: alias: type: string nullable: true controlledBy: type: string disabled: type: boolean field: type: string group: type: string index: type: string isMultiIndex: type: boolean key: type: string negate: type: boolean params: type: object type: type: string value: type: string query: type: object $state: type: object params_es_query_kql_rule: title: Elasticsearch KQL query rule params description: | An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. 
These parameters are appropriate when `rule_type_id` is `.es-query`. type: object required: - searchType - size - threshold - thresholdComparator - timeWindowSize - timeWindowUnit properties: aggField: $ref: '#/components/schemas/aggfield' aggType: $ref: '#/components/schemas/aggtype' excludeHitsFromPreviousRun: $ref: '#/components/schemas/excludehitsfrompreviousrun' groupBy: $ref: '#/components/schemas/groupby' searchConfiguration: description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch. type: object properties: filter: type: array items: $ref: '#/components/schemas/filter' index: description: The indices to query. oneOf: - type: string - type: array items: type: string query: type: object properties: language: type: string example: kuery query: type: string searchType: description: The type of query, in this case a text-based query that uses KQL or Lucene. type: string enum: - searchSource example: searchSource size: $ref: '#/components/schemas/size' termField: $ref: '#/components/schemas/termfield' termSize: $ref: '#/components/schemas/termsize' threshold: $ref: '#/components/schemas/threshold' thresholdComparator: $ref: '#/components/schemas/thresholdcomparator' timeField: $ref: '#/components/schemas/timefield' timeWindowSize: $ref: '#/components/schemas/timewindowsize' timeWindowUnit: $ref: '#/components/schemas/timewindowunit' params_index_threshold_rule: title: Index threshold rule params description: An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when `rule_type_id` is `.index-threshold`. 
type: object required: - index - threshold - thresholdComparator - timeField - timeWindowSize - timeWindowUnit properties: aggField: $ref: '#/components/schemas/aggfield' aggType: $ref: '#/components/schemas/aggtype' filterKuery: description: A KQL expression that limits the scope of alerts. type: string groupBy: $ref: '#/components/schemas/groupby' index: description: The indices to query. type: array items: type: string termField: $ref: '#/components/schemas/termfield' termSize: $ref: '#/components/schemas/termsize' threshold: $ref: '#/components/schemas/threshold' thresholdComparator: $ref: '#/components/schemas/thresholdcomparator' timeField: $ref: '#/components/schemas/timefield' timeWindowSize: $ref: '#/components/schemas/timewindowsize' timeWindowUnit: $ref: '#/components/schemas/timewindowunit' params_property_infra_inventory: properties: criteria: type: array items: type: object properties: metric: type: string enum: - count - cpu - diskLatency - load - memory - memoryTotal - tx - rx - logRate - diskIOReadBytes - diskIOWriteBytes - s3TotalRequests - s3NumberOfObjects - s3BucketSize - s3DownloadBytes - s3UploadBytes - rdsConnections - rdsQueriesExecuted - rdsActiveTransactions - rdsLatency - sqsMessagesVisible - sqsMessagesDelayed - sqsMessagesSent - sqsMessagesEmpty - sqsOldestMessage - custom timeSize: type: number timeUnit: type: string enum: - s - m - h - d sourceId: type: string threshold: type: array items: type: number comparator: type: string enum: - < - <= - '>' - '>=' - between - outside customMetric: type: object properties: type: type: string enum: - custom field: type: string aggregation: type: string enum: - avg - max - min - rate id: type: string label: type: string warningThreshold: type: array items: type: number warningComparator: type: string enum: - < - <= - '>' - '>=' - between - outside filterQuery: type: string filterQueryText: type: string nodeType: type: string enum: - host - pod - container - awsEC2 - awsS3 - awsSQS - awsRDS 
sourceId: type: string alertOnNoData: type: boolean params_property_log_threshold: oneOf: - title: Count type: object required: - count - timeSize - timeUnit - logView properties: criteria: type: array items: type: object properties: field: type: string example: my.field comparator: type: string enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase value: oneOf: - type: number example: 42 - type: string example: value count: type: object properties: comparator: type: string enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase value: type: number example: 100 timeSize: type: number example: 6 timeUnit: type: string enum: - s - m - h - d logView: type: object properties: logViewId: type: string type: type: string enum: - log-view-reference example: log-view-reference groupBy: type: array items: type: string - title: Ratio type: object required: - count - timeSize - timeUnit - logView properties: criteria: type: array items: minItems: 2 maxItems: 2 type: array items: type: object properties: field: type: string example: my.field comparator: type: string enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase value: oneOf: - type: number example: 42 - type: string example: value count: type: object properties: comparator: type: string enum: - more than - more than or equals - less than - less than or equals - equals - does not equal - matches - does not match - matches phrase - does not match phrase value: type: number example: 100 timeSize: type: number example: 6 timeUnit: type: string enum: - s - m - h - d logView: type: object properties: logViewId: type: string type: type: string enum: - log-view-reference example: 
log-view-reference groupBy: type: array items: type: string params_property_infra_metric_threshold: properties: criteria: type: array items: oneOf: - title: non count criterion type: object properties: threshold: type: array items: type: number comparator: type: string enum: - < - <= - '>' - '>=' - between - outside timeUnit: type: string timeSize: type: number warningThreshold: type: array items: type: number warningComparator: type: string enum: - < - <= - '>' - '>=' - between - outside metric: type: string aggType: type: string enum: - avg - max - min - cardinality - rate - count - sum - p95 - p99 - custom - title: count criterion type: object properties: threshold: type: array items: type: number comparator: type: string enum: - < - <= - '>' - '>=' - between - outside timeUnit: type: string timeSize: type: number warningThreshold: type: array items: type: number warningComparator: type: string enum: - < - <= - '>' - '>=' - between - outside aggType: type: string enum: - count - title: custom criterion type: object properties: threshold: type: array items: type: number comparator: type: string enum: - < - <= - '>' - '>=' - between - outside timeUnit: type: string timeSize: type: number warningThreshold: type: array items: type: number warningComparator: type: string enum: - < - <= - '>' - '>=' - between - outside aggType: type: string enum: - custom customMetric: type: array items: oneOf: - type: object properties: name: type: string aggType: type: string enum: - avg - sum - max - min - cardinality field: type: string - type: object properties: name: type: string aggType: type: string enum: - count filter: type: string equation: type: string label: type: string groupBy: oneOf: - type: string - type: array items: type: string filterQuery: type: string sourceId: type: string alertOnNoData: type: boolean alertOnGroupDisappear: type: boolean params_property_slo_burn_rate: properties: sloId: description: The SLO identifier used by the rule type: string example: 
8853df00-ae2e-11ed-90af-09bb6422b258 burnRateThreshold: description: The burn rate threshold used to trigger the alert type: number example: 14.4 maxBurnRateThreshold: description: The maximum burn rate threshold value defined by the SLO error budget type: number example: 168 longWindow: description: The duration of the long window used to compute the burn rate type: object properties: value: description: The duration value type: number example: 6 unit: description: The duration unit type: string example: h shortWindow: description: The duration of the short window used to compute the burn rate type: object properties: value: description: The duration value type: number example: 30 unit: description: The duration unit type: string example: m params_property_synthetics_uptime_tls: properties: search: type: string certExpirationThreshold: type: number certAgeThreshold: type: number params_property_synthetics_monitor_status: required: - numTimes - shouldCheckStatus - shouldCheckAvailability properties: availability: type: object properties: range: type: number rangeUnit: type: string threshold: type: string filters: oneOf: - type: string - type: object deprecated: true properties: monitor.type: type: array items: type: string observer.geo.name: type: array items: type: string tags: type: array items: type: string url.port: type: array items: type: string locations: deprecated: true type: array items: type: string numTimes: type: number search: type: string shouldCheckStatus: type: boolean shouldCheckAvailability: type: boolean timerangeCount: type: number timerangeUnit: type: string timerange: deprecated: true type: object properties: from: type: string to: type: string version: type: number isAutoGenerated: type: boolean securitySchemes: apiKeyAuth: description: | These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. 
For example: `Authorization: ApiKey base64AccessApiKey` in: header name: Authorization type: apiKey basicAuth: scheme: basic type: http x-topics: - title: Kibana spaces content: | Spaces enable you to organize your dashboards and other saved objects into meaningful categories. You can use the default space or create your own spaces. To run APIs in non-default spaces, you must add `s/{space_id}/` to the path. For example: ``` curl -X GET "http://localhost:5601/s/marketing/api/data_views" ``` If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. To learn more, check out [Spaces](https://www.elastic.co/guide/en/kibana/8.18/xpack-spaces.html).
