` syntax.
+ in: query
+ name: filter
+ required: false
+ schema:
+ default: []
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter'
+ type: array
+ - description: |
+ Determines whether the returned containers are Kibana associated with a Kibana space
+ or available in all spaces (`agnostic` or `single`)
+ in: query
+ name: namespace_type
+ required: false
+ schema:
+ default:
+ - single
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ type: array
+ - in: query
+ name: search
+ required: false
+ schema:
+ type: string
+ - description: The page number to return
+ in: query
+ name: page
+ required: false
+ schema:
+ minimum: 0
+ type: integer
+ - description: The number of exception list items to return per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ minimum: 0
+ type: integer
+ - description: Determines which field is used to sort the results.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ - description: Determines the sort order, which can be `desc` or `asc`.
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ data:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
+ type: array
+ page:
+ minimum: 1
+ type: integer
+ per_page:
+ minimum: 1
+ type: integer
+ pit:
+ type: string
+ total:
+ minimum: 0
+ type: integer
+ required:
+ - data
+ - page
+ - per_page
+ - total
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get exception list items
+ tags:
+ - Security Exceptions API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
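Review bot: the `namespace_type` description in this region ("Determines whether the returned containers are Kibana associated with a Kibana space or available in all spaces") is garbled; suggest "Determines whether the returned containers are associated with a Kibana space (`single`) or available in all spaces (`agnostic`)". The `filter` and `search` query parameters also carry no `description` while every sibling parameter does, so generated docs will show them as bare names.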
+ /api/exception_lists/summary:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/exception_lists/summary
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a summary of the specified exception list.
+ operationId: ReadExceptionListSummary
+ parameters:
+ - description: Exception list's identifier generated upon creation.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
+ - description: Exception list's human readable identifier.
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ - in: query
+ name: namespace_type
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ - description: Search filter clause
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ linux:
+ minimum: 0
+ type: integer
+ macos:
+ minimum: 0
+ type: integer
+ total:
+ minimum: 0
+ type: integer
+ windows:
+ minimum: 0
+ type: integer
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get an exception list summary
+ tags:
+ - Security Exceptions API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
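Review bot: in the `namespace_type` parameter, `default: single` sits as a sibling of `$ref` inside `schema`; in OpenAPI 3.0 any sibling of `$ref` is ignored, so validators and generated docs silently drop the default. Either move the default into the referenced component or wrap the reference (`allOf: [{ $ref: ... }]` with `default: single` beside it). The list-items operation above avoids this by placing `default` beside `items` rather than beside `$ref`.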
+ /api/exceptions/shared:
+ post:
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/exceptions/shared
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules.
+ > info
+ > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
+ operationId: CreateSharedExceptionList
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
+ required:
+ - name
+ - description
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list already exists response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create a shared exception list
+ tags:
+ - Security Exceptions API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/features:
+ get:
+ description: |
+ Get information about all Kibana features. Features are used by spaces and security to refine and secure access to Kibana.
+ operationId: get-features
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call
+ summary: Get features
+ tags:
+ - system
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/fleet/agent_download_sources:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agent_download_sources
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.
+ operationId: get-fleet-agent-download-sources
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ ssl:
+ additionalProperties: false
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ type: object
+ required:
+ - id
+ - name
+ - host
+ type: object
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get agent binary download sources
+ tags:
+ - Elastic Agent binary download sources
+ x-metaTags:
+ - content: Kibana
+ name: product_name
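Review bot: the `200` response schema declares a plaintext `ssl.key` string on each download source alongside `secrets.ssl.key`. If the route really returns private key material on read, that is a credential disclosure to any caller holding only `fleet-agent-policies-read`; if it does not, the response object should omit `key` (or mark it `writeOnly: true`) so clients and generated SDKs do not expect it. Either way, a sentence pointing callers at `secrets.ssl.key` as the preferred way to supply the key would help.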
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agent_download_sources
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-all.
+ operationId: post-fleet-agent-download-sources
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ ssl:
+ additionalProperties: false
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ type: object
+ required:
+ - name
+ - host
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ ssl:
+ additionalProperties: false
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ type: object
+ required:
+ - id
+ - name
+ - host
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Create an agent binary download source
+ tags:
+ - Elastic Agent binary download sources
+ x-metaTags:
+ - content: Kibana
+ name: product_name
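Review bot: `requestBody` is not marked `required: true`, although `name` and `host` are mandatory in its schema, so the spec describes a body-less request as valid; compare the shared exception list operation above, which sets `required: true`. The same applies to the put operation on `/api/fleet/agent_download_sources/{sourceId}` below.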
+ /api/fleet/agent_download_sources/{sourceId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get an agent binary download source by ID.
[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.
+ operationId: get-fleet-agent-download-sources-sourceid
+ parameters:
+ - in: path
+ name: sourceId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ ssl:
+ additionalProperties: false
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ type: object
+ required:
+ - id
+ - name
+ - host
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get an agent binary download source
+ tags:
+ - Elastic Agent binary download sources
+ x-metaTags:
+ - content: Kibana
+ name: product_name
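Review bot: only `200` and `400` responses are declared for a lookup by `sourceId`; an unknown ID should produce a documented `404`, as the exception list operations above do, and the put and delete operations on this path below have the same gap. The description also states required privileges, yet no `401` or `403` response is listed for any of the fleet routes in this region.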
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update an agent binary download source by ID.
[Required authorization] Route required privileges: fleet-settings-all.
+ operationId: put-fleet-agent-download-sources-sourceid
+ parameters:
+ - in: path
+ name: sourceId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ ssl:
+ additionalProperties: false
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ type: object
+ required:
+ - name
+ - host
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ ssl:
+ additionalProperties: false
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ type: object
+ required:
+ - id
+ - name
+ - host
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Update an agent binary download source
+ tags:
+ - Elastic Agent binary download sources
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/agent_download_sources/{sourceId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete an agent binary download source by ID.
[Required authorization] Route required privileges: fleet-settings-all.
+ operationId: delete-fleet-agent-download-sources-sourceid
+ parameters:
+ - in: path
+ name: sourceId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete an agent binary download source
+ tags:
+ - Elastic Agent binary download sources
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agent_policies:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agent_policies
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.
+ operationId: get-fleet-agent-policies
+ parameters:
+ - in: query
+ name: page
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: sortField
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ - in: query
+ name: showUpgradeable
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ - description: use withAgentCount instead
+ in: query
+ name: noAgentCount
+ required: false
+ schema:
+ deprecated: true
+ type: boolean
+ - description: get policies with agent count
+ in: query
+ name: withAgentCount
+ required: false
+ schema:
+ type: boolean
+ - description: get full policies with package policies populated
+ in: query
+ name: full
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ $ref: '#/components/schemas/agent_policy'
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get agent policies
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agent_policies
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-all.
+ operationId: post-fleet-agent-policies
+ parameters:
+ - in: query
+ name: sys_monitoring
+ required: false
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ x-omitempty: true
+ agent_download_timeout:
+ nullable: true
+ x-omitempty: true
+ agent_limits_go_max_procs:
+ nullable: true
+ x-omitempty: true
+ agent_logging_files_interval:
+ nullable: true
+ x-omitempty: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ x-omitempty: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ x-omitempty: true
+ agent_logging_level:
+ nullable: true
+ x-omitempty: true
+ agent_logging_metrics_period:
+ nullable: true
+ x-omitempty: true
+ agent_logging_to_files:
+ nullable: true
+ x-omitempty: true
+ agent_monitoring_runtime_experimental:
+ nullable: true
+ x-omitempty: true
+ type: object
+ agent_features:
+ items:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: object
+ type: array
+ agentless:
+ additionalProperties: false
+ properties:
+ cloud_connectors:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ target_csp:
+ type: string
+ required:
+ - enabled
+ type: object
+ resources:
+ additionalProperties: false
+ properties:
+ requests:
+ additionalProperties: false
+ properties:
+ cpu:
+ type: string
+ memory:
+ type: string
+ type: object
+ type: object
+ type: object
+ data_output_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ force:
+ type: boolean
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ $ref: '#/components/schemas/agent_policy_global_data_tags_item'
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_protected:
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ monitoring_diagnostics:
+ additionalProperties: false
+ properties:
+ limit:
+ additionalProperties: false
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ type: object
+ uploader:
+ additionalProperties: false
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ type: object
+ type: object
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ properties:
+ buffer:
+ additionalProperties: false
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ type: object
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ type: object
+ monitoring_output_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ x-omitempty: true
+ required_versions:
+ items:
+ additionalProperties: false
+ properties:
+ percentage:
+ description: Target percentage of agents to auto upgrade
+ maximum: 100
+ minimum: 0
+ type: number
+ version:
+ description: Target version for automatic agent upgrade
+ type: string
+ required:
+ - version
+ - percentage
+ type: object
+ nullable: true
+ type: array
+ x-omitempty: true
+ space_ids:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ required:
+ - name
+ - namespace
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/agent_policy'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Create an agent policy
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
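Review bot: `monitoring_http.port` has `maximum: 65353`, which reads as a transposition of 65535; as written the schema rejects valid ports 65354 through 65535, so client-side validation and server behaviour disagree. Suggest `maximum: 65535`. Separately, `global_data_tags.items` places `additionalProperties`, `properties` and `required` as siblings of `$ref: '#/components/schemas/agent_policy_global_data_tags_item'`; in OpenAPI 3.0 those siblings are ignored, so keep either the `$ref` or the inline schema, not both.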
+ /api/fleet/agent_policies/_bulk_get:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agent_policies/_bulk_get
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.
+ operationId: post-fleet-agent-policies-bulk-get
+ parameters:
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ full:
+ description: get full policies with package policies populated
+ type: boolean
+ ids:
+ description: list of package policy ids
+ items:
+ type: string
+ type: array
+ ignoreMissing:
+ type: boolean
+ required:
+ - ids
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ agent_download_timeout:
+ nullable: true
+ agent_limits_go_max_procs:
+ nullable: true
+ agent_logging_files_interval:
+ nullable: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ agent_logging_level:
+ nullable: true
+ agent_logging_metrics_period:
+ nullable: true
+ agent_logging_to_files:
+ nullable: true
+ agent_monitoring_runtime_experimental:
+ nullable: true
+ type: object
+ agent_features:
+ items:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: object
+ type: array
+ agentless:
+ additionalProperties: false
+ properties:
+ cloud_connectors:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ target_csp:
+ type: string
+ required:
+ - enabled
+ type: object
+ resources:
+ additionalProperties: false
+ properties:
+ requests:
+ additionalProperties: false
+ properties:
+ cpu:
+ type: string
+ memory:
+ type: string
+ type: object
+ type: object
+ type: object
+ agents:
+ type: number
+ data_output_id:
+ nullable: true
+ type: string
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ fips_agents:
+ type: number
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ is_protected:
+ description: Indicates whether the agent policy has tamper protection enabled. Default false.
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ monitoring_diagnostics:
+ additionalProperties: false
+ properties:
+ limit:
+ additionalProperties: false
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ type: object
+ uploader:
+ additionalProperties: false
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ type: object
+ type: object
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ properties:
+ buffer:
+ additionalProperties: false
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ type: object
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ type: object
+ monitoring_output_id:
+ nullable: true
+ type: string
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ package_policies:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
+ items:
+ additionalProperties: false
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ agents:
+ type: number
+ cloud_connector_id:
+ description: ID of the cloud connector associated with this package policy.
+ nullable: true
+ type: string
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ properties:
+ privileges:
+ additionalProperties: true
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ id:
+ description: Package policy unique identifier.
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: object
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: object
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that stream. Defaults to `true` (enabled).
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Input streams. Refer to the integration documentation to know which streams are available.
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
+ type: object
+ x-oas-optional: true
+ description: Package policy inputs.
+ is_managed:
+ type: boolean
+ name:
+ description: Unique name for the package policy.
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ type: object
+ package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ policy_id:
+ deprecated: true
+ description: ID of the agent policy which the package policy will be added to.
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: IDs of the agent policies which that package policy will be added to.
+ type: string
+ type: array
+ revision:
+ description: Package policy revision.
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ supports_cloud_connector:
+ default: false
+ description: Indicates whether the package policy supports cloud connectors.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ x-oas-optional: true
+ description: Package level variable.
+ version:
+ description: Package policy ES version.
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: object
+ type: array
+ required_versions:
+ items:
+ additionalProperties: false
+ properties:
+ percentage:
+ description: Target percentage of agents to auto upgrade
+ maximum: 100
+ minimum: 0
+ type: number
+ version:
+ description: Target version for automatic agent upgrade
+ type: string
+ required:
+ - version
+ - percentage
+ type: object
+ nullable: true
+ type: array
+ revision:
+ type: number
+ schema_version:
+ type: string
+ space_ids:
+ items:
+ type: string
+ type: array
+ status:
+ enum:
+ - active
+ - inactive
+ type: string
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ unprivileged_agents:
+ type: number
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - name
+ - namespace
+ - is_managed
+ - is_protected
+ - status
+ - updated_at
+ - updated_by
+ - revision
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk get agent policies
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
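Review bot: `monitoring_http.port` in this agent policy item schema is capped with `maximum: 65353`, which is below the top of the TCP port range; it should be `maximum: 65535`, otherwise a policy whose monitoring listener is bound to a port in 65354..65535 fails schema validation. The same value is repeated in the `put` request body and in the inlined `copy` response below, so fix all three or, better, define `monitoring_http` once as a component and `$ref` it. Also, `package_policies[].elasticsearch` and its nested `privileges` are the only objects here with `additionalProperties: true`; since `privileges.cluster` is a permissions grant, either set `additionalProperties: false` or document which other keys are accepted there.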
+ /api/fleet/agent_policies/{agentPolicyId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get an agent policy by ID.
[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.
+ operationId: get-fleet-agent-policies-agentpolicyid
+ parameters:
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/agent_policy'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get an agent policy
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
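Review bot: the description states required privileges (`fleet-agent-policies-read OR fleet-agents-read OR fleet-setup`) but the only documented error is `"400"`; add the `401`/`403` responses a caller without those privileges receives, and a `404` for an unknown `agentPolicyId`, as the `download` operation below already does. The `format` query parameter (`simplified` | `legacy`) also has no `description`; say what each value selects and which one applies when the parameter is omitted.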
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update an agent policy by ID.
[Required authorization] Route required privileges: fleet-agent-policies-all.
+ operationId: put-fleet-agent-policies-agentpolicyid
+ parameters:
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ x-omitempty: true
+ agent_download_timeout:
+ nullable: true
+ x-omitempty: true
+ agent_limits_go_max_procs:
+ nullable: true
+ x-omitempty: true
+ agent_logging_files_interval:
+ nullable: true
+ x-omitempty: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ x-omitempty: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ x-omitempty: true
+ agent_logging_level:
+ nullable: true
+ x-omitempty: true
+ agent_logging_metrics_period:
+ nullable: true
+ x-omitempty: true
+ agent_logging_to_files:
+ nullable: true
+ x-omitempty: true
+ agent_monitoring_runtime_experimental:
+ nullable: true
+ x-omitempty: true
+ type: object
+ agent_features:
+ items:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: object
+ type: array
+ agentless:
+ additionalProperties: false
+ properties:
+ cloud_connectors:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ target_csp:
+ type: string
+ required:
+ - enabled
+ type: object
+ resources:
+ additionalProperties: false
+ properties:
+ requests:
+ additionalProperties: false
+ properties:
+ cpu:
+ type: string
+ memory:
+ type: string
+ type: object
+ type: object
+ type: object
+ bumpRevision:
+ type: boolean
+ data_output_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ force:
+ type: boolean
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ $ref: '#/components/schemas/agent_policy_global_data_tags_item'
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_protected:
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ monitoring_diagnostics:
+ additionalProperties: false
+ properties:
+ limit:
+ additionalProperties: false
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ type: object
+ uploader:
+ additionalProperties: false
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ type: object
+ type: object
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ properties:
+ buffer:
+ additionalProperties: false
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ type: object
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ type: object
+ monitoring_output_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ x-omitempty: true
+ required_versions:
+ items:
+ additionalProperties: false
+ properties:
+ percentage:
+ description: Target percentage of agents to auto upgrade
+ maximum: 100
+ minimum: 0
+ type: number
+ version:
+ description: Target version for automatic agent upgrade
+ type: string
+ required:
+ - version
+ - percentage
+ type: object
+ nullable: true
+ type: array
+ x-omitempty: true
+ space_ids:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ required:
+ - name
+ - namespace
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/agent_policy'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Update an agent policy
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
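Review bot: `is_protected` in the `put` request body has no `description`, while the response schema documents it as the tamper-protection flag ("Indicates whether the agent policy has tamper protection enabled. Default false."); since this is the route that can switch tamper protection off for every agent on the policy, carry that description here, and give `force` and `bumpRevision` descriptions as well, as both are undocumented booleans that change what the update does. Separately, `global_data_tags.items` combines `$ref: '#/components/schemas/agent_policy_global_data_tags_item'` with sibling `additionalProperties`/`properties`/`required` keywords; in OpenAPI 3.0 the siblings of a `$ref` are ignored, so the inline constraints are dead text. Keep one form: either the `$ref` alone, or the inline object as the `copy` response below has it.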
+ /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get auto upgrade agent status
[Required authorization] Route required privileges: fleet-agents-read.
+ operationId: get-fleet-agent-policies-agentpolicyid-auto-upgrade-agents-status
+ parameters:
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ currentVersions:
+ items:
+ additionalProperties: false
+ properties:
+ agents:
+ type: number
+ failedUpgradeActionIds:
+ items:
+ type: string
+ type: array
+ failedUpgradeAgents:
+ type: number
+ version:
+ type: string
+ required:
+ - version
+ - agents
+ - failedUpgradeAgents
+ type: object
+ type: array
+ totalAgents:
+ type: number
+ required:
+ - currentVersions
+ - totalAgents
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get auto upgrade agent status
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
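Review bot: in `currentVersions[]`, `failedUpgradeAgents` is required but `failedUpgradeActionIds` is not, so a client cannot distinguish "no failed actions" from "field omitted"; either require it (an empty array when there are none) or add a `description` saying when it is absent.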
+ /api/fleet/agent_policies/{agentPolicyId}/copy:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/copy
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Copy an agent policy by ID.
[Required authorization] Route required privileges: fleet-agent-policies-all.
+ operationId: post-fleet-agent-policies-agentpolicyid-copy
+ parameters:
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ description:
+ type: string
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ agent_download_timeout:
+ nullable: true
+ agent_limits_go_max_procs:
+ nullable: true
+ agent_logging_files_interval:
+ nullable: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ agent_logging_level:
+ nullable: true
+ agent_logging_metrics_period:
+ nullable: true
+ agent_logging_to_files:
+ nullable: true
+ agent_monitoring_runtime_experimental:
+ nullable: true
+ type: object
+ agent_features:
+ items:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: object
+ type: array
+ agentless:
+ additionalProperties: false
+ properties:
+ cloud_connectors:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ target_csp:
+ type: string
+ required:
+ - enabled
+ type: object
+ resources:
+ additionalProperties: false
+ properties:
+ requests:
+ additionalProperties: false
+ properties:
+ cpu:
+ type: string
+ memory:
+ type: string
+ type: object
+ type: object
+ type: object
+ agents:
+ type: number
+ data_output_id:
+ nullable: true
+ type: string
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ fips_agents:
+ type: number
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: object
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ is_protected:
+ description: Indicates whether the agent policy has tamper protection enabled. Default false.
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ monitoring_diagnostics:
+ additionalProperties: false
+ properties:
+ limit:
+ additionalProperties: false
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ type: object
+ uploader:
+ additionalProperties: false
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ type: object
+ type: object
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ properties:
+ buffer:
+ additionalProperties: false
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ type: object
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ type: object
+ monitoring_output_id:
+ nullable: true
+ type: string
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ package_policies:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
+ items:
+ additionalProperties: false
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ agents:
+ type: number
+ cloud_connector_id:
+ description: ID of the cloud connector associated with this package policy.
+ nullable: true
+ type: string
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ properties:
+ privileges:
+ additionalProperties: true
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ id:
+ description: Package policy unique identifier.
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: object
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: object
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that stream. Defaults to `true` (enabled).
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Input streams. Refer to the integration documentation to know which streams are available.
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
+ type: object
+ x-oas-optional: true
+ description: Package policy inputs.
+ is_managed:
+ type: boolean
+ name:
+ description: Unique name for the package policy.
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ type: object
+ package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ policy_id:
+ deprecated: true
+ description: ID of the agent policy which the package policy will be added to.
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: IDs of the agent policies which that package policy will be added to.
+ type: string
+ type: array
+ revision:
+ description: Package policy revision.
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ supports_cloud_connector:
+ default: false
+ description: Indicates whether the package policy supports cloud connectors.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ x-oas-optional: true
+ description: Package level variable.
+ version:
+ description: Package policy ES version.
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: object
+ type: array
+ required_versions:
+ items:
+ additionalProperties: false
+ properties:
+ percentage:
+ description: Target percentage of agents to auto upgrade
+ maximum: 100
+ minimum: 0
+ type: number
+ version:
+ description: Target version for automatic agent upgrade
+ type: string
+ required:
+ - version
+ - percentage
+ type: object
+ nullable: true
+ type: array
+ revision:
+ type: number
+ schema_version:
+ type: string
+ space_ids:
+ items:
+ type: string
+ type: array
+ status:
+ enum:
+ - active
+ - inactive
+ type: string
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ unprivileged_agents:
+ type: number
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - name
+ - namespace
+ - is_managed
+ - is_protected
+ - status
+ - updated_at
+ - updated_by
+ - revision
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Copy an agent policy
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agent_policies/{agentPolicyId}/download:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/download
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Download an agent policy by ID.
[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.
+ operationId: get-fleet-agent-policies-agentpolicyid-download
+ parameters:
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: download
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: standalone
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: kubernetes
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: string
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "404":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: Not found.
+ summary: Download an agent policy
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agent_policies/{agentPolicyId}/full:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/full
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a full agent policy by ID.
[Required authorization] Route required privileges: fleet-agent-policies-read.
+ operationId: get-fleet-agent-policies-agentpolicyid-full
+ parameters:
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: download
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: standalone
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: kubernetes
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ anyOf:
+ - type: string
+ - additionalProperties: false
+ properties:
+ agent:
+ additionalProperties: false
+ properties:
+ download:
+ additionalProperties: false
+ properties:
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ proxy_url:
+ type: string
+ secrets:
+ additionalProperties: true
+ properties:
+ ssl:
+ additionalProperties: true
+ properties:
+ key:
+ additionalProperties: true
+ properties:
+ id:
+ type: string
+ type: object
+ required:
+ - key
+ type: object
+ type: object
+ sourceURI:
+ type: string
+ ssl:
+ additionalProperties: false
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ renegotiation:
+ type: string
+ verification_mode:
+ type: string
+ type: object
+ target_directory:
+ type: string
+ timeout:
+ type: string
+ required:
+ - sourceURI
+ type: object
+ features:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ required:
+ - enabled
+ type: object
+ type: object
+ limits:
+ additionalProperties: false
+ properties:
+ go_max_procs:
+ type: number
+ type: object
+ logging:
+ additionalProperties: false
+ properties:
+ files:
+ additionalProperties: false
+ properties:
+ interval:
+ type: string
+ keepfiles:
+ type: number
+ rotateeverybytes:
+ type: number
+ type: object
+ level:
+ type: string
+ metrics:
+ additionalProperties: false
+ properties:
+ period:
+ type: string
+ type: object
+ to_files:
+ type: boolean
+ type: object
+ monitoring:
+ additionalProperties: false
+ properties:
+ _runtime_experimental:
+ type: string
+ apm: {}
+ enabled:
+ type: boolean
+ logs:
+ type: boolean
+ metrics:
+ type: boolean
+ namespace:
+ type: string
+ traces:
+ type: boolean
+ use_output:
+ type: string
+ required:
+ - enabled
+ - metrics
+ - logs
+ - traces
+ - apm
+ type: object
+ protection:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ signing_key:
+ type: string
+ uninstall_token_hash:
+ type: string
+ required:
+ - enabled
+ - uninstall_token_hash
+ - signing_key
+ type: object
+ required:
+ - monitoring
+ - download
+ - features
+ type: object
+ connectors:
+ additionalProperties: {}
+ type: object
+ exporters:
+ additionalProperties: {}
+ type: object
+ extensions:
+ additionalProperties: {}
+ type: object
+ fleet:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hosts:
+ items:
+ type: string
+ type: array
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ proxy_url:
+ type: string
+ secrets:
+ additionalProperties: true
+ properties:
+ ssl:
+ additionalProperties: true
+ properties:
+ key:
+ additionalProperties: true
+ properties:
+ id:
+ type: string
+ type: object
+ required:
+ - key
+ type: object
+ type: object
+ ssl:
+ additionalProperties: false
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ renegotiation:
+ type: string
+ verification_mode:
+ type: string
+ type: object
+ required:
+ - hosts
+ type: object
+ - additionalProperties: false
+ properties:
+ kibana:
+ additionalProperties: false
+ properties:
+ hosts:
+ items:
+ type: string
+ type: array
+ path:
+ type: string
+ protocol:
+ type: string
+ required:
+ - hosts
+ - protocol
+ type: object
+ required:
+ - kibana
+ type: object
+ id:
+ type: string
+ inputs:
+ items:
+ additionalProperties: true
+ properties:
+ data_stream:
+ additionalProperties: true
+ properties:
+ namespace:
+ type: string
+ required:
+ - namespace
+ type: object
+ id:
+ type: string
+ meta:
+ additionalProperties: true
+ properties:
+ package:
+ additionalProperties: true
+ properties:
+ name:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ type: object
+ name:
+ type: string
+ package_policy_id:
+ type: string
+ processors:
+ items:
+ additionalProperties: true
+ properties:
+ add_fields:
+ additionalProperties: true
+ properties:
+ fields:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: number
+ type: object
+ target:
+ type: string
+ required:
+ - target
+ - fields
+ type: object
+ required:
+ - add_fields
+ type: object
+ type: array
+ revision:
+ type: number
+ streams:
+ items:
+ additionalProperties: true
+ properties:
+ data_stream:
+ additionalProperties: true
+ properties:
+ dataset:
+ type: string
+ type:
+ type: string
+ required:
+ - dataset
+ type: object
+ id:
+ type: string
+ required:
+ - id
+ - data_stream
+ type: object
+ type: array
+ type:
+ type: string
+ use_output:
+ type: string
+ required:
+ - id
+ - name
+ - revision
+ - type
+ - data_stream
+ - use_output
+ - package_policy_id
+ type: object
+ type: array
+ namespaces:
+ items:
+ type: string
+ type: array
+ output_permissions:
+ additionalProperties:
+ additionalProperties: {}
+ type: object
+ type: object
+ outputs:
+ additionalProperties:
+ additionalProperties: true
+ properties:
+ ca_sha256:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ type: string
+ type: array
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ proxy_url:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ type: object
+ processors:
+ additionalProperties: {}
+ type: object
+ receivers:
+ additionalProperties: {}
+ type: object
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ type: array
+ service:
+ additionalProperties: false
+ properties:
+ extensions:
+ items:
+ type: string
+ type: array
+ pipelines:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ exporters:
+ items:
+ type: string
+ type: array
+ processors:
+ items:
+ type: string
+ type: array
+ receivers:
+ items:
+ type: string
+ type: array
+ type: object
+ x-oas-optional: true
+ type: object
+ type: object
+ signed:
+ additionalProperties: false
+ properties:
+ data:
+ type: string
+ signature:
+ type: string
+ required:
+ - data
+ - signature
+ type: object
+ required:
+ - id
+ - outputs
+ - inputs
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get a full agent policy
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
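Review bot: the `/api/fleet/agent_policies/{agentPolicyId}/full` GET documents only `"200"` and `"400"` responses, while the sibling `/download` operation for the same path parameter also documents `"404"` with `description: Not found.`; add the same 404 response here so a lookup of an unknown `agentPolicyId` has a documented outcome. Separately, the `protection` object in the 200 schema marks `signing_key` and `uninstall_token_hash` as required but gives neither a `description`; the field names suggest a verification key and a token hash, but the schema should say so explicitly so consumers know what they are handling.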
+ /api/fleet/agent_policies/{agentPolicyId}/outputs:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agent_policies/{agentPolicyId}/outputs
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of outputs associated with agent policy by policy id.
[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.
+ operationId: get-fleet-agent-policies-agentpolicyid-outputs
+ parameters:
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ agentPolicyId:
+ type: string
+ data:
+ additionalProperties: false
+ properties:
+ integrations:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ integrationPolicyName:
+ type: string
+ name:
+ type: string
+ pkgName:
+ type: string
+ type: object
+ type: array
+ output:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ type: object
+ required:
+ - output
+ type: object
+ monitoring:
+ additionalProperties: false
+ properties:
+ output:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ type: object
+ required:
+ - output
+ type: object
+ required:
+ - monitoring
+ - data
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get outputs for an agent policy
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agent_policies/delete:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agent_policies/delete
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete an agent policy by ID.
[Required authorization] Route required privileges: fleet-agent-policies-all.
+ operationId: post-fleet-agent-policies-delete
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ agentPolicyId:
+ type: string
+ force:
+ description: bypass validation checks that can prevent agent policy deletion
+ type: boolean
+ required:
+ - agentPolicyId
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete an agent policy
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
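Review bot: the `force` property on the delete request body (`description: bypass validation checks that can prevent agent policy deletion`) names no checks and is the only description in this block that starts lower-case; spell out which validations are bypassed so callers understand what they are skipping, and capitalize it to match the surrounding descriptions.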
+ /api/fleet/agent_policies/outputs:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agent_policies/outputs
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of outputs associated with agent policies.
[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.
+ operationId: post-fleet-agent-policies-outputs
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ ids:
+ description: list of package policy ids
+ items:
+ type: string
+ type: array
+ required:
+ - ids
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ agentPolicyId:
+ type: string
+ data:
+ additionalProperties: false
+ properties:
+ integrations:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ integrationPolicyName:
+ type: string
+ name:
+ type: string
+ pkgName:
+ type: string
+ type: object
+ type: array
+ output:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ type: object
+ required:
+ - output
+ type: object
+ monitoring:
+ additionalProperties: false
+ properties:
+ output:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ type: object
+ required:
+ - output
+ type: object
+ required:
+ - monitoring
+ - data
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get outputs for agent policies
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
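Review bot: the `ids` request-body property is described as `list of package policy ids`, but the operation is `post-fleet-agent-policies-outputs`, its summary is `Get outputs for agent policies`, and every returned item carries an `agentPolicyId`; the description should read "list of agent policy ids" (or, if package policy ids really are expected here, the response schema needs a description explaining the mapping).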
+ /api/fleet/agent_status:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agent_status
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: get-fleet-agent-status
+ parameters:
+ - in: query
+ name: policyId
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: policyIds
+ required: false
+ schema:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ results:
+ additionalProperties: false
+ properties:
+ active:
+ type: number
+ all:
+ type: number
+ error:
+ type: number
+ events:
+ type: number
+ inactive:
+ type: number
+ offline:
+ type: number
+ online:
+ type: number
+ orphaned:
+ type: number
+ other:
+ type: number
+ unenrolled:
+ type: number
+ uninstalled:
+ type: number
+ updating:
+ type: number
+ required:
+ - events
+ - online
+ - error
+ - offline
+ - other
+ - updating
+ - inactive
+ - unenrolled
+ - all
+ - active
+ type: object
+ required:
+ - results
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get an agent status summary
+ tags:
+ - Elastic Agent status
+ x-metaTags:
+ - content: Kibana
+ name: product_name
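Review bot: the `get-fleet-agent-status` description has no `[Required authorization] Route required privileges: ...` line, unlike the neighbouring Fleet operations in this file (for example `get-fleet-agent-status-data` directly below states `fleet-agents-read`); add the privilege line so the role needed to read the agent status summary is documented.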
+ /api/fleet/agent_status/data:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agent_status/data
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read.
+ operationId: get-fleet-agent-status-data
+ parameters:
+ - in: query
+ name: agentsIds
+ required: true
+ schema:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ - in: query
+ name: pkgName
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: previewData
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ dataPreview:
+ items: {}
+ type: array
+ items:
+ items:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ data:
+ type: boolean
+ required:
+ - data
+ type: object
+ type: object
+ type: array
+ required:
+ - items
+ - dataPreview
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get incoming agent data
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agentless_policies:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agentless_policies
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create an agentless policy
+ operationId: post-fleet-agentless-policies
+ parameters:
+ - description: The format of the response package policy.
+ in: query
+ name: format
+ required: false
+ schema:
+ default: simplified
+ enum:
+ - legacy
+ - simplified
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ description:
+ description: Policy description.
+ type: string
+ force:
+ description: Force package policy creation even if the package is not verified, or if the agent policy is managed.
+ type: boolean
+ id:
+ description: Policy unique identifier.
+ type: string
+ inputs:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that stream. Defaults to `true` (enabled).
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ x-omitempty: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Input streams. Refer to the integration documentation to know which streams are available.
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ x-omitempty: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
+ type: object
+ name:
+ description: Unique name for the policy.
+ type: string
+ namespace:
+ description: Policy namespace. When not specified, it inherits the agent policy namespace.
+ type: string
+ package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ x-omitempty: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ required:
+ - name
+ - package
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ description: The created agentless package policy.
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ agents:
+ type: number
+ cloud_connector_id:
+ description: ID of the cloud connector associated with this package policy.
+ nullable: true
+ type: string
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ properties:
+ privileges:
+ additionalProperties: true
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ id:
+ description: Package policy unique identifier.
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: object
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: object
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that stream. Defaults to `true` (enabled).
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Input streams. Refer to the integration documentation to know which streams are available.
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
+ type: object
+ x-oas-optional: true
+ description: Package policy inputs.
+ is_managed:
+ type: boolean
+ name:
+ description: Unique name for the package policy.
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ type: object
+ package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ policy_id:
+ deprecated: true
+ description: ID of the agent policy which the package policy will be added to.
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: IDs of the agent policies which that package policy will be added to.
+ type: string
+ type: array
+ revision:
+ description: Package policy revision.
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ supports_cloud_connector:
+ default: false
+ description: Indicates whether the package policy supports cloud connectors.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ x-oas-optional: true
+ description: Package level variable.
+ version:
+ description: Package policy ES version.
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: object
+ required:
+ - item
+ type: object
+ description: Indicates a successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: Bad Request
+ "409":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: Conflict
+ summary: Create an agentless policy
+ tags:
+ - Fleet agentless policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.3.0
+ /api/fleet/agentless_policies/{policyId}:
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/agentless_policies/{policyId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete an agentless policy
+ operationId: delete-fleet-agentless-policies-policyid
+ parameters:
+ - description: The ID of the policy to delete.
+ in: path
+ name: policyId
+ required: true
+ schema:
+ type: string
+ - description: Force delete the policy even if the policy is managed.
+ in: query
+ name: force
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Response for deleting an agentless package policy.
+ properties:
+ id:
+ description: The ID of the deleted agentless package policy.
+ type: string
+ required:
+ - id
+ type: object
+ description: Indicates a successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: Bad Request
+ "409":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: Conflict
+ summary: Delete an agentless policy
+ tags:
+ - Fleet agentless policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.3.0
+ /api/fleet/agents:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agents
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read.
+ operationId: get-fleet-agents
+ parameters:
+ - in: query
+ name: page
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ default: 20
+ type: number
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: showAgentless
+ required: false
+ schema:
+ default: true
+ type: boolean
+ - in: query
+ name: showInactive
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: withMetrics
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: showUpgradeable
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: getStatusSummary
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: sortField
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ - in: query
+ name: searchAfter
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: openPit
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: pitId
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: pitKeepAlive
+ required: false
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ access_api_key:
+ type: string
+ access_api_key_id:
+ type: string
+ active:
+ type: boolean
+ agent:
+ additionalProperties: true
+ properties:
+ id:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - version
+ type: object
+ audit_unenrolled_reason:
+ type: string
+ components:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ type: string
+ units:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ payload:
+ additionalProperties: {}
+ type: object
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ enum:
+ - input
+ - output
+ - ""
+ type: string
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: object
+ type: array
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: object
+ type: array
+ default_api_key:
+ type: string
+ default_api_key_history:
+ items:
+ additionalProperties: false
+ deprecated: true
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: object
+ type: array
+ default_api_key_id:
+ type: string
+ enrolled_at:
+ type: string
+ id:
+ type: string
+ last_checkin:
+ type: string
+ last_checkin_message:
+ type: string
+ last_checkin_status:
+ enum:
+ - error
+ - online
+ - degraded
+ - updating
+ - starting
+ type: string
+ last_known_status:
+ enum:
+ - offline
+ - error
+ - online
+ - inactive
+ - enrolling
+ - unenrolling
+ - unenrolled
+ - updating
+ - degraded
+ - uninstalled
+ - orphaned
+ type: string
+ local_metadata:
+ additionalProperties: {}
+ type: object
+ metrics:
+ additionalProperties: false
+ properties:
+ cpu_avg:
+ type: number
+ memory_size_byte_avg:
+ type: number
+ type: object
+ namespaces:
+ items:
+ type: string
+ type: array
+ outputs:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ api_key_id:
+ type: string
+ to_retire_api_key_ids:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: object
+ type: array
+ type:
+ type: string
+ type: object
+ type: object
+ packages:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ policy_revision:
+ nullable: true
+ type: number
+ sort:
+ items: {}
+ type: array
+ status:
+ enum:
+ - offline
+ - error
+ - online
+ - inactive
+ - enrolling
+ - unenrolling
+ - unenrolled
+ - updating
+ - degraded
+ - uninstalled
+ - orphaned
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ type:
+ enum:
+ - PERMANENT
+ - EPHEMERAL
+ - TEMPORARY
+ type: string
+ unenrolled_at:
+ type: string
+ unenrollment_started_at:
+ type: string
+ unhealthy_reason:
+ items:
+ enum:
+ - input
+ - output
+ - other
+ type: string
+ nullable: true
+ type: array
+ upgrade_attempts:
+ items:
+ type: string
+ nullable: true
+ type: array
+ upgrade_details:
+ additionalProperties: false
+ nullable: true
+ properties:
+ action_id:
+ type: string
+ metadata:
+ additionalProperties: false
+ properties:
+ download_percent:
+ type: number
+ download_rate:
+ type: number
+ error_msg:
+ type: string
+ failed_state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ retry_error_msg:
+ type: string
+ retry_until:
+ type: string
+ scheduled_at:
+ type: string
+ type: object
+ state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ target_version:
+ type: string
+ required:
+ - target_version
+ - action_id
+ - state
+ type: object
+ upgrade_started_at:
+ nullable: true
+ type: string
+ upgraded_at:
+ nullable: true
+ type: string
+ user_provided_metadata:
+ additionalProperties: {}
+ type: object
+ required:
+ - id
+ - packages
+ - type
+ - active
+ - enrolled_at
+ - local_metadata
+ type: object
+ type: array
+ nextSearchAfter:
+ type: string
+ page:
+ type: number
+ perPage:
+ type: number
+ pit:
+ type: string
+ statusSummary:
+ additionalProperties:
+ type: number
+ type: object
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get agents
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
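Review bot: the agent item schema in the `"200"` response of `get-fleet-agents` declares `access_api_key` and `default_api_key` as plain `type: string` properties next to their `*_id` counterparts, with no description saying whether they carry the key secret or a redacted value; since this route only requires `fleet-agents-read`, the spec should state which it is, and if these are secrets, consider dropping them from a list response (the same fields recur on the `get-fleet-agents-agentid` and `put-fleet-agents-agentid` item schemas). Minor: `kuery`, `openPit`, `pitId` and `pitKeepAlive` have no `description`, and `perPage` has a `default` but no `maximum`.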
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read.
+ operationId: post-fleet-agents
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ actionIds:
+ items:
+ type: string
+ type: array
+ required:
+ - actionIds
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ type: string
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get agents by action ids
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/{agentId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agents/{agentId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get an agent by ID.
[Required authorization] Route required privileges: fleet-agents-read.
+ operationId: get-fleet-agents-agentid
+ parameters:
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: withMetrics
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ access_api_key:
+ type: string
+ access_api_key_id:
+ type: string
+ active:
+ type: boolean
+ agent:
+ additionalProperties: true
+ properties:
+ id:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - version
+ type: object
+ audit_unenrolled_reason:
+ type: string
+ components:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ type: string
+ units:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ payload:
+ additionalProperties: {}
+ type: object
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ enum:
+ - input
+ - output
+ - ""
+ type: string
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: object
+ type: array
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: object
+ type: array
+ default_api_key:
+ type: string
+ default_api_key_history:
+ items:
+ additionalProperties: false
+ deprecated: true
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: object
+ type: array
+ default_api_key_id:
+ type: string
+ enrolled_at:
+ type: string
+ id:
+ type: string
+ last_checkin:
+ type: string
+ last_checkin_message:
+ type: string
+ last_checkin_status:
+ enum:
+ - error
+ - online
+ - degraded
+ - updating
+ - starting
+ type: string
+ last_known_status:
+ enum:
+ - offline
+ - error
+ - online
+ - inactive
+ - enrolling
+ - unenrolling
+ - unenrolled
+ - updating
+ - degraded
+ - uninstalled
+ - orphaned
+ type: string
+ local_metadata:
+ additionalProperties: {}
+ type: object
+ metrics:
+ additionalProperties: false
+ properties:
+ cpu_avg:
+ type: number
+ memory_size_byte_avg:
+ type: number
+ type: object
+ namespaces:
+ items:
+ type: string
+ type: array
+ outputs:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ api_key_id:
+ type: string
+ to_retire_api_key_ids:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: object
+ type: array
+ type:
+ type: string
+ type: object
+ type: object
+ packages:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ policy_revision:
+ nullable: true
+ type: number
+ sort:
+ items: {}
+ type: array
+ status:
+ enum:
+ - offline
+ - error
+ - online
+ - inactive
+ - enrolling
+ - unenrolling
+ - unenrolled
+ - updating
+ - degraded
+ - uninstalled
+ - orphaned
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ type:
+ enum:
+ - PERMANENT
+ - EPHEMERAL
+ - TEMPORARY
+ type: string
+ unenrolled_at:
+ type: string
+ unenrollment_started_at:
+ type: string
+ unhealthy_reason:
+ items:
+ enum:
+ - input
+ - output
+ - other
+ type: string
+ nullable: true
+ type: array
+ upgrade_attempts:
+ items:
+ type: string
+ nullable: true
+ type: array
+ upgrade_details:
+ additionalProperties: false
+ nullable: true
+ properties:
+ action_id:
+ type: string
+ metadata:
+ additionalProperties: false
+ properties:
+ download_percent:
+ type: number
+ download_rate:
+ type: number
+ error_msg:
+ type: string
+ failed_state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ retry_error_msg:
+ type: string
+ retry_until:
+ type: string
+ scheduled_at:
+ type: string
+ type: object
+ state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ target_version:
+ type: string
+ required:
+ - target_version
+ - action_id
+ - state
+ type: object
+ upgrade_started_at:
+ nullable: true
+ type: string
+ upgraded_at:
+ nullable: true
+ type: string
+ user_provided_metadata:
+ additionalProperties: {}
+ type: object
+ required:
+ - id
+ - packages
+ - type
+ - active
+ - enrolled_at
+ - local_metadata
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get an agent
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/agents/{agentId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update an agent by ID.
[Required authorization] Route required privileges: fleet-agents-all.
+ operationId: put-fleet-agents-agentid
+ parameters:
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ user_provided_metadata:
+ additionalProperties: {}
+ type: object
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ access_api_key:
+ type: string
+ access_api_key_id:
+ type: string
+ active:
+ type: boolean
+ agent:
+ additionalProperties: true
+ properties:
+ id:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - version
+ type: object
+ audit_unenrolled_reason:
+ type: string
+ components:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ type: string
+ units:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ payload:
+ additionalProperties: {}
+ type: object
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ enum:
+ - input
+ - output
+ - ""
+ type: string
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: object
+ type: array
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: object
+ type: array
+ default_api_key:
+ type: string
+ default_api_key_history:
+ items:
+ additionalProperties: false
+ deprecated: true
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: object
+ type: array
+ default_api_key_id:
+ type: string
+ enrolled_at:
+ type: string
+ id:
+ type: string
+ last_checkin:
+ type: string
+ last_checkin_message:
+ type: string
+ last_checkin_status:
+ enum:
+ - error
+ - online
+ - degraded
+ - updating
+ - starting
+ type: string
+ last_known_status:
+ enum:
+ - offline
+ - error
+ - online
+ - inactive
+ - enrolling
+ - unenrolling
+ - unenrolled
+ - updating
+ - degraded
+ - uninstalled
+ - orphaned
+ type: string
+ local_metadata:
+ additionalProperties: {}
+ type: object
+ metrics:
+ additionalProperties: false
+ properties:
+ cpu_avg:
+ type: number
+ memory_size_byte_avg:
+ type: number
+ type: object
+ namespaces:
+ items:
+ type: string
+ type: array
+ outputs:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ api_key_id:
+ type: string
+ to_retire_api_key_ids:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: object
+ type: array
+ type:
+ type: string
+ type: object
+ type: object
+ packages:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ policy_revision:
+ nullable: true
+ type: number
+ sort:
+ items: {}
+ type: array
+ status:
+ enum:
+ - offline
+ - error
+ - online
+ - inactive
+ - enrolling
+ - unenrolling
+ - unenrolled
+ - updating
+ - degraded
+ - uninstalled
+ - orphaned
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ type:
+ enum:
+ - PERMANENT
+ - EPHEMERAL
+ - TEMPORARY
+ type: string
+ unenrolled_at:
+ type: string
+ unenrollment_started_at:
+ type: string
+ unhealthy_reason:
+ items:
+ enum:
+ - input
+ - output
+ - other
+ type: string
+ nullable: true
+ type: array
+ upgrade_attempts:
+ items:
+ type: string
+ nullable: true
+ type: array
+ upgrade_details:
+ additionalProperties: false
+ nullable: true
+ properties:
+ action_id:
+ type: string
+ metadata:
+ additionalProperties: false
+ properties:
+ download_percent:
+ type: number
+ download_rate:
+ type: number
+ error_msg:
+ type: string
+ failed_state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ retry_error_msg:
+ type: string
+ retry_until:
+ type: string
+ scheduled_at:
+ type: string
+ type: object
+ state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ target_version:
+ type: string
+ required:
+ - target_version
+ - action_id
+ - state
+ type: object
+ upgrade_started_at:
+ nullable: true
+ type: string
+ upgraded_at:
+ nullable: true
+ type: string
+ user_provided_metadata:
+ additionalProperties: {}
+ type: object
+ required:
+ - id
+ - packages
+ - type
+ - active
+ - enrolled_at
+ - local_metadata
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Update an agent by ID
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/agents/{agentId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete an agent by ID.
[Required authorization] Route required privileges: fleet-agents-all.
+ operationId: delete-fleet-agents-agentid
+ parameters:
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ action:
+ enum:
+ - deleted
+ type: string
+ required:
+ - action
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete an agent
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/{agentId}/actions:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/{agentId}/actions
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-agentid-actions
+ parameters:
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ action:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ ack_data: {}
+ data: {}
+ type:
+ enum:
+ - UNENROLL
+ - UPGRADE
+ - POLICY_REASSIGN
+ type: string
+ required:
+ - type
+ - data
+ - ack_data
+ type: object
+ - additionalProperties: false
+ properties:
+ data:
+ additionalProperties: false
+ properties:
+ log_level:
+ enum:
+ - debug
+ - info
+ - warning
+ - error
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - log_level
+ type: object
+ type:
+ enum:
+ - SETTINGS
+ type: string
+ required:
+ - type
+ - data
+ type: object
+ required:
+ - action
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ ack_data: {}
+ agents:
+ items:
+ type: string
+ type: array
+ created_at:
+ type: string
+ data: {}
+ expiration:
+ type: string
+ id:
+ type: string
+ minimum_execution_duration:
+ type: number
+ namespaces:
+ items:
+ type: string
+ type: array
+ rollout_duration_seconds:
+ type: number
+ sent_at:
+ type: string
+ source_uri:
+ type: string
+ start_time:
+ type: string
+ total:
+ type: number
+ type:
+ type: string
+ required:
+ - id
+ - type
+ - data
+ - created_at
+ - ack_data
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Create an agent action
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/{agentId}/migrate:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/{agentId}/migrate
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Migrate a single agent to another cluster.
[Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-agentid-migrate
+ parameters:
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ enrollment_token:
+ type: string
+ settings:
+ additionalProperties: false
+ properties:
+ ca_sha256:
+ type: string
+ certificate_authorities:
+ type: string
+ elastic_agent_cert:
+ type: string
+ elastic_agent_cert_key:
+ type: string
+ elastic_agent_cert_key_passphrase:
+ type: string
+ headers:
+ additionalProperties:
+ type: string
+ type: object
+ insecure:
+ type: boolean
+ proxy_disabled:
+ type: boolean
+ proxy_headers:
+ additionalProperties:
+ type: string
+ type: object
+ proxy_url:
+ type: string
+ replace_token:
+ type: string
+ staging:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ type: object
+ uri:
+ format: uri
+ type: string
+ required:
+ - uri
+ - enrollment_token
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Migrate a single agent
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
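Review bot: in the `post-fleet-agents-agentid-migrate` request body, `enrollment_token`, `elastic_agent_cert_key` and `elastic_agent_cert_key_passphrase` are accepted as bare strings and `insecure` as a bare boolean, yet none of the `settings` properties has a `description`; the spec should say what `insecure` relaxes and whether the key material and token are persisted or logged with the action, since the `"200"` response returns only `actionId`. Style: `uri` is annotated `format: uri` but `proxy_url` is not.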
+ /api/fleet/agents/{agentId}/reassign:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/{agentId}/reassign
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-agentid-reassign
+ parameters:
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ policy_id:
+ type: string
+ required:
+ - policy_id
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties: {}
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Reassign an agent
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/{agentId}/request_diagnostics:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/{agentId}/request_diagnostics
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read.
+ operationId: post-fleet-agents-agentid-request-diagnostics
+ parameters:
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ nullable: true
+ properties:
+ additional_metrics:
+ items:
+ enum:
+ - CPU
+ type: string
+ type: array
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Request agent diagnostics
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/{agentId}/unenroll:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/{agentId}/unenroll
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-agentid-unenroll
+ parameters:
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ nullable: true
+ properties:
+ force:
+ type: boolean
+ revoke:
+ type: boolean
+ type: object
+ responses: {}
+ summary: Unenroll an agent
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
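Review bot: `post-fleet-agents-agentid-unenroll` declares `responses: {}` while every sibling operation in this file documents at least a `"200"` and a `"400"` Generic Error response; add the success and error schemas so clients can validate the result. The `force` and `revoke` request body flags also lack descriptions, and `revoke` is the one a caller most needs explained.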
+ /api/fleet/agents/{agentId}/upgrade:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/{agentId}/upgrade
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-agentid-upgrade
+ parameters:
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ force:
+ type: boolean
+ skipRateLimitCheck:
+ type: boolean
+ source_uri:
+ type: string
+ version:
+ type: string
+ required:
+ - version
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties: {}
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Upgrade an agent
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/{agentId}/uploads:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agents/{agentId}/uploads
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read.
+ operationId: get-fleet-agents-agentid-uploads
+ parameters:
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ actionId:
+ type: string
+ createTime:
+ type: string
+ error:
+ type: string
+ filePath:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ status:
+ enum:
+ - READY
+ - AWAITING_UPLOAD
+ - DELETED
+ - EXPIRED
+ - IN_PROGRESS
+ - FAILED
+ type: string
+ required:
+ - id
+ - name
+ - filePath
+ - createTime
+ - status
+ - actionId
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get agent uploads
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/action_status:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agents/action_status
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read.
+ operationId: get-fleet-agents-action-status
+ parameters:
+ - in: query
+ name: page
+ required: false
+ schema:
+ default: 0
+ type: number
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ default: 20
+ type: number
+ - in: query
+ name: date
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: latest
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: errorSize
+ required: false
+ schema:
+ default: 5
+ type: number
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ actionId:
+ type: string
+ cancellationTime:
+ type: string
+ completionTime:
+ type: string
+ creationTime:
+ description: creation time of action
+ type: string
+ expiration:
+ type: string
+ hasRolloutPeriod:
+ type: boolean
+ is_automatic:
+ type: boolean
+ latestErrors:
+ items:
+ additionalProperties: false
+ description: latest errors that happened when the agents executed the action
+ properties:
+ agentId:
+ type: string
+ error:
+ type: string
+ hostname:
+ type: string
+ timestamp:
+ type: string
+ required:
+ - agentId
+ - error
+ - timestamp
+ type: object
+ type: array
+ nbAgentsAck:
+ description: number of agents that acknowledged the action
+ type: number
+ nbAgentsActionCreated:
+ description: number of agents included in action from kibana
+ type: number
+ nbAgentsActioned:
+ description: number of agents actioned
+ type: number
+ nbAgentsFailed:
+ description: number of agents that failed to execute the action
+ type: number
+ newPolicyId:
+ description: new policy id (POLICY_REASSIGN action)
+ type: string
+ policyId:
+ description: policy id (POLICY_CHANGE action)
+ type: string
+ revision:
+ description: new policy revision (POLICY_CHANGE action)
+ type: number
+ startTime:
+ description: start time of action (scheduled actions)
+ type: string
+ status:
+ enum:
+ - COMPLETE
+ - EXPIRED
+ - CANCELLED
+ - FAILED
+ - IN_PROGRESS
+ - ROLLOUT_PASSED
+ type: string
+ type:
+ enum:
+ - UPGRADE
+ - UNENROLL
+ - SETTINGS
+ - POLICY_REASSIGN
+ - CANCEL
+ - FORCE_UNENROLL
+ - REQUEST_DIAGNOSTICS
+ - UPDATE_TAGS
+ - POLICY_CHANGE
+ - INPUT_ACTION
+ - MIGRATE
+ - PRIVILEGE_LEVEL_CHANGE
+ type: string
+ version:
+ description: agent version number (UPGRADE action)
+ type: string
+ required:
+ - actionId
+ - nbAgentsActionCreated
+ - nbAgentsAck
+ - nbAgentsFailed
+ - type
+ - nbAgentsActioned
+ - status
+ - creationTime
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get an agent action status
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/actions/{actionId}/cancel:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/actions/{actionId}/cancel
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-actions-actionid-cancel
+ parameters:
+ - in: path
+ name: actionId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ ack_data: {}
+ agents:
+ items:
+ type: string
+ type: array
+ created_at:
+ type: string
+ data: {}
+ expiration:
+ type: string
+ id:
+ type: string
+ minimum_execution_duration:
+ type: number
+ namespaces:
+ items:
+ type: string
+ type: array
+ rollout_duration_seconds:
+ type: number
+ sent_at:
+ type: string
+ source_uri:
+ type: string
+ start_time:
+ type: string
+ total:
+ type: number
+ type:
+ type: string
+ required:
+ - id
+ - type
+ - data
+ - created_at
+ - ack_data
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Cancel an agent action
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/available_versions:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agents/available_versions
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read.
+ operationId: get-fleet-agents-available-versions
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ type: string
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get available agent versions
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/bulk_migrate:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/bulk_migrate
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Bulk migrate agents to another cluster.
[Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-bulk-migrate
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ agents:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ batchSize:
+ type: number
+ enrollment_token:
+ type: string
+ settings:
+ additionalProperties: false
+ properties:
+ ca_sha256:
+ type: string
+ certificate_authorities:
+ type: string
+ elastic_agent_cert:
+ type: string
+ elastic_agent_cert_key:
+ type: string
+ elastic_agent_cert_key_passphrase:
+ type: string
+ headers:
+ additionalProperties:
+ type: string
+ type: object
+ insecure:
+ type: boolean
+ proxy_disabled:
+ type: boolean
+ proxy_headers:
+ additionalProperties:
+ type: string
+ type: object
+ proxy_url:
+ type: string
+ staging:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ type: object
+ uri:
+ format: uri
+ type: string
+ required:
+ - agents
+ - uri
+ - enrollment_token
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Migrate multiple agents
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/bulk_reassign:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/bulk_reassign
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-bulk-reassign
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ agents:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ batchSize:
+ type: number
+ includeInactive:
+ default: false
+ type: boolean
+ policy_id:
+ type: string
+ required:
+ - policy_id
+ - agents
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk reassign agents
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/bulk_request_diagnostics:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/bulk_request_diagnostics
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read.
+ operationId: post-fleet-agents-bulk-request-diagnostics
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ additional_metrics:
+ items:
+ enum:
+ - CPU
+ type: string
+ type: array
+ agents:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ batchSize:
+ type: number
+ required:
+ - agents
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk request diagnostics from agents
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/bulk_unenroll:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/bulk_unenroll
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-bulk-unenroll
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ agents:
+ anyOf:
+ - items:
+ description: KQL query string, leave empty to action all agents
+ type: string
+ type: array
+ - description: list of agent IDs
+ type: string
+ batchSize:
+ type: number
+ force:
+ description: Unenrolls hosted agents too
+ type: boolean
+ includeInactive:
+ description: When passing agents by KQL query, unenrolls inactive agents too
+ type: boolean
+ revoke:
+ description: Revokes API keys of agents
+ type: boolean
+ required:
+ - agents
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk unenroll agents
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/bulk_update_agent_tags:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/bulk_update_agent_tags
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-bulk-update-agent-tags
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ agents:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ batchSize:
+ type: number
+ includeInactive:
+ default: false
+ type: boolean
+ tagsToAdd:
+ items:
+ type: string
+ type: array
+ tagsToRemove:
+ items:
+ type: string
+ type: array
+ required:
+ - agents
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk update agent tags
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/bulk_upgrade:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/bulk_upgrade
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-agents-bulk-upgrade
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ agents:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ batchSize:
+ type: number
+ force:
+ type: boolean
+ includeInactive:
+ default: false
+ type: boolean
+ rollout_duration_seconds:
+ minimum: 600
+ type: number
+ skipRateLimitCheck:
+ type: boolean
+ source_uri:
+ type: string
+ start_time:
+ type: string
+ version:
+ type: string
+ required:
+ - agents
+ - version
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk upgrade agents
+ tags:
+ - Elastic Agent actions
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/files/{fileId}:
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/agents/files/{fileId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a file uploaded by an agent.
[Required authorization] Route required privileges: fleet-agents-all.
+ operationId: delete-fleet-agents-files-fileid
+ parameters:
+ - in: path
+ name: fileId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ deleted:
+ type: boolean
+ id:
+ type: string
+ required:
+ - id
+ - deleted
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete an uploaded file
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/files/{fileId}/{fileName}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agents/files/{fileId}/{fileName}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a file uploaded by an agent.
[Required authorization] Route required privileges: fleet-agents-read.
+ operationId: get-fleet-agents-files-fileid-filename
+ parameters:
+ - in: path
+ name: fileId
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: fileName
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get an uploaded file
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/setup:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agents/setup
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
+ operationId: get-fleet-agents-setup
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing.
+ properties:
+ is_action_secrets_storage_enabled:
+ type: boolean
+ is_secrets_storage_enabled:
+ type: boolean
+ is_space_awareness_enabled:
+ type: boolean
+ isReady:
+ type: boolean
+ missing_optional_features:
+ items:
+ enum:
+ - encrypted_saved_object_encryption_key_required
+ type: string
+ type: array
+ missing_requirements:
+ items:
+ enum:
+ - security_required
+ - tls_required
+ - api_keys
+ - fleet_admin_user
+ - fleet_server
+ type: string
+ type: array
+ package_verification_key_id:
+ type: string
+ required:
+ - isReady
+ - missing_requirements
+ - missing_optional_features
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get agent setup info
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/agents/setup
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
+ operationId: post-fleet-agents-setup
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.
+ properties:
+ isInitialized:
+ type: boolean
+ nonFatalErrors:
+ items:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - message
+ type: object
+ type: array
+ required:
+ - isInitialized
+ - nonFatalErrors
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Initiate agent setup
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/agents/tags:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/agents/tags
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read.
+ operationId: get-fleet-agents-tags
+ parameters:
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: showInactive
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ type: string
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get agent tags
+ tags:
+ - Elastic Agents
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/check-permissions:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/check-permissions
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: get-fleet-check-permissions
+ parameters:
+ - in: query
+ name: fleetServerSetup
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ error:
+ enum:
+ - MISSING_SECURITY
+ - MISSING_PRIVILEGES
+ - MISSING_FLEET_SERVER_SETUP_PRIVILEGES
+ type: string
+ success:
+ type: boolean
+ required:
+ - success
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Check permissions
+ tags:
+ - Fleet internals
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/cloud_connectors:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/cloud_connectors
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.
+ operationId: get-fleet-cloud-connectors
+ parameters:
+ - description: The page number for pagination.
+ in: query
+ name: page
+ required: false
+ schema:
+ type: string
+ - description: The number of items per page.
+ in: query
+ name: perPage
+ required: false
+ schema:
+ type: string
+ - description: KQL query to filter cloud connectors.
+ in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ cloudProvider:
+ type: string
+ created_at:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ packagePolicyCount:
+ type: number
+ updated_at:
+ type: string
+ vars:
+ additionalProperties: {}
+ type: object
+ required:
+ - id
+ - name
+ - cloudProvider
+ - vars
+ - packagePolicyCount
+ - created_at
+ - updated_at
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get cloud connectors
+ tags:
+ - Fleet cloud connectors
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.2.0
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/cloud_connectors
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.
+ operationId: post-fleet-cloud-connectors
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ cloudProvider:
+ description: 'The cloud provider type: aws, azure, or gcp.'
+ enum:
+ - aws
+ - azure
+ - gcp
+ type: string
+ name:
+ description: The name of the cloud connector.
+ maxLength: 255
+ minLength: 1
+ type: string
+ vars:
+ additionalProperties:
+ anyOf:
+ - maxLength: 1000
+ type: string
+ - type: number
+ - type: boolean
+ - additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ maxLength: 50
+ type: string
+ value:
+ anyOf:
+ - maxLength: 1000
+ type: string
+ - additionalProperties: false
+ properties:
+ id:
+ maxLength: 255
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - isSecretRef
+ - id
+ type: object
+ required:
+ - type
+ - value
+ type: object
+ type: object
+ required:
+ - name
+ - cloudProvider
+ - vars
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ cloudProvider:
+ type: string
+ created_at:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ packagePolicyCount:
+ type: number
+ updated_at:
+ type: string
+ vars:
+ additionalProperties: {}
+ type: object
+ required:
+ - id
+ - name
+ - cloudProvider
+ - vars
+ - packagePolicyCount
+ - created_at
+ - updated_at
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Create cloud connector
+ tags:
+ - Fleet cloud connectors
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.2.0
+ /api/fleet/cloud_connectors/{cloudConnectorId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-read OR integrations-read.
+ operationId: get-fleet-cloud-connectors-cloudconnectorid
+ parameters:
+ - description: The unique identifier of the cloud connector.
+ in: path
+ name: cloudConnectorId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ cloudProvider:
+ type: string
+ created_at:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ packagePolicyCount:
+ type: number
+ updated_at:
+ type: string
+ vars:
+ additionalProperties: {}
+ type: object
+ required:
+ - id
+ - name
+ - cloudProvider
+ - vars
+ - packagePolicyCount
+ - created_at
+ - updated_at
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get cloud connector
+ tags:
+ - Fleet cloud connectors
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.2.0
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.
+ operationId: put-fleet-cloud-connectors-cloudconnectorid
+ parameters:
+ - description: The unique identifier of the cloud connector to update.
+ in: path
+ name: cloudConnectorId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ name:
+ description: The name of the cloud connector.
+ maxLength: 255
+ minLength: 1
+ type: string
+ vars:
+ additionalProperties:
+ anyOf:
+ - maxLength: 1000
+ type: string
+ - type: number
+ - type: boolean
+ - additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ maxLength: 50
+ type: string
+ value:
+ anyOf:
+ - maxLength: 1000
+ type: string
+ - additionalProperties: false
+ properties:
+ id:
+ maxLength: 255
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - isSecretRef
+ - id
+ type: object
+ required:
+ - type
+ - value
+ type: object
+ type: object
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ cloudProvider:
+ type: string
+ created_at:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ namespace:
+ type: string
+ packagePolicyCount:
+ type: number
+ updated_at:
+ type: string
+ vars:
+ additionalProperties: {}
+ type: object
+ required:
+ - id
+ - name
+ - cloudProvider
+ - vars
+ - packagePolicyCount
+ - created_at
+ - updated_at
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Update cloud connector
+ tags:
+ - Fleet cloud connectors
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.2.0
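Review bot: the 200 response of `put-fleet-cloud-connectors-cloudconnectorid` declares `vars` as `additionalProperties: {}` with no schema, while the request body's `vars` entries may carry either a plain string value (up to 1000 characters) or a secret reference (`isSecretRef` plus `id`). As written, a client cannot tell from the spec whether the returned `vars` echoes secret material in clear or only the reference; state that in a `description` on the response `vars`, or reuse the request-side `vars` shape so the response is typed the same way.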
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/cloud_connectors/{cloudConnectorId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-all OR integrations-all.
+ operationId: delete-fleet-cloud-connectors-cloudconnectorid
+ parameters:
+ - description: The unique identifier of the cloud connector to delete.
+ in: path
+ name: cloudConnectorId
+ required: true
+ schema:
+ type: string
+ - description: If true, forces deletion even if the cloud connector is in use.
+ in: query
+ name: force
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete cloud connector (supports force deletion)
+ tags:
+ - Fleet cloud connectors
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.2.0
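Review bot: the `force` query parameter on `delete-fleet-cloud-connectors-cloudconnectorid` is described only as "forces deletion even if the cloud connector is in use", but the hunk does not say what happens to the package policies that reference the connector (the GET response exposes `packagePolicyCount`) or what the non-forced call returns when the connector is in use; the only documented error is the generic 400. Spelling out the in-use failure (its status and message) and the effect of `force: true` on dependent policies lets operators handle the conflict deliberately rather than defaulting to `force`.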
+ /api/fleet/data_streams:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/data_streams
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.
+ operationId: get-fleet-data-streams
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ data_streams:
+ items:
+ additionalProperties: false
+ properties:
+ dashboards:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ title:
+ type: string
+ required:
+ - id
+ - title
+ type: object
+ type: array
+ dataset:
+ type: string
+ index:
+ type: string
+ last_activity_ms:
+ type: number
+ namespace:
+ type: string
+ package:
+ type: string
+ package_version:
+ type: string
+ serviceDetails:
+ additionalProperties: false
+ nullable: true
+ properties:
+ environment:
+ type: string
+ serviceName:
+ type: string
+ required:
+ - environment
+ - serviceName
+ type: object
+ size_in_bytes:
+ type: number
+ size_in_bytes_formatted:
+ anyOf:
+ - type: number
+ - type: string
+ type:
+ type: string
+ required:
+ - index
+ - dataset
+ - namespace
+ - type
+ - package
+ - package_version
+ - last_activity_ms
+ - size_in_bytes
+ - size_in_bytes_formatted
+ - dashboards
+ - serviceDetails
+ type: object
+ type: array
+ required:
+ - data_streams
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get data streams
+ tags:
+ - Data streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
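Review bot: `get-fleet-data-streams` is a read-only listing, yet its description requires `fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all`, three write-level privileges, whereas the read routes later in this patch (for example `get-fleet-epm-categories`) accept `integrations-read`. If the route genuinely needs write privileges, say why in the description; otherwise a read-level requirement would match least privilege and avoid granting write access to users who only need to inspect data streams.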
+ /api/fleet/enrollment_api_keys:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/enrollment_api_keys
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.
+ operationId: get-fleet-enrollment-api-keys
+ parameters:
+ - in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ type: number
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ default: 20
+ type: number
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ $ref: '#/components/schemas/enrollment_api_key'
+ type: array
+ list:
+ deprecated: true
+ items:
+ additionalProperties: false
+ properties:
+ active:
+ description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
+ type: boolean
+ api_key:
+ description: The enrollment API key (token) used for enrolling Elastic Agents.
+ type: string
+ api_key_id:
+ description: The ID of the API key in the Security API.
+ type: string
+ created_at:
+ type: string
+ hidden:
+ type: boolean
+ id:
+ type: string
+ name:
+ description: The name of the enrollment API key.
+ type: string
+ policy_id:
+ description: The ID of the agent policy the Elastic Agent will be enrolled in.
+ type: string
+ required:
+ - id
+ - api_key_id
+ - api_key
+ - active
+ - created_at
+ type: object
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ - list
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get enrollment API keys
+ tags:
+ - Fleet enrollment API keys
+ x-metaTags:
+ - content: Kibana
+ name: product_name
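Review bot: in `get-fleet-enrollment-api-keys` the `list` response property is marked `deprecated: true` but is still listed under `required`, and each of its entries carries the raw `api_key` token, so every listing response keeps returning all enrollment tokens in a field clients are told not to use; make `list` optional so it can be dropped. Separately, the `page` and `perPage` query parameters are `type: number` with no `minimum`, which admits fractional, zero and negative values; `type: integer` with a `minimum` would match what the server can actually honour.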
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/enrollment_api_keys
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-enrollment-api-keys
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ expiration:
+ type: string
+ name:
+ type: string
+ policy_id:
+ type: string
+ required:
+ - policy_id
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ action:
+ enum:
+ - created
+ type: string
+ item:
+ additionalProperties: false
+ properties:
+ active:
+ description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
+ type: boolean
+ api_key:
+ description: The enrollment API key (token) used for enrolling Elastic Agents.
+ type: string
+ api_key_id:
+ description: The ID of the API key in the Security API.
+ type: string
+ created_at:
+ type: string
+ hidden:
+ type: boolean
+ id:
+ type: string
+ name:
+ description: The name of the enrollment API key.
+ type: string
+ policy_id:
+ description: The ID of the agent policy the Elastic Agent will be enrolled in.
+ type: string
+ required:
+ - id
+ - api_key_id
+ - api_key
+ - active
+ - created_at
+ type: object
+ required:
+ - item
+ - action
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Create an enrollment API key
+ tags:
+ - Fleet enrollment API keys
+ x-metaTags:
+ - content: Kibana
+ name: product_name
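Review bot: the `expiration` request property of `post-fleet-enrollment-api-keys` is a bare `type: string` with no `format`, `pattern` or description, so callers cannot tell whether it takes a timestamp or a duration, and the `name` property is likewise undocumented; add descriptions (and a `format` for `expiration`) so that key lifetimes are set intentionally rather than by trial and error. The 200 response also returns the `api_key` token, which the `description` on that property already states; consider saying in the operation description that this is the only time the token is shown if that is the intended behaviour.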
+ /api/fleet/enrollment_api_keys/{keyId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get an enrollment API key by ID.
[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.
+ operationId: get-fleet-enrollment-api-keys-keyid
+ parameters:
+ - in: path
+ name: keyId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ active:
+ description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
+ type: boolean
+ api_key:
+ description: The enrollment API key (token) used for enrolling Elastic Agents.
+ type: string
+ api_key_id:
+ description: The ID of the API key in the Security API.
+ type: string
+ created_at:
+ type: string
+ hidden:
+ type: boolean
+ id:
+ type: string
+ name:
+ description: The name of the enrollment API key.
+ type: string
+ policy_id:
+ description: The ID of the agent policy the Elastic Agent will be enrolled in.
+ type: string
+ required:
+ - id
+ - api_key_id
+ - api_key
+ - active
+ - created_at
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get an enrollment API key
+ tags:
+ - Fleet enrollment API keys
+ x-metaTags:
+ - content: Kibana
+ name: product_name
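Review bot: in the description of `get-fleet-enrollment-api-keys-keyid`, the sentence "Get an enrollment API key by ID." runs straight into `[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.` without the blank line every other operation in this patch puts before the authorization note, and that second line also appears without the `+` diff prefix; check that the line is really part of the change and restore the blank line so the rendered description keeps the note on its own paragraph. The delete operation for the same path has the identical problem.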
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/enrollment_api_keys/{keyId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Revoke an enrollment API key by ID by marking it as inactive.
[Required authorization] Route required privileges: fleet-agents-all.
+ operationId: delete-fleet-enrollment-api-keys-keyid
+ parameters:
+ - in: path
+ name: keyId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ action:
+ enum:
+ - deleted
+ type: string
+ required:
+ - action
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Revoke an enrollment API key
+ tags:
+ - Fleet enrollment API keys
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/bulk_assets:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/bulk_assets
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
+ operationId: post-fleet-epm-bulk-assets
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ assetIds:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ type:
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ required:
+ - assetIds
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ appLink:
+ type: string
+ attributes:
+ additionalProperties: false
+ properties:
+ description:
+ type: string
+ service:
+ type: string
+ title:
+ type: string
+ type: object
+ id:
+ type: string
+ type:
+ type: string
+ updatedAt:
+ type: string
+ required:
+ - id
+ - type
+ - attributes
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk get assets
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/categories:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/categories
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
+ operationId: get-fleet-epm-categories
+ parameters:
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: include_policy_templates
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ count:
+ type: number
+ id:
+ type: string
+ parent_id:
+ type: string
+ parent_title:
+ type: string
+ title:
+ type: string
+ required:
+ - id
+ - title
+ - count
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get package categories
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/custom_integrations:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/custom_integrations
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: post-fleet-epm-custom-integrations
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ datasets:
+ items:
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ type:
+ enum:
+ - logs
+ - metrics
+ - traces
+ - synthetics
+ - profiling
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ type: array
+ force:
+ type: boolean
+ integrationName:
+ type: string
+ required:
+ - integrationName
+ - datasets
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ _meta:
+ additionalProperties: false
+ properties:
+ install_source:
+ type: string
+ name:
+ type: string
+ required:
+ - install_source
+ - name
+ type: object
+ items:
+ items:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ - knowledge_base
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ required:
+ - items
+ - _meta
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Create a custom integration
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/custom_integrations/{pkgName}:
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/epm/custom_integrations/{pkgName}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-all AND integrations-all.
+ operationId: put-fleet-epm-custom-integrations-pkgname
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ categories:
+ items:
+ type: string
+ type: array
+ readMeData:
+ type: string
+ required:
+ - readMeData
+ type: object
+ responses:
+ "200":
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Update a custom integration
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
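Review bot: `put-fleet-epm-custom-integrations-pkgname` accepts `readMeData` as an unbounded `type: string` and `categories` as an unbounded array of unbounded strings, with no `maxLength`, `maxItems` or description, whereas the create route bounds nothing either but at least enumerates dataset types; add size limits (and a description of the expected README format) so oversized payloads are rejected at validation rather than stored. Note also that this route requires `fleet-settings-all AND integrations-all` while the create route requires `integrations-all AND fleet-agent-policies-all`; if the difference is intentional, a short note in the description would save readers from assuming a typo.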
+ /api/fleet/epm/data_streams:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/data_streams
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
+ operationId: get-fleet-epm-data-streams
+ parameters:
+ - in: query
+ name: type
+ required: false
+ schema:
+ enum:
+ - logs
+ - metrics
+ - traces
+ - synthetics
+ - profiling
+ type: string
+ - in: query
+ name: datasetQuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ default: asc
+ enum:
+ - asc
+ - desc
+ type: string
+ - in: query
+ name: uncategorisedOnly
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get data streams
+ tags:
+ - Data streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/packages
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
+ operationId: get-fleet-epm-packages
+ parameters:
+ - in: query
+ name: category
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: excludeInstallStatus
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: withPackagePoliciesCount
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ $ref: '#/components/schemas/package_list_item'
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get packages
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/packages
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: post-fleet-epm-packages
+ parameters:
+ - in: query
+ name: ignoreMappingUpdateErrors
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: skipDataStreamRollover
+ required: false
+ schema:
+ default: false
+ type: boolean
+ requestBody:
+ content:
+ application/gzip:
+ schema:
+ format: binary
+ type: string
+ responses:
+ "200":
+ content:
+ application/gzip:
+ schema:
+ additionalProperties: false
+ properties:
+ _meta:
+ additionalProperties: false
+ properties:
+ install_source:
+ type: string
+ name:
+ type: string
+ required:
+ - install_source
+ - name
+ type: object
+ items:
+ items:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ - knowledge_base
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ required:
+ - items
+ - _meta
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/gzip:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Install a package by upload
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
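Review bot: the 200 and 400 responses of `post-fleet-epm-packages` declare their content type as `application/gzip`, but the schemas beneath them are plain JSON objects (`_meta`, `items`, and the `Generic Error` shape). Only the request body is a gzip upload (`format: binary`); the responses should use `application/json` like every other route in this patch, otherwise generated clients will try to decompress a JSON body.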
+ /api/fleet/epm/packages/_bulk:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/packages/_bulk
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: post-fleet-epm-packages-bulk
+ parameters:
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ force:
+ default: false
+ type: boolean
+ packages:
+ items:
+ anyOf:
+ - type: string
+ - additionalProperties: false
+ properties:
+ name:
+ type: string
+ prerelease:
+ type: boolean
+ version:
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ minItems: 1
+ type: array
+ required:
+ - packages
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ name:
+ type: string
+ result:
+ additionalProperties: false
+ properties:
+ assets:
+ items:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ - knowledge_base
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ error: {}
+ installSource:
+ type: string
+ installType:
+ type: string
+ status:
+ enum:
+ - installed
+ - already_installed
+ type: string
+ required:
+ - error
+ - installType
+ type: object
+ version:
+ type: string
+ required:
+ - name
+ - version
+ - result
+ type: object
+ - additionalProperties: false
+ properties:
+ error:
+ anyOf:
+ - type: string
+ - {}
+ name:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - name
+ - statusCode
+ - error
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk install packages
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/_bulk_rollback:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/packages/_bulk_rollback
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: post-fleet-epm-packages-bulk-rollback
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ packages:
+ items:
+ additionalProperties: false
+ properties:
+ name:
+ description: Package name to rollback
+ type: string
+ required:
+ - name
+ type: object
+ minItems: 1
+ type: array
+ required:
+ - packages
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ taskId:
+ type: string
+ required:
+ - taskId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk rollback packages
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/_bulk_rollback/{taskId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/packages/_bulk_rollback/{taskId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: get-fleet-epm-packages-bulk-rollback-taskid
+ parameters:
+ - description: Task ID of the bulk operation
+ in: path
+ name: taskId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ error:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ results:
+ items:
+ additionalProperties: false
+ properties:
+ error:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ name:
+ type: string
+ success:
+ type: boolean
+ required:
+ - name
+ - success
+ type: object
+ type: array
+ status:
+ type: string
+ required:
+ - status
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get Bulk rollback packages details
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
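Review bot: the summary `Get Bulk rollback packages details` capitalises "Bulk" mid-sentence, unlike `Bulk rollback packages` on the companion POST route, and the 200 response's top-level `status` is a free `type: string` with no `enum` or description, so clients polling `get-fleet-epm-packages-bulk-rollback-taskid` cannot tell from the spec which values mean the task is still running, finished, or failed. Enumerating `status` (and fixing the summary) would make the polling loop unambiguous; the same applies to the bulk uninstall task route below, which shares this response shape.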
+ /api/fleet/epm/packages/_bulk_uninstall:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: post-fleet-epm-packages-bulk-uninstall
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ force:
+ default: false
+ type: boolean
+ packages:
+ items:
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ minItems: 1
+ type: array
+ required:
+ - packages
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ taskId:
+ type: string
+ required:
+ - taskId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk uninstall packages
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/_bulk_uninstall/{taskId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/packages/_bulk_uninstall/{taskId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: get-fleet-epm-packages-bulk-uninstall-taskid
+ parameters:
+ - description: Task ID of the bulk operation
+ in: path
+ name: taskId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ error:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ results:
+ items:
+ additionalProperties: false
+ properties:
+ error:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ name:
+ type: string
+ success:
+ type: boolean
+ required:
+ - name
+ - success
+ type: object
+ type: array
+ status:
+ type: string
+ required:
+ - status
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get Bulk uninstall packages details
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/_bulk_upgrade:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: post-fleet-epm-packages-bulk-upgrade
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ force:
+ default: false
+ type: boolean
+ packages:
+ items:
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ type: object
+ minItems: 1
+ type: array
+ prerelease:
+ type: boolean
+ upgrade_package_policies:
+ default: false
+ type: boolean
+ required:
+ - packages
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ taskId:
+ type: string
+ required:
+ - taskId
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk upgrade packages
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/_bulk_upgrade/{taskId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/packages/_bulk_upgrade/{taskId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: get-fleet-epm-packages-bulk-upgrade-taskid
+ parameters:
+ - description: Task ID of the bulk operation
+ in: path
+ name: taskId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ error:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ results:
+ items:
+ additionalProperties: false
+ properties:
+ error:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ name:
+ type: string
+ success:
+ type: boolean
+ required:
+ - name
+ - success
+ type: object
+ type: array
+ status:
+ type: string
+ required:
+ - status
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get Bulk upgrade packages details
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/{pkgName}/{pkgVersion}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: get-fleet-epm-packages-pkgname-pkgversion
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: ignoreUnverified
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: full
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: withMetadata
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/package_info'
+ metadata:
+ additionalProperties: false
+ properties:
+ has_policies:
+ type: boolean
+ required:
+ - has_policies
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get a package
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: post-fleet-epm-packages-pkgname-pkgversion
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: ignoreMappingUpdateErrors
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: skipDataStreamRollover
+ required: false
+ schema:
+ default: false
+ type: boolean
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ nullable: true
+ properties:
+ force:
+ default: false
+ type: boolean
+ ignore_constraints:
+ default: false
+ type: boolean
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ _meta:
+ additionalProperties: false
+ properties:
+ install_source:
+ type: string
+ name:
+ type: string
+ required:
+ - install_source
+ - name
+ type: object
+ items:
+ items:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ - knowledge_base
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ required:
+ - items
+ - _meta
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Install a package from the registry
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: put-fleet-epm-packages-pkgname-pkgversion
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ keepPoliciesUpToDate:
+ type: boolean
+ required:
+ - keepPoliciesUpToDate
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: true
+ properties:
+ agent:
+ additionalProperties: false
+ properties:
+ privileges:
+ additionalProperties: false
+ properties:
+ root:
+ type: boolean
+ type: object
+ type: object
+ asset_tags:
+ items:
+ additionalProperties: false
+ properties:
+ asset_ids:
+ items:
+ type: string
+ type: array
+ asset_types:
+ items:
+ type: string
+ type: array
+ text:
+ type: string
+ required:
+ - text
+ type: object
+ type: array
+ assets:
+ additionalProperties: {}
+ type: object
+ categories:
+ items:
+ type: string
+ type: array
+ conditions:
+ additionalProperties: true
+ properties:
+ elastic:
+ additionalProperties: true
+ properties:
+ capabilities:
+ items:
+ type: string
+ type: array
+ subscription:
+ type: string
+ type: object
+ kibana:
+ additionalProperties: true
+ properties:
+ version:
+ type: string
+ type: object
+ type: object
+ data_streams:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ description:
+ type: string
+ discovery:
+ additionalProperties: true
+ properties:
+ datasets:
+ items:
+ additionalProperties: true
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ fields:
+ items:
+ additionalProperties: true
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ type: object
+ download:
+ type: string
+ elasticsearch:
+ additionalProperties: {}
+ type: object
+ format_version:
+ type: string
+ icons:
+ items:
+ additionalProperties: true
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: object
+ type: array
+ installationInfo:
+ additionalProperties: true
+ properties:
+ additional_spaces_installed_kibana:
+ additionalProperties:
+ items:
+ additionalProperties: true
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ type: object
+ created_at:
+ type: string
+ experimental_data_stream_features:
+ items:
+ additionalProperties: true
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: true
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ install_format_schema_version:
+ type: string
+ install_source:
+ enum:
+ - registry
+ - upload
+ - bundled
+ - custom
+ type: string
+ install_status:
+ enum:
+ - installed
+ - installing
+ - install_failed
+ type: string
+ installed_es:
+ items:
+ additionalProperties: true
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ - knowledge_base
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ installed_kibana:
+ items:
+ additionalProperties: true
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ installed_kibana_space_id:
+ type: string
+ is_rollback_ttl_expired:
+ type: boolean
+ latest_executed_state:
+ additionalProperties: true
+ properties:
+ error:
+ type: string
+ name:
+ type: string
+ started_at:
+ type: string
+ type: object
+ latest_install_failed_attempts:
+ items:
+ additionalProperties: true
+ properties:
+ created_at:
+ type: string
+ error:
+ additionalProperties: true
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ stack:
+ type: string
+ required:
+ - name
+ - message
+ type: object
+ target_version:
+ type: string
+ required:
+ - created_at
+ - target_version
+ - error
+ type: object
+ type: array
+ name:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ previous_version:
+ nullable: true
+ type: string
+ rolled_back:
+ type: boolean
+ type:
+ type: string
+ updated_at:
+ type: string
+ verification_key_id:
+ nullable: true
+ type: string
+ verification_status:
+ enum:
+ - unverified
+ - verified
+ - unknown
+ type: string
+ version:
+ type: string
+ required:
+ - type
+ - installed_kibana
+ - installed_es
+ - name
+ - version
+ - install_status
+ - install_source
+ - verification_status
+ type: object
+ internal:
+ type: boolean
+ keepPoliciesUpToDate:
+ type: boolean
+ latestVersion:
+ type: string
+ license:
+ type: string
+ licensePath:
+ type: string
+ name:
+ type: string
+ notice:
+ type: string
+ owner:
+ additionalProperties: true
+ properties:
+ github:
+ type: string
+ type:
+ enum:
+ - elastic
+ - partner
+ - community
+ type: string
+ type: object
+ path:
+ type: string
+ policy_templates:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ readme:
+ type: string
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ screenshots:
+ items:
+ additionalProperties: false
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: object
+ type: array
+ signature_path:
+ type: string
+ source:
+ additionalProperties: true
+ properties:
+ license:
+ type: string
+ required:
+ - license
+ type: object
+ status:
+ type: string
+ title:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - integration
+ type: string
+ - enum:
+ - input
+ type: string
+ - enum:
+ - content
+ type: string
+ - type: string
+ vars:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ version:
+ type: string
+ required:
+ - name
+ - version
+ - title
+ - assets
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Update package settings
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: delete-fleet-epm-packages-pkgname-pkgversion
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: force
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ - knowledge_base
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete a package
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
+ operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: filePath
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema: {}
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get a package file
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets:
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/datastream_assets
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: delete-fleet-epm-packages-pkgname-pkgversion-datastream-assets
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: packagePolicyId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ success:
+ type: boolean
+ required:
+ - success
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete assets for an input package
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: post-fleet-epm-packages-pkgname-pkgversion-kibana-assets
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ nullable: true
+ properties:
+ force:
+ type: boolean
+ space_ids:
+ description: When provided install assets in the specified spaces instead of the current space.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ success:
+ type: boolean
+ required:
+ - success
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Install Kibana assets for a package
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: delete-fleet-epm-packages-pkgname-pkgversion-kibana-assets
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ success:
+ type: boolean
+ required:
+ - success
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete Kibana assets for a package
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/rule_assets
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: post-fleet-epm-packages-pkgname-pkgversion-rule-assets
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ nullable: true
+ properties:
+ force:
+ type: boolean
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ success:
+ type: boolean
+ required:
+ - success
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Install Kibana alert rule for a package
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ transforms:
+ items:
+ additionalProperties: false
+ properties:
+ transformId:
+ type: string
+ required:
+ - transformId
+ type: object
+ type: array
+ required:
+ - transforms
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ additionalProperties: false
+ properties:
+ error:
+ nullable: true
+ success:
+ type: boolean
+ transformId:
+ type: string
+ required:
+ - transformId
+ - success
+ - error
+ type: object
+ type: array
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Authorize transforms
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/{pkgName}/rollback:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/epm/packages/{pkgName}/rollback
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
+ operationId: post-fleet-epm-packages-pkgname-rollback
+ parameters:
+ - description: Package name to roll back
+ in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ success:
+ type: boolean
+ version:
+ type: string
+ required:
+ - version
+ - success
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Rollback a package to previous version
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.1.0
+ /api/fleet/epm/packages/{pkgName}/stats:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/packages/{pkgName}/stats
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
+ operationId: get-fleet-epm-packages-pkgname-stats
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ response:
+ additionalProperties: false
+ properties:
+ agent_policy_count:
+ type: number
+ package_policy_count:
+ type: number
+ required:
+ - agent_policy_count
+ - package_policy_count
+ type: object
+ required:
+ - response
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get package stats
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/installed:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/packages/installed
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
+ operationId: get-fleet-epm-packages-installed
+ parameters:
+ - in: query
+ name: dataStreamType
+ required: false
+ schema:
+ enum:
+ - logs
+ - metrics
+ - traces
+ - synthetics
+ - profiling
+ type: string
+ - in: query
+ name: showOnlyActiveDataStreams
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: nameQuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: searchAfter
+ required: false
+ schema:
+ items:
+ anyOf:
+ - type: string
+ - type: number
+ type: array
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ default: 15
+ type: number
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ default: asc
+ enum:
+ - asc
+ - desc
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ dataStreams:
+ items:
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ title:
+ type: string
+ required:
+ - name
+ - title
+ type: object
+ type: array
+ description:
+ type: string
+ icons:
+ items:
+ additionalProperties: false
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: object
+ type: array
+ name:
+ type: string
+ status:
+ type: string
+ title:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ - version
+ - status
+ - dataStreams
+ type: object
+ type: array
+ searchAfter:
+ items:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ - enum: []
+ nullable: true
+ - {}
+ type: array
+ total:
+ type: number
+ required:
+ - items
+ - total
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get installed packages
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/packages/limited:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/packages/limited
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
+ operationId: get-fleet-epm-packages-limited
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ type: string
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get a limited package list
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
+ operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs
+ parameters:
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ default: json
+ enum:
+ - json
+ - yml
+ - yaml
+ type: string
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: ignoreUnverified
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - type: string
+ - additionalProperties: false
+ properties:
+ inputs:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ streams:
+ items:
+ additionalProperties: true
+ properties:
+ data_stream:
+ additionalProperties: true
+ properties:
+ dataset:
+ type: string
+ type:
+ type: string
+ required:
+ - dataset
+ type: object
+ id:
+ type: string
+ required:
+ - id
+ - data_stream
+ type: object
+ type: array
+ type:
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ required:
+ - inputs
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get an inputs template
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/epm/verification_key_id:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/epm/verification_key_id
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
+ operationId: get-fleet-epm-verification-key-id
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ id:
+ nullable: true
+ type: string
+ required:
+ - id
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get a package signature verification key ID
+ tags:
+ - Elastic Package Manager (EPM)
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/fleet_server_hosts:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/fleet_server_hosts
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all OR fleet-settings-read.
+ operationId: get-fleet-fleet-server-hosts
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ $ref: '#/components/schemas/server_host'
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get Fleet Server hosts
+ tags:
+ - Fleet Server hosts
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/fleet_server_hosts
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-all.
+ operationId: post-fleet-fleet-server-hosts
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ host_urls:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ agent_key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ es_key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ ssl:
+ additionalProperties: false
+ nullable: true
+ properties:
+ agent_certificate:
+ type: string
+ agent_certificate_authorities:
+ items:
+ type: string
+ type: array
+ agent_key:
+ type: string
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ client_auth:
+ enum:
+ - optional
+ - required
+ - none
+ type: string
+ es_certificate:
+ type: string
+ es_certificate_authorities:
+ items:
+ type: string
+ type: array
+ es_key:
+ type: string
+ key:
+ type: string
+ type: object
+ x-omitempty: true
+ required:
+ - name
+ - host_urls
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/server_host'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Create a Fleet Server host
+ tags:
+ - Fleet Server hosts
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/fleet_server_hosts/{itemId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a Fleet Server host by ID.
[Required authorization] Route required privileges: fleet-settings-read.
+ operationId: get-fleet-fleet-server-hosts-itemid
+ parameters:
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/server_host'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get a Fleet Server host
+ tags:
+ - Fleet Server hosts
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update a Fleet Server host by ID.
[Required authorization] Route required privileges: fleet-settings-all.
+ operationId: put-fleet-fleet-server-hosts-itemid
+ parameters:
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ host_urls:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ is_default:
+ type: boolean
+ is_internal:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ agent_key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ es_key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ ssl:
+ additionalProperties: false
+ nullable: true
+ properties:
+ agent_certificate:
+ type: string
+ agent_certificate_authorities:
+ items:
+ type: string
+ type: array
+ agent_key:
+ type: string
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ client_auth:
+ enum:
+ - optional
+ - required
+ - none
+ type: string
+ es_certificate:
+ type: string
+ es_certificate_authorities:
+ items:
+ type: string
+ type: array
+ es_key:
+ type: string
+ key:
+ type: string
+ type: object
+ x-omitempty: true
+ required:
+ - proxy_id
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/server_host'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Update a Fleet Server host
+ tags:
+ - Fleet Server hosts
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/fleet_server_hosts/{itemId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a Fleet Server host by ID.
[Required authorization] Route required privileges: fleet-settings-all.
+ operationId: delete-fleet-fleet-server-hosts-itemid
+ parameters:
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete a Fleet Server host
+ tags:
+ - Fleet Server hosts
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/health_check:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/health_check
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-all.
+ operationId: post-fleet-health-check
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ host_id:
+ type: string
+ name:
+ type: string
+ status:
+ type: string
+ required:
+ - status
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "404":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: Not found.
+ summary: Check Fleet Server health
+ tags:
+ - Fleet internals
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/kubernetes:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/kubernetes
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.
+ operationId: get-fleet-kubernetes
+ parameters:
+ - in: query
+ name: download
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: fleetServer
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: enrolToken
+ required: false
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ type: string
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get a full K8s agent manifest
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/kubernetes/download:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/kubernetes/download
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-setup.
+ operationId: get-fleet-kubernetes-download
+ parameters:
+ - in: query
+ name: download
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: fleetServer
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: enrolToken
+ required: false
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: string
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "404":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: Not found.
+ summary: Download an agent manifest
+ tags:
+ - Elastic Agent policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/logstash_api_keys:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/logstash_api_keys
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-all.
+ operationId: post-fleet-logstash-api-keys
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ api_key:
+ type: string
+ required:
+ - api_key
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Generate a Logstash API key
+ tags:
+ - Fleet outputs
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/message_signing_service/rotate_key_pair:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/message_signing_service/rotate_key_pair
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.
+ operationId: post-fleet-message-signing-service-rotate-key-pair
+ parameters:
+ - in: query
+ name: acknowledge
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "500":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: An internal server error.
+ summary: Rotate a Fleet message signing key pair
+ tags:
+ - Message Signing Service
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/outputs:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/outputs
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.
+ operationId: get-fleet-outputs
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ $ref: '#/components/schemas/output_union'
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get outputs
+ tags:
+ - Fleet outputs
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/outputs
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-all.
+ operationId: post-fleet-outputs
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/new_output_union'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/output_union'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Create output
+ tags:
+ - Fleet outputs
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/outputs/{outputId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/outputs/{outputId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get output by ID.
[Required authorization] Route required privileges: fleet-settings-read OR fleet-agent-policies-read.
+ operationId: get-fleet-outputs-outputid
+ parameters:
+ - in: path
+ name: outputId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/output_union'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get output
+ tags:
+ - Fleet outputs
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/outputs/{outputId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update output by ID.
[Required authorization] Route required privileges: fleet-settings-all OR fleet-agent-policies-all.
+ operationId: put-fleet-outputs-outputid
+ parameters:
+ - in: path
+ name: outputId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/update_output_union'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/output_union'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Update output
+ tags:
+ - Fleet outputs
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/outputs/{outputId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete output by ID.
[Required authorization] Route required privileges: fleet-settings-all.
+ operationId: delete-fleet-outputs-outputid
+ parameters:
+ - in: path
+ name: outputId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "404":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: Not found.
+ summary: Delete output
+ tags:
+ - Fleet outputs
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/outputs/{outputId}/health:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/outputs/{outputId}/health
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-read.
+ operationId: get-fleet-outputs-outputid-health
+ parameters:
+ - in: path
+ name: outputId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ message:
+ description: long message if unhealthy
+ type: string
+ state:
+ description: state of output, HEALTHY or DEGRADED
+ type: string
+ timestamp:
+ description: timestamp of reported state
+ type: string
+ required:
+ - state
+ - message
+ - timestamp
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get the latest output health
+ tags:
+ - Fleet outputs
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/package_policies:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/package_policies
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: get-fleet-package-policies
+ parameters:
+ - in: query
+ name: page
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: sortField
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ - in: query
+ name: showUpgradeable
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ - in: query
+ name: withAgentCount
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ $ref: '#/components/schemas/package_policy'
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get package policies
+ tags:
+ - Fleet package policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/package_policies
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: post-fleet-package-policies
+ parameters:
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/package_policy_request'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/package_policy'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "409":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A conflict occurred.
+ summary: Create a package policy
+ tags:
+ - Fleet package policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
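Review bot: `post-fleet-package-policies` carries no `[Required authorization] Route required privileges:` line, unlike the delete, bulk delete, upgrade and dryrun operations further down; creating a package policy modifies agent policies, so state the required privileges in the description as those operations do. The `format` query parameter (`simplified` / `legacy`) also has no description here or in any of the other operations that accept it; one line saying how each value changes the response shape would help callers choose.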
+ /api/fleet/package_policies/_bulk_get:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/package_policies/_bulk_get
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: post-fleet-package-policies-bulk-get
+ parameters:
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ ids:
+ description: list of package policy ids
+ items:
+ type: string
+ type: array
+ ignoreMissing:
+ type: boolean
+ required:
+ - ids
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ agents:
+ type: number
+ cloud_connector_id:
+ description: ID of the cloud connector associated with this package policy.
+ nullable: true
+ type: string
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ properties:
+ privileges:
+ additionalProperties: true
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ id:
+ description: Package policy unique identifier.
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: object
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: object
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that stream. Defaults to `true` (enabled).
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Input streams. Refer to the integration documentation to know which streams are available.
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
+ type: object
+ x-oas-optional: true
+ description: Package policy inputs.
+ is_managed:
+ type: boolean
+ name:
+ description: Unique name for the package policy.
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ type: object
+ package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ policy_id:
+ deprecated: true
+ description: ID of the agent policy which the package policy will be added to.
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: IDs of the agent policies which that package policy will be added to.
+ type: string
+ type: array
+ revision:
+ description: Package policy revision.
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ supports_cloud_connector:
+ default: false
+ description: Indicates whether the package policy supports cloud connectors.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ x-oas-optional: true
+ description: Package level variable.
+ version:
+ description: Package policy ES version.
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: object
+ type: array
+ required:
+ - items
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "404":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ description: Not found.
+ summary: Bulk get package policies
+ tags:
+ - Fleet package policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
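Review bot: The 200 `items` schema duplicates the entire package policy object inline (from `additional_datastreams_permissions` through `version`) instead of using the `$ref: '#/components/schemas/package_policy'` that the single-item GET, POST and PUT responses use; the copies have already drifted (this one lists `id` under `required`, the dryrun `diff` copy does not), so replace it with the `$ref`. `ignoreMissing` in the request body also has no description; document its effect, including whether unknown IDs trigger the 404 response declared below or are simply omitted from `items`.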
+ /api/fleet/package_policies/{packagePolicyId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a package policy by ID.
+ operationId: get-fleet-package-policies-packagepolicyid
+ parameters:
+ - in: path
+ name: packagePolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/package_policy'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "404":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ description: Not found.
+ summary: Get a package policy
+ tags:
+ - Fleet package policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update a package policy by ID.
+ operationId: put-fleet-package-policies-packagepolicyid
+ parameters:
+ - in: path
+ name: packagePolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/package_policy_request'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ $ref: '#/components/schemas/package_policy'
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "403":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: Forbidden.
+ summary: Update a package policy
+ tags:
+ - Fleet package policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
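Review bot: The three operations on `/api/fleet/package_policies/{packagePolicyId}` declare inconsistent error responses: GET has 400 and 404, PUT has 400 and 403, DELETE has only 400. All of them take the same path parameter and the same unknown-ID and insufficient-privilege outcomes apply, so align them (404 for an unknown `packagePolicyId`, 403 where privileges can be missing). GET and PUT also lack the `[Required authorization]` line that DELETE has; add it so readers can see which privileges reads and updates need.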
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/package_policies/{packagePolicyId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a package policy by ID.
[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.
+ operationId: delete-fleet-package-policies-packagepolicyid
+ parameters:
+ - in: path
+ name: packagePolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: force
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete a package policy
+ tags:
+ - Fleet package policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
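Review bot: The `force` query parameter has no description, yet this route requires `fleet-agent-policies-all AND integrations-all` and the package policy schema exposes an `is_managed` flag; document exactly which checks `force: true` bypasses (for instance whether it allows deleting a policy flagged `is_managed`) so callers understand the impact. The same applies to `force` in the `/api/fleet/package_policies/delete` request body. Also, the description runs `Delete a package policy by ID.` straight into `[Required authorization] ...` with no blank line, unlike the bulk delete and dryrun descriptions that separate the two; insert the blank line so they render as separate paragraphs (the upgrade description has the same problem).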
+ /api/fleet/package_policies/delete:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/package_policies/delete
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.
+ operationId: post-fleet-package-policies-delete
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ force:
+ type: boolean
+ packagePolicyIds:
+ items:
+ type: string
+ type: array
+ required:
+ - packagePolicyIds
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ additionalProperties: false
+ properties:
+ body:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ id:
+ type: string
+ name:
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ policy_id:
+ deprecated: true
+ description: Use `policy_ids` instead
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ type: string
+ type: array
+ statusCode:
+ type: number
+ success:
+ type: boolean
+ required:
+ - id
+ - success
+ - policy_ids
+ - package
+ type: object
+ type: array
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Bulk delete package policies
+ tags:
+ - Fleet package policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
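Review bot: `policy_id` is `deprecated: true` everywhere, but the deprecation text differs: here it says `Use \`policy_ids\` instead`, while the bulk get and dryrun copies still say `ID of the agent policy which the package policy will be added to.` with no pointer to the replacement; use the `Use \`policy_ids\` instead` wording consistently. In the per-item result, `success` and `id` are required but `statusCode` and `body.message` are optional; consider requiring `statusCode` (and `body`) whenever `success` is false, since the bare-array 200 response is the only place a partial failure is reported.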
+ /api/fleet/package_policies/upgrade:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/package_policies/upgrade
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Upgrade a package policy to a newer package version.
[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.
+ operationId: post-fleet-package-policies-upgrade
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ packagePolicyIds:
+ items:
+ type: string
+ type: array
+ required:
+ - packagePolicyIds
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ additionalProperties: false
+ properties:
+ body:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ id:
+ type: string
+ name:
+ type: string
+ statusCode:
+ type: number
+ success:
+ type: boolean
+ required:
+ - id
+ - success
+ type: object
+ type: array
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Upgrade a package policy
+ tags:
+ - Fleet package policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
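Review bot: The 200 response is a bare array of per-item results with `success`, `statusCode` and `body.message`, and the only other declared status is 400; because a single call can partially fail while the HTTP status stays 200, the description should say that callers must check every item's `success` rather than the HTTP status. `statusCode` should also be `type: integer` here, as in the error schema.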
+ /api/fleet/package_policies/upgrade/dryrun:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/package_policies/upgrade/dryrun
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agent-policies-read AND integrations-read.
+ operationId: post-fleet-package-policies-upgrade-dryrun
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ packagePolicyIds:
+ items:
+ type: string
+ type: array
+ packageVersion:
+ type: string
+ required:
+ - packagePolicyIds
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ additionalProperties: false
+ properties:
+ agent_diff:
+ items:
+ items:
+ additionalProperties: true
+ properties:
+ data_stream:
+ additionalProperties: true
+ properties:
+ namespace:
+ type: string
+ required:
+ - namespace
+ type: object
+ id:
+ type: string
+ meta:
+ additionalProperties: true
+ properties:
+ package:
+ additionalProperties: true
+ properties:
+ name:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ required:
+ - package
+ type: object
+ name:
+ type: string
+ package_policy_id:
+ type: string
+ processors:
+ items:
+ additionalProperties: true
+ properties:
+ add_fields:
+ additionalProperties: true
+ properties:
+ fields:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: number
+ type: object
+ target:
+ type: string
+ required:
+ - target
+ - fields
+ type: object
+ required:
+ - add_fields
+ type: object
+ type: array
+ revision:
+ type: number
+ streams:
+ items:
+ additionalProperties: true
+ properties:
+ data_stream:
+ additionalProperties: true
+ properties:
+ dataset:
+ type: string
+ type:
+ type: string
+ required:
+ - dataset
+ type: object
+ id:
+ type: string
+ required:
+ - data_stream
+ type: object
+ type: array
+ type:
+ type: string
+ use_output:
+ type: string
+ required:
+ - id
+ - name
+ - revision
+ - type
+ - data_stream
+ - use_output
+ - package_policy_id
+ type: object
+ type: array
+ type: array
+ body:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ diff:
+ items:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ agents:
+ type: number
+ cloud_connector_id:
+ description: ID of the cloud connector associated with this package policy.
+ nullable: true
+ type: string
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ properties:
+ privileges:
+ additionalProperties: true
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: object
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: object
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that stream. Defaults to `true` (enabled).
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Input streams. Refer to the integration documentation to know which streams are available.
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
+ type: object
+ x-oas-optional: true
+ description: Package policy inputs.
+ is_managed:
+ type: boolean
+ name:
+ description: Unique name for the package policy.
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ type: object
+ package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ policy_id:
+ deprecated: true
+ description: ID of the agent policy which the package policy will be added to.
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: IDs of the agent policies which that package policy will be added to.
+ type: string
+ type: array
+ revision:
+ description: Package policy revision.
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ supports_cloud_connector:
+ default: false
+ description: Indicates whether the package policy supports cloud connectors.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ x-oas-optional: true
+ description: Package level variable.
+ version:
+ description: Package policy ES version.
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: object
+ - additionalProperties: true
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ cloud_connector_id:
+ description: ID of the cloud connector associated with this package policy.
+ nullable: true
+ type: string
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ properties:
+ privileges:
+ additionalProperties: true
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ errors:
+ items:
+ additionalProperties: false
+ properties:
+ key:
+ type: string
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ type: array
+ force:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ items:
+ additionalProperties: false
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: object
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: object
+ type: array
+ is_managed:
+ type: boolean
+ missingVars:
+ items:
+ type: string
+ type: array
+ name:
+ description: Unique name for the package policy.
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ type: object
+ package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ policy_id:
+ deprecated: true
+ description: ID of the agent policy which the package policy will be added to.
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: IDs of the agent policies which that package policy will be added to.
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ supports_cloud_connector:
+ default: false
+ description: Indicates whether the package policy supports cloud connectors.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ version:
+ description: Package policy ES version.
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ type: object
+ type: array
+ hasErrors:
+ type: boolean
+ name:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - hasErrors
+ type: object
+ type: array
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Dry run a package policy upgrade
+ tags:
+ - Fleet package policies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/proxies:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/proxies
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-read.
+ operationId: get-fleet-proxies
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ certificate_authorities:
+ nullable: true
+ type: string
+ certificate_key:
+ nullable: true
+ type: string
+ id:
+ type: string
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ url:
+ type: string
+ required:
+ - id
+ - url
+ - name
+ type: object
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get proxies
+ tags:
+ - Fleet proxies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
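Review bot: The 200 schema for `get /api/fleet/proxies` (items[].certificate_key, `nullable: true`, `type: string`) documents that the proxy's TLS private key is returned to any caller holding only `fleet-settings-read`, while writing it requires `fleet-settings-all`; the same `certificate_key` property is echoed in the `item` objects of the `post`, `get {itemId}` and `put {itemId}` responses below. If the server actually returns the stored key, the read privilege becomes a key-disclosure path and should be called out in the description; if the value is redacted or never returned, the schema should say so (for example by dropping `certificate_key` from the response objects, or at least adding `format: password` so renderers do not display it in the clear).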
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/proxies
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-all.
+ operationId: post-fleet-proxies
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ x-omitempty: true
+ certificate_authorities:
+ nullable: true
+ type: string
+ x-omitempty: true
+ certificate_key:
+ nullable: true
+ type: string
+ x-omitempty: true
+ id:
+ type: string
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ x-omitempty: true
+ url:
+ type: string
+ required:
+ - url
+ - name
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ certificate_authorities:
+ nullable: true
+ type: string
+ certificate_key:
+ nullable: true
+ type: string
+ id:
+ type: string
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ url:
+ type: string
+ required:
+ - id
+ - url
+ - name
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Create a proxy
+ tags:
+ - Fleet proxies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/proxies/{itemId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/proxies/{itemId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a proxy by ID.
[Required authorization] Route required privileges: fleet-settings-read.
+ operationId: get-fleet-proxies-itemid
+ parameters:
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ certificate_authorities:
+ nullable: true
+ type: string
+ certificate_key:
+ nullable: true
+ type: string
+ id:
+ type: string
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ url:
+ type: string
+ required:
+ - id
+ - url
+ - name
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get a proxy
+ tags:
+ - Fleet proxies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/proxies/{itemId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update a proxy by ID.
[Required authorization] Route required privileges: fleet-settings-all.
+ operationId: put-fleet-proxies-itemid
+ parameters:
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ x-omitempty: true
+ certificate_authorities:
+ nullable: true
+ type: string
+ x-omitempty: true
+ certificate_key:
+ nullable: true
+ type: string
+ x-omitempty: true
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ x-omitempty: true
+ url:
+ type: string
+ required:
+ - certificate_authorities
+ - certificate
+ - certificate_key
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ certificate_authorities:
+ nullable: true
+ type: string
+ certificate_key:
+ nullable: true
+ type: string
+ id:
+ type: string
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ url:
+ type: string
+ required:
+ - id
+ - url
+ - name
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Update a proxy
+ tags:
+ - Fleet proxies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
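Review bot: The `put /api/fleet/proxies/{itemId}` request body lists `certificate_authorities`, `certificate` and `certificate_key` under `required`, which contradicts the `nullable: true` and `x-omitempty: true` annotations on those same three properties and forces every update to resend the private key, while `name` and `url` are optional here even though the `post` body above requires `url` and `name`. Either align the `required` list with the `post` body (`- url`, `- name`) or document why an update must always carry the three TLS fields.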
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/fleet/proxies/{itemId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a proxy by ID
[Required authorization] Route required privileges: fleet-settings-all.
+ operationId: delete-fleet-proxies-itemid
+ parameters:
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Delete a proxy
+ tags:
+ - Fleet proxies
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/remote_synced_integrations/{outputId}/remote_status:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/remote_synced_integrations/{outputId}/remote_status
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-read AND integrations-read.
+ operationId: get-fleet-remote-synced-integrations-outputid-remote-status
+ parameters:
+ - in: path
+ name: outputId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ custom_assets:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ error:
+ type: string
+ is_deleted:
+ type: boolean
+ name:
+ type: string
+ package_name:
+ type: string
+ package_version:
+ type: string
+ sync_status:
+ enum:
+ - completed
+ - synchronizing
+ - failed
+ - warning
+ type: string
+ type:
+ type: string
+ warning:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ title:
+ type: string
+ required:
+ - title
+ type: object
+ required:
+ - type
+ - name
+ - package_name
+ - package_version
+ - sync_status
+ type: object
+ type: object
+ error:
+ type: string
+ integrations:
+ items:
+ additionalProperties: false
+ properties:
+ error:
+ type: string
+ id:
+ type: string
+ install_status:
+ additionalProperties: false
+ properties:
+ main:
+ type: string
+ remote:
+ type: string
+ required:
+ - main
+ type: object
+ package_name:
+ type: string
+ package_version:
+ type: string
+ sync_status:
+ enum:
+ - completed
+ - synchronizing
+ - failed
+ - warning
+ type: string
+ updated_at:
+ type: string
+ warning:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ title:
+ type: string
+ required:
+ - title
+ type: object
+ required:
+ - sync_status
+ - install_status
+ type: object
+ type: array
+ warning:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ title:
+ type: string
+ required:
+ - title
+ type: object
+ required:
+ - integrations
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get remote synced integrations status by outputId
+ tags:
+ - Fleet remote synced integrations
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.1.0
+ /api/fleet/remote_synced_integrations/status:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/remote_synced_integrations/status
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-read AND integrations-read.
+ operationId: get-fleet-remote-synced-integrations-status
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ custom_assets:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ error:
+ type: string
+ is_deleted:
+ type: boolean
+ name:
+ type: string
+ package_name:
+ type: string
+ package_version:
+ type: string
+ sync_status:
+ enum:
+ - completed
+ - synchronizing
+ - failed
+ - warning
+ type: string
+ type:
+ type: string
+ warning:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ title:
+ type: string
+ required:
+ - title
+ type: object
+ required:
+ - type
+ - name
+ - package_name
+ - package_version
+ - sync_status
+ type: object
+ type: object
+ error:
+ type: string
+ integrations:
+ items:
+ additionalProperties: false
+ properties:
+ error:
+ type: string
+ id:
+ type: string
+ install_status:
+ additionalProperties: false
+ properties:
+ main:
+ type: string
+ remote:
+ type: string
+ required:
+ - main
+ type: object
+ package_name:
+ type: string
+ package_version:
+ type: string
+ sync_status:
+ enum:
+ - completed
+ - synchronizing
+ - failed
+ - warning
+ type: string
+ updated_at:
+ type: string
+ warning:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ title:
+ type: string
+ required:
+ - title
+ type: object
+ required:
+ - sync_status
+ - install_status
+ type: object
+ type: array
+ warning:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ title:
+ type: string
+ required:
+ - title
+ type: object
+ required:
+ - integrations
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get remote synced integrations status
+ tags:
+ - Fleet remote synced integrations
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.1.0
+ /api/fleet/service_tokens:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/service_tokens
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-all.
+ operationId: post-fleet-service-tokens
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ nullable: true
+ properties:
+ remote:
+ default: false
+ type: boolean
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Create a service token
+ tags:
+ - Fleet service tokens
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/settings:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/settings
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-read.
+ operationId: get-fleet-settings
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ action_secret_storage_requirements_met:
+ type: boolean
+ delete_unenrolled_agents:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ required:
+ - enabled
+ - is_preconfigured
+ type: object
+ has_seen_add_data_notice:
+ type: boolean
+ id:
+ type: string
+ output_secret_storage_requirements_met:
+ type: boolean
+ preconfigured_fields:
+ items:
+ enum:
+ - fleet_server_hosts
+ type: string
+ type: array
+ prerelease_integrations_enabled:
+ type: boolean
+ secret_storage_requirements_met:
+ type: boolean
+ use_space_awareness_migration_started_at:
+ nullable: true
+ type: string
+ use_space_awareness_migration_status:
+ enum:
+ - pending
+ - success
+ - error
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "404":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ description: Not found.
+ summary: Get settings
+ tags:
+ - Fleet internals
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/settings
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-all.
+ operationId: put-fleet-settings
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ additional_yaml_config:
+ deprecated: true
+ type: string
+ delete_unenrolled_agents:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ required:
+ - enabled
+ - is_preconfigured
+ type: object
+ has_seen_add_data_notice:
+ deprecated: true
+ type: boolean
+ kibana_ca_sha256:
+ deprecated: true
+ type: string
+ kibana_urls:
+ deprecated: true
+ items:
+ format: uri
+ type: string
+ type: array
+ prerelease_integrations_enabled:
+ type: boolean
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ action_secret_storage_requirements_met:
+ type: boolean
+ delete_unenrolled_agents:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ required:
+ - enabled
+ - is_preconfigured
+ type: object
+ has_seen_add_data_notice:
+ type: boolean
+ id:
+ type: string
+ output_secret_storage_requirements_met:
+ type: boolean
+ preconfigured_fields:
+ items:
+ enum:
+ - fleet_server_hosts
+ type: string
+ type: array
+ prerelease_integrations_enabled:
+ type: boolean
+ secret_storage_requirements_met:
+ type: boolean
+ use_space_awareness_migration_started_at:
+ nullable: true
+ type: string
+ use_space_awareness_migration_status:
+ enum:
+ - pending
+ - success
+ - error
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "404":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ description: Not found.
+ summary: Update settings
+ tags:
+ - Fleet internals
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/setup:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/fleet/setup
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
+ operationId: post-fleet-setup
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.
+ properties:
+ isInitialized:
+ type: boolean
+ nonFatalErrors:
+ items:
+ additionalProperties: false
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - message
+ type: object
+ type: array
+ required:
+ - isInitialized
+ - nonFatalErrors
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ "500":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Internal Server Error
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ type: object
+ description: An internal server error occurred.
+ summary: Initiate Fleet setup
+ tags:
+ - Fleet internals
+ x-metaTags:
+ - content: Kibana
+ name: product_name
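Review bot: The `post /api/fleet/setup` description grants the call to holders of read-only privileges (`fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup`), yet the summary is "Initiate Fleet setup" and the 200 schema describes running the `setup` lifecycle. A short sentence in the description saying what the call changes and why a read privilege is sufficient to trigger it would let reviewers of the privilege model check this without reading the route handler.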
+ /api/fleet/space_settings:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/space_settings
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: get-fleet-space-settings
+ parameters: []
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ allowed_namespace_prefixes:
+ items:
+ type: string
+ type: array
+ managed_by:
+ type: string
+ required:
+ - allowed_namespace_prefixes
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ summary: Get space settings
+ tags: []
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.1.0
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/fleet/space_settings
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: fleet-settings-all.
+ operationId: put-fleet-space-settings
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ allowed_namespace_prefixes:
+ items:
+ type: string
+ type: array
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ allowed_namespace_prefixes:
+ items:
+ type: string
+ type: array
+ managed_by:
+ type: string
+ required:
+ - allowed_namespace_prefixes
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ summary: Create space settings
+ tags: []
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.1.0
+ /api/fleet/uninstall_tokens:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/uninstall_tokens
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ List the metadata for the latest uninstall tokens per agent policy.
[Required authorization] Route required privileges: fleet-agents-all.
+ operationId: get-fleet-uninstall-tokens
+ parameters:
+ - description: Partial match filtering for policy IDs
+ in: query
+ name: policyId
+ required: false
+ schema:
+ maxLength: 50
+ type: string
+ - in: query
+ name: search
+ required: false
+ schema:
+ maxLength: 50
+ type: string
+ - description: The number of items to return
+ in: query
+ name: perPage
+ required: false
+ schema:
+ minimum: 5
+ type: number
+ - in: query
+ name: page
+ required: false
+ schema:
+ minimum: 1
+ type: number
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ properties:
+ created_at:
+ type: string
+ id:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ policy_name:
+ nullable: true
+ type: string
+ required:
+ - id
+ - policy_id
+ - created_at
+ type: object
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get metadata for latest uninstall tokens
+ tags:
+ - Fleet uninstall tokens
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/fleet/uninstall_tokens/{uninstallTokenId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/fleet/uninstall_tokens/{uninstallTokenId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get one decrypted uninstall token by its ID.
[Required authorization] Route required privileges: fleet-agents-all.
+ operationId: get-fleet-uninstall-tokens-uninstalltokenid
+ parameters:
+ - in: path
+ name: uninstallTokenId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ item:
+ additionalProperties: false
+ properties:
+ created_at:
+ type: string
+ id:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ policy_name:
+ nullable: true
+ type: string
+ token:
+ type: string
+ required:
+ - id
+ - policy_id
+ - created_at
+ - token
+ type: object
+ required:
+ - item
+ type: object
+ description: 'OK: A successful request.'
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ properties:
+ attributes: {}
+ error:
+ type: string
+ errorType:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ - attributes
+ type: object
+ description: A bad request.
+ summary: Get a decrypted uninstall token
+ tags:
+ - Fleet uninstall tokens
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/lists:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/lists
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the details of a value list using the list ID.
+ operationId: ReadList
+ parameters:
+ - in: query
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get value list details
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
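Review bot: `get /api/lists` (ReadList) declares `"401"` "Unsuccessful authentication response" and `"403"` "Not enough privileges response" but, unlike the Fleet routes in this hunk, its description carries no `[Required authorization] Route required privileges:` line, so the reader cannot tell which privilege avoids the 403; the same gap applies to `PatchList` and `CreateList` below. Adding the privilege line to the Security Lists API descriptions would make the 403 response actionable.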
+ patch:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ patch /s/{space_id}/api/lists
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update specific fields of an existing list using the list `id`.
+ operationId: PatchList
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ _version:
+ $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
+ description:
+ $ref: '#/components/schemas/Security_Lists_API_ListDescription'
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Lists_API_ListName'
+ version:
+ $ref: '#/components/schemas/Security_Lists_API_ListVersion'
+ required:
+ - id
+ type: object
+ description: Value list's properties
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Patch a value list
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/lists
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a new value list.
+ operationId: CreateList
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Lists_API_ListDescription'
+ deserializer:
+ $ref: '#/components/schemas/Security_Lists_API_ListDeserializer'
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Lists_API_ListName'
+ serializer:
+ $ref: '#/components/schemas/Security_Lists_API_ListSerializer'
+ type:
+ $ref: '#/components/schemas/Security_Lists_API_ListType'
+ version:
+ default: 1
+ minimum: 1
+ type: integer
+ required:
+ - name
+ - description
+ - type
+ type: object
+ description: Value list's properties
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List already exists response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create a value list
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/lists
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update a value list using the list `id`. The original list is replaced, and all unspecified fields are deleted.
+ > info
+ > You cannot modify the `id` value.
+ operationId: UpdateList
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ _version:
+ $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
+ description:
+ $ref: '#/components/schemas/Security_Lists_API_ListDescription'
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Lists_API_ListName'
+ version:
+ $ref: '#/components/schemas/Security_Lists_API_ListVersion'
+ required:
+ - id
+ - name
+ - description
+ type: object
+ description: Value list's properties
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Update a value list
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/lists
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a value list using the list ID.
+ > info
+ > When you delete a list, all of its list items are also deleted.
+ operationId: DeleteList
+ parameters:
+ - in: query
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: Determines whether exception items referencing this value list should be deleted.
+ in: query
+ name: deleteReferences
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - description: Determines whether to delete value list without performing any additional checks of where this list may be utilized.
+ in: query
+ name: ignoreReferences
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Delete a value list
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/lists/_find:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/lists/_find
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a paginated subset of value lists. By default, the first page is returned, with 20 results per page.
+ operationId: FindLists
+ parameters:
+ - description: The page number to return.
+ in: query
+ name: page
+ required: false
+ schema:
+ type: integer
+ - description: The number of value lists to return per page.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ type: integer
+ - description: Determines which field is used to sort the results.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ format: nonempty
+ minLength: 1
+ type: string
+ - description: Determines the sort order, which can be `desc` or `asc`
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ - description: Returns the lists that come after the last lists returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all lists are sorted and returned correctly.
+ in: query
+ name: cursor
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_FindListsCursor'
+ - description: |
+ Filters the returned results according to the value of the specified field,
+ using the : syntax.
+ in: query
+ name: filter
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_FindListsFilter'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ cursor:
+ $ref: '#/components/schemas/Security_Lists_API_FindListsCursor'
+ data:
+ items:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ type: array
+ page:
+ minimum: 0
+ type: integer
+ per_page:
+ minimum: 0
+ type: integer
+ total:
+ minimum: 0
+ type: integer
+ required:
+ - data
+ - page
+ - per_page
+ - total
+ - cursor
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get value lists
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/lists/index:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/lists/index
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Verify that `.lists` and `.items` data streams exist.
+ operationId: ReadListIndex
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ list_index:
+ type: boolean
+ list_item_index:
+ type: boolean
+ required:
+ - list_index
+ - list_item_index
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List data stream(s) not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get status of value list data streams
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/lists/index
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create `.lists` and `.items` data streams in the relevant space.
+ operationId: CreateListIndex
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ acknowledged:
+ type: boolean
+ required:
+ - acknowledged
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List data stream exists response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create list data streams
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/lists/index
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete the `.lists` and `.items` data streams.
+ operationId: DeleteListIndex
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ acknowledged:
+ type: boolean
+ required:
+ - acknowledged
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List data stream not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Delete value list data streams
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/lists/items:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/lists/items
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the details of a value list item.
+ operationId: ReadListItem
+ parameters:
+ - description: Value list item identifier. Required if `list_id` and `value` are not specified.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: Value list item list's `id` identfier. Required if `id` is not specified.
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: The value used to evaluate exceptions. Required if `id` is not specified.
+ in: query
+ name: value
+ required: false
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ - items:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ type: array
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get a value list item
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ patch:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ patch /s/{space_id}/api/lists/items
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update specific fields of an existing value list item using the item `id`.
+ operationId: PatchListItem
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ _version:
+ $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
+ refresh:
+ description: Determines when changes made by the request are made visible to search.
+ enum:
+ - "true"
+ - "false"
+ - wait_for
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
+ required:
+ - id
+ type: object
+ description: Value list item's properties
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Patch a value list item
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/lists/items
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a value list item and associate it with the specified value list.
+
+ All value list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address.
+ > info
+ > Before creating a list item, you must create a list.
+ operationId: CreateListItem
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemId'
+ list_id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
+ refresh:
+ description: Determines when changes made by the request are made visible to search.
+ enum:
+ - "true"
+ - "false"
+ - wait_for
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
+ required:
+ - list_id
+ - value
+ type: object
+ description: Value list item's properties
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item already exists response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create a value list item
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/lists/items
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted.
+ > info
+ > You cannot modify the `id` value.
+ operationId: UpdateListItem
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ _version:
+ $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
+ value:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
+ required:
+ - id
+ - value
+ type: object
+ description: Value list item's properties
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Update a value list item
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/lists/items
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a value list item using its `id`, or its `list_id` and `value` fields.
+ operationId: DeleteListItem
+ parameters:
+ - description: Value list item's identifier. Required if `list_id` and `value` are not specified.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemId'
+ - description: Value list's identifier. Required if `id` is not specified.
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: The value used to evaluate exceptions. Required if `id` is not specified.
+ in: query
+ name: value
+ required: false
+ schema:
+ type: string
+ - description: Determines when changes made by the request are made visible to search.
+ in: query
+ name: refresh
+ required: false
+ schema:
+ default: "false"
+ enum:
+ - "true"
+ - "false"
+ - wait_for
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ - items:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ type: array
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Delete a value list item
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/lists/items/_export:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/lists/items/_export
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Export list item values from the specified value list.
+ operationId: ExportListItems
+ parameters:
+ - description: Value list's `id` to export.
+ in: query
+ name: list_id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ responses:
+ "200":
+ content:
+ application/ndjson:
+ schema:
+ description: A `.txt` file containing list items from the specified list
+ format: binary
+ type: string
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Export value list items
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/lists/items/_find:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/lists/items/_find
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get all value list items in the specified list.
+ operationId: FindListItems
+ parameters:
+ - in: query
+ name: list_id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: The page number to return.
+ in: query
+ name: page
+ required: false
+ schema:
+ type: integer
+ - description: The number of list items to return per page.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ type: integer
+ - description: Determines which field is used to sort the results.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ format: nonempty
+ minLength: 1
+ type: string
+ - description: Determines the sort order, which can be `desc` or `asc`
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ - in: query
+ name: cursor
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor'
+ - description: |
+ Filters the returned results according to the value of the specified field,
+ using the : syntax.
+ in: query
+ name: filter
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ cursor:
+ $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor'
+ data:
+ items:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ type: array
+ page:
+ minimum: 0
+ type: integer
+ per_page:
+ minimum: 0
+ type: integer
+ total:
+ minimum: 0
+ type: integer
+ required:
+ - data
+ - page
+ - per_page
+ - total
+ - cursor
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get value list items
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/lists/items/_import:
+ post:
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/lists/items/_import
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes.
+
+ You can import items to a new or existing list.
+ operationId: ImportListItems
+ parameters:
+ - description: |
+ List's id.
+
+ Required when importing to an existing list.
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: |
+ Type of the importing list.
+
+ Required when importing a new list whose list `id` is not specified.
+ in: query
+ name: type
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListType'
+ - description: |
+ Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
+
+ - `(?.+)` - Single value item types, such as ip, long, date, keyword, and text.
+ - `(?.+)-(?.+)|(?.+)` - Range value item types, such as `date_range`, `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`.
+ in: query
+ name: serializer
+ required: false
+ schema:
+ type: string
+ - description: |
+ Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
+
+ - `{{{value}}}` - Single value item types, such as `ip`, `long`, `date`, `keyword`, and `text`.
+ - `{{{gte}}}-{{{lte}}}` - Range value item types, such as `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`.
+ - `{{{gte}}},{{{lte}}}` - Date range values.
+ in: query
+ name: deserializer
+ required: false
+ schema:
+ type: string
+ - description: Determines when changes made by the request are made visible to search.
+ in: query
+ name: refresh
+ required: false
+ schema:
+ enum:
+ - "true"
+ - "false"
+ - wait_for
+ type: string
+ requestBody:
+ content:
+ multipart/form-data:
+ schema:
+ properties:
+ file:
+ description: A `.txt` or `.csv` file containing newline separated list items.
+ format: binary
+ type: string
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List with specified list_id does not exist response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Import value list items
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
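Review bot: the `serializer` parameter description has lost its regex group names; the patterns render as `(?.+)` and `(?.+)-(?.+)|(?.+)`, which are not valid named groups, so the angle-bracketed names (presumably `value`, `gte` and `lte`, the names the `deserializer` Handlebars expressions reference) were stripped during generation and need to be restored and escaped in the YAML. In the `deserializer` description, "Handelbar expressions" should read "Handlebars expressions". The multipart schema also declares `file` under `properties` without a `required: [file]` list, so a request carrying no file still validates against the schema even though `requestBody.required` is true; add the required list so validators reject an empty upload before it reaches the 9-million-byte size check.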
+ /api/lists/privileges:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/lists/privileges
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: ReadListPrivileges
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ is_authenticated:
+ type: boolean
+ listItems:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges'
+ lists:
+ $ref: '#/components/schemas/Security_Lists_API_ListPrivileges'
+ required:
+ - lists
+ - listItems
+ - is_authenticated
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ "500":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get value list privileges
+ tags:
+ - Security Lists API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/logstash/pipeline/{id}:
+ get:
+ description: |
+ Get information for a centrally-managed Logstash pipeline.
+ To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role.
+ externalDocs:
+ description: Secure your connection
+ url: https://www.elastic.co/docs/reference/logstash/secure-connection
+ operationId: get-logstash-pipeline
+ parameters:
+ - description: An identifier for the pipeline.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call
+ summary: Get a Logstash pipeline
+ tags:
+ - logstash
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ put:
+ description: |
+ Create a centrally-managed Logstash pipeline or update a pipeline.
+ To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash writer role.
+ externalDocs:
+ description: Secure your connection
+ url: https://www.elastic.co/docs/reference/logstash/secure-connection
+ operationId: put-logstash-pipeline
+ parameters:
+ - description: |
+ An identifier for the pipeline. Pipeline ID must begin with a letter or underscore and can contain only letters, underscores, dashes, hyphens, and numbers.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ description:
+ description: A description of the pipeline.
+ type: string
+ pipeline:
+ description: A definition for the pipeline.
+ type: string
+ settings:
+ description: |
+ Supported settings, represented as object keys, include the following:
+
+ - `pipeline.workers`
+ - `pipeline.batch.size`
+ - `pipeline.batch.delay`
+ - `pipeline.ecs_compatibility`
+ - `pipeline.ordered`
+ - `queue.type`
+ - `queue.max_bytes`
+ - `queue.checkpoint.writes`
+ type: object
+ required:
+ - pipeline
+ type: object
+ responses:
+ "204":
+ description: Indicates a successful call
+ summary: Create or update a Logstash pipeline
+ tags:
+ - logstash
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ delete:
+ description: |
+ Delete a centrally-managed Logstash pipeline.
+ If your Elasticsearch cluster is protected with basic authentication, you must have either the `logstash_admin` built-in role or a customized Logstash writer role.
+ externalDocs:
+ description: Secure your connection
+ url: https://www.elastic.co/docs/reference/logstash/secure-connection
+ operationId: delete-logstash-pipeline
+ parameters:
+ - description: An identifier for the pipeline.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ "204":
+ description: Indicates a successful call
+ summary: Delete a Logstash pipeline
+ tags:
+ - logstash
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
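Review bot: all three operations on `/api/logstash/pipeline/{id}` document only a success response, although each description states a role requirement (`logstash_admin` or a customized reader/writer role); add 401 and 403 responses, and 404 for `get` and `delete`, as the Lists API paths above do. The `put` parameter description lists "dashes, hyphens" as two separate allowed characters (they are the same), and the `delete` description's "If your Elasticsearch cluster is protected with basic authentication, you must have..." conflicts with the unconditional "To use this API, you must have..." wording on `get` and `put`; pick one. The `settings` property enumerates eight supported keys in prose but its schema is a bare `type: object`, so nothing validates them; declaring the listed keys as properties with `additionalProperties: false` would let unknown settings be rejected instead of silently accepted.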
+ /api/logstash/pipelines:
+ get:
+ description: |
+ Get a list of all centrally-managed Logstash pipelines.
+
+ To use this API, you must have either the `logstash_admin` built-in role or a customized Logstash reader role.
+ > info
+ > Limit the number of pipelines to 10,000 or fewer. As the number of pipelines nears and surpasses 10,000, you may see performance issues on Kibana.
+
+ The `username` property appears in the response when security is enabled and depends on when the pipeline was created or last updated.
+ externalDocs:
+ description: Secure your connection
+ url: https://www.elastic.co/docs/reference/logstash/secure-connection
+ operationId: get-logstash-pipelines
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call
+ summary: Get all Logstash pipelines
+ tags:
+ - logstash
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
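Review bot: the 200 schema for `get-logstash-pipelines` is an untyped `type: object` while the description promises a `username` property that appears "when security is enabled and depends on when the pipeline was created or last updated"; document the response shape, with `username` as optional, so clients do not have to guess. The `> info` admonition inside the `|` block scalar is docs-site syntax; confirm the API reference renderer understands it, otherwise it will show up as a literal blockquote with the word "info" in it.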
+ /api/maintenance_window/_find:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/maintenance_window/_find
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: read-maintenance-window.
+ operationId: get-maintenance-window-find
+ parameters:
+ - description: The title of the maintenance window.
+ in: query
+ name: title
+ required: false
+ schema:
+ type: string
+ - description: The user who created the maintenance window.
+ in: query
+ name: created_by
+ required: false
+ schema:
+ type: string
+ - description: The status of the maintenance window. One of "running", "upcoming", "finished" or "archived".
+ in: query
+ name: status
+ required: false
+ schema:
+ items:
+ enum:
+ - running
+ - finished
+ - upcoming
+ - archived
+ type: string
+ type: array
+ - description: The page number to return.
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ maximum: 100
+ minimum: 1
+ type: number
+ - description: The number of maintenance windows to return per page.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 10
+ maximum: 100
+ minimum: 1
+ type: number
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ maintenanceWindows:
+ items:
+ additionalProperties: false
+ properties:
+ created_at:
+ description: The date and time when the maintenance window was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the maintenance window.
+ nullable: true
+ type: string
+ enabled:
+ description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
+ type: boolean
+ id:
+ description: The identifier for the maintenance window.
+ type: string
+ schedule:
+ additionalProperties: false
+ properties:
+ custom:
+ additionalProperties: false
+ properties:
+ duration:
+ description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
+ type: string
+ recurring:
+ additionalProperties: false
+ properties:
+ end:
+ description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ type: string
+ every:
+ description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ type: string
+ occurrences:
+ description: The total number of recurrences of the schedule.
+ type: number
+ onMonth:
+ description: The specific months for a recurring schedule. Valid values are 1-12.
+ items:
+ type: number
+ type: array
+ onMonthDay:
+ description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ items:
+ type: number
+ type: array
+ onWeekDay:
+ description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ items:
+ type: string
+ type: array
+ type: object
+ start:
+ description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ type: string
+ timezone:
+ description: The timezone of the schedule. The default timezone is UTC.
+ type: string
+ required:
+ - start
+ - duration
+ type: object
+ required:
+ - custom
+ type: object
+ scope:
+ additionalProperties: false
+ properties:
+ alerting:
+ additionalProperties: false
+ properties:
+ query:
+ additionalProperties: false
+ properties:
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ type: object
+ required:
+ - query
+ type: object
+ required:
+ - alerting
+ type: object
+ status:
+ description: The current status of the maintenance window.
+ enum:
+ - running
+ - upcoming
+ - finished
+ - archived
+ type: string
+ title:
+ description: The name of the maintenance window.
+ type: string
+ updated_at:
+ description: The date and time when the maintenance window was last updated.
+ type: string
+ updated_by:
+ description: The identifier for the user that last updated this maintenance window.
+ nullable: true
+ type: string
+ required:
+ - id
+ - title
+ - enabled
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - status
+ - schedule
+ type: object
+ type: array
+ page:
+ type: number
+ per_page:
+ type: number
+ total:
+ type: number
+ required:
+ - page
+ - per_page
+ - total
+ - maintenanceWindows
+ type: object
+ description: Indicates a successful call.
+ "400":
+ description: Indicates an invalid schema or parameters.
+ "403":
+ description: Indicates that this call is forbidden.
+ summary: Search for a maintenance window.
+ tags:
+ - maintenance-window
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.2.0
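Review bot: in the schedule schema the `duration` and `every` descriptions read "values in `` format. `` is one of ..." with empty code spans; the placeholder token was stripped (most likely an angle-bracketed value/unit form) and must be restored and escaped. `duration` says "one of `d`, `h`, `m`, or `s` for hours, minutes, seconds", four units against three names, with days missing; and `every` defines months as `M` but its example uses `3m`, which by the `duration` convention means minutes, so change the example to `3M`. Separately, the `page` query parameter has `maximum: 100`, which at the default `per_page` of 10 makes any maintenance window beyond the first 1,000 unreachable through this endpoint; either document that limit or raise it, and `page`, `per_page` and `total` should be `type: integer` rather than `number`.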
+ /api/maintenance_window/{id}/_archive:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/maintenance_window/{id}/_archive
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: write-maintenance-window.
+ operationId: post-maintenance-window-id-archive
+ parameters:
+ - description: The identifier for the maintenance window to be archived.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ created_at:
+ description: The date and time when the maintenance window was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the maintenance window.
+ nullable: true
+ type: string
+ enabled:
+ description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
+ type: boolean
+ id:
+ description: The identifier for the maintenance window.
+ type: string
+ schedule:
+ additionalProperties: false
+ properties:
+ custom:
+ additionalProperties: false
+ properties:
+ duration:
+ description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
+ type: string
+ recurring:
+ additionalProperties: false
+ properties:
+ end:
+ description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ type: string
+ every:
+ description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ type: string
+ occurrences:
+ description: The total number of recurrences of the schedule.
+ type: number
+ onMonth:
+ description: The specific months for a recurring schedule. Valid values are 1-12.
+ items:
+ type: number
+ type: array
+ onMonthDay:
+ description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ items:
+ type: number
+ type: array
+ onWeekDay:
+ description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ items:
+ type: string
+ type: array
+ type: object
+ start:
+ description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ type: string
+ timezone:
+ description: The timezone of the schedule. The default timezone is UTC.
+ type: string
+ required:
+ - start
+ - duration
+ type: object
+ required:
+ - custom
+ type: object
+ scope:
+ additionalProperties: false
+ properties:
+ alerting:
+ additionalProperties: false
+ properties:
+ query:
+ additionalProperties: false
+ properties:
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ type: object
+ required:
+ - query
+ type: object
+ required:
+ - alerting
+ type: object
+ status:
+ description: The current status of the maintenance window.
+ enum:
+ - running
+ - upcoming
+ - finished
+ - archived
+ type: string
+ title:
+ description: The name of the maintenance window.
+ type: string
+ updated_at:
+ description: The date and time when the maintenance window was last updated.
+ type: string
+ updated_by:
+ description: The identifier for the user that last updated this maintenance window.
+ nullable: true
+ type: string
+ required:
+ - id
+ - title
+ - enabled
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - status
+ - schedule
+ type: object
+ description: Indicates a successful call.
+ "400":
+ description: Indicates an invalid schema or parameters.
+ "403":
+ description: Indicates that this call is forbidden.
+ "404":
+ description: Indicates a maintenance window with the given ID does not exist.
+ summary: Archive a maintenance window.
+ tags:
+ - maintenance-window
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.1.0
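Review bot: `_archive` documents 400, 403 and 404 but no 401 response, although the route requires the `write-maintenance-window` privilege and an unauthenticated caller is the first case a client has to handle; add it for consistency with the Lists API operations above.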
+ /api/maintenance_window/{id}/_unarchive:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/maintenance_window/{id}/_unarchive
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: write-maintenance-window.
+ operationId: post-maintenance-window-id-unarchive
+ parameters:
+ - description: The identifier for the maintenance window to be unarchived.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ created_at:
+ description: The date and time when the maintenance window was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the maintenance window.
+ nullable: true
+ type: string
+ enabled:
+ description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
+ type: boolean
+ id:
+ description: The identifier for the maintenance window.
+ type: string
+ schedule:
+ additionalProperties: false
+ properties:
+ custom:
+ additionalProperties: false
+ properties:
+ duration:
+ description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
+ type: string
+ recurring:
+ additionalProperties: false
+ properties:
+ end:
+ description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ type: string
+ every:
+ description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ type: string
+ occurrences:
+ description: The total number of recurrences of the schedule.
+ type: number
+ onMonth:
+ description: The specific months for a recurring schedule. Valid values are 1-12.
+ items:
+ type: number
+ type: array
+ onMonthDay:
+ description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ items:
+ type: number
+ type: array
+ onWeekDay:
+ description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ items:
+ type: string
+ type: array
+ type: object
+ start:
+ description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ type: string
+ timezone:
+ description: The timezone of the schedule. The default timezone is UTC.
+ type: string
+ required:
+ - start
+ - duration
+ type: object
+ required:
+ - custom
+ type: object
+ scope:
+ additionalProperties: false
+ properties:
+ alerting:
+ additionalProperties: false
+ properties:
+ query:
+ additionalProperties: false
+ properties:
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ type: object
+ required:
+ - query
+ type: object
+ required:
+ - alerting
+ type: object
+ status:
+ description: The current status of the maintenance window.
+ enum:
+ - running
+ - upcoming
+ - finished
+ - archived
+ type: string
+ title:
+ description: The name of the maintenance window.
+ type: string
+ updated_at:
+ description: The date and time when the maintenance window was last updated.
+ type: string
+ updated_by:
+ description: The identifier for the user that last updated this maintenance window.
+ nullable: true
+ type: string
+ required:
+ - id
+ - title
+ - enabled
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - status
+ - schedule
+ type: object
+ description: Indicates a successful call.
+ "400":
+ description: Indicates an invalid schema or parameters.
+ "403":
+ description: Indicates that this call is forbidden.
+ "404":
+ description: Indicates a maintenance window with the given ID does not exist.
+ summary: Unarchive a maintenance window.
+ tags:
+ - maintenance-window
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.1.0
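Review bot: the maintenance-window response object (`created_at` through `updated_by`, including the full `schedule` and `scope` subtrees) is repeated verbatim for `_find`, `_archive` and `_unarchive`; move it to `components/schemas` and `$ref` it from the three operations so the copies cannot drift, which is already happening in the sense that the `duration`/`every` description defects are triplicated and would have to be fixed three times. `_unarchive` also lacks a 401 response, as `_archive` does.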
+ /api/ml/saved_objects/sync:
+ get:
+ description: |
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/ml/saved_objects/sync
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Synchronizes Kibana saved objects for machine learning jobs and trained models in the default space. You must have `all` privileges for the **Machine Learning** feature in the **Analytics** section of the Kibana feature privileges. This API runs automatically when you start Kibana and periodically thereafter.
+ operationId: mlSync
+ parameters:
+ - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response'
+ description: Indicates a successful call
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse'
+ description: Authorization information is missing or invalid.
+ summary: Sync saved objects in the default space
+ tags:
+ - ml
+ x-metaTags:
+ - content: Kibana
+ name: product_name
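Review bot: `mlSync` documents 401 ("Authorization information is missing or invalid") but not 403, although the description requires `all` privileges for the Machine Learning feature; an authenticated caller without that privilege is a distinct outcome and should have its own response entry.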
+ /api/note:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/note
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get all notes for a given document.
+ operationId: GetNotes
+ parameters:
+ - in: query
+ name: documentIds
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_DocumentIds'
+ - in: query
+ name: savedObjectIds
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds'
+ - in: query
+ name: page
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: perPage
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: search
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: sortField
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: sortOrder
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: filter
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: createdByFilter
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: associatedFilter
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult'
+ description: Indicates the requested notes were returned.
+ summary: Get notes
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ patch:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ patch /s/{space_id}/api/note
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Add a note to a Timeline or update an existing note.
+ operationId: PersistNoteRoute
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ note:
+ $ref: '#/components/schemas/Security_Timeline_API_BareNote'
+ description: The note to add or update.
+ noteId:
+ description: The `savedObjectId` of the note
+ nullable: true
+ type: string
+ x-omitempty: true
+ version:
+ description: The version of the note
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - note
+ type: object
+ description: The note to add or update, along with additional metadata.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_ResponseNote'
+ description: Indicates the note was successfully created.
+ summary: Add or update a note
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/note
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a note from a Timeline using the note ID.
+ operationId: DeleteNote
+ requestBody:
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - nullable: true
+ properties:
+ noteId:
+ type: string
+ required:
+ - noteId
+ type: object
+ - nullable: true
+ properties:
+ noteIds:
+ items:
+ type: string
+ nullable: true
+ type: array
+ required:
+ - noteIds
+ type: object
+ description: The ID of the note to delete.
+ required: true
+ responses:
+ "200":
+ description: Indicates the note was successfully deleted.
+ summary: Delete a note
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
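Review bot: on `get /api/note`, `page` and `perPage` are declared as nullable `type: string` with no description, so pagination values arrive as unvalidated strings; declare them as integers with a `minimum`, as the other paginated operations in this file do, and describe them. The `patch` 200 description says "the note was successfully created" even though the operation also updates an existing note. `delete /api/note` takes its target in a JSON request body (`noteId` or `noteIds`), which many HTTP clients and intermediaries do not forward on DELETE; at minimum the body description "The ID of the note to delete." should mention the multi-ID form, and the `nullable: true` on both `oneOf` branches contradicts `required: true` on the body.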
+ /api/observability_ai_assistant/chat/complete:
+ post:
+ description: "**Spaces method and path for this operation:**\n\npost /s/{space_id}/api/observability_ai_assistant/chat/complete
\n\nRefer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.\n\nCreate a new chat completion by using the Observability AI Assistant. \n\nThe API returns the model's response based on the current conversation context. \n\nIt also handles any tool requests within the conversation, which may trigger multiple calls to the underlying large language model (LLM). \n\nThis functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.\n"
+ operationId: observability-ai-assistant-chat-complete
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Observability_AI_Assistant_API_Function'
+ type: array
+ connectorId:
+ description: A unique identifier for the connector.
+ type: string
+ conversationId:
+ description: A unique identifier for the conversation if you are continuing an existing conversation.
+ type: string
+ disableFunctions:
+ description: Flag indicating whether all function calls should be disabled for the conversation. If true, no calls to functions will be made.
+ type: boolean
+ instructions:
+ description: An array of instruction objects, which can be either simple strings or detailed objects.
+ items:
+ $ref: '#/components/schemas/Observability_AI_Assistant_API_Instruction'
+ type: array
+ messages:
+ description: An array of message objects containing the conversation history.
+ items:
+ $ref: '#/components/schemas/Observability_AI_Assistant_API_Message'
+ type: array
+ persist:
+ description: Indicates whether the conversation should be saved to storage. If true, the conversation will be saved and will be available in Kibana.
+ type: boolean
+ title:
+ description: A title for the conversation.
+ type: string
+ required:
+ - messages
+ - connectorId
+ - persist
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Successful response
+ summary: Generate a chat completion
+ tags:
+ - observability_ai_assistant
+ x-codeSamples:
+ - lang: cURL
+ source: |
+ curl --request POST 'localhost:5601/api/observability_ai_assistant/chat/complete' -u : -H 'kbn-xsrf: true' -H "Content-Type: application/json" --data '
+ {
+ "connectorId": "",
+ "disableFunctions": false,
+ "messages": [
+ {
+ "@timestamp": "2025-06-25T23:45:00.000Z",
+ "message": {
+ "role": "user",
+ "content": "Is my Elasticsearch cluster healthy right now?"
+ }
+ }
+ ],
+ "persist": false,
+ "actions": [
+ {
+ "name": "get_cluster_health",
+ "description": "Fetch the current Elasticsearch cluster-health status and key metrics.",
+ "parameters": {
+ "type": "object",
+ "properties": {
+ "includeShardStats": {
+ "type": "boolean",
+ "default": false
+ }
+ }
+ }
+ }
+ ],
+ "instructions": ["When the user asks about Elasticsearch cluster health, use the get_cluster_health tool to retrieve cluster health, then summarize the response in plain English."]
+ }'
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
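Review bot: the `description` here is a double-quoted flow scalar split across two source lines, unlike the `|`/`|-` block scalars used everywhere else in the file; convert it so the text is readable in source and the stray trailing spaces before `\n` go away. The `actions` property has no description even though the cURL sample depends on it to register a tool (`get_cluster_health`) that the assistant may call, and the technical-preview paragraph in the description duplicates `x-state: Technical Preview`. The only documented response is an untyped 200; add the 4xx responses, and note in the `connectorId` description that the sample's empty string is a placeholder to be replaced with a real connector ID.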
+ /api/osquery/live_queries:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/osquery/live_queries
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of all live queries.
+ operationId: OsqueryFindLiveQueries
+ parameters:
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
+ - in: query
+ name: page
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
+ - in: query
+ name: pageSize
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
+ - in: query
+ name: sort
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryResponse'
+ description: OK
+ summary: Get live queries
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/osquery/live_queries
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create and run a live query.
+ operationId: OsqueryCreateLiveQuery
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryResponse'
+ description: OK
+ summary: Create a live query
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/osquery/live_queries/{id}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/osquery/live_queries/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the details of a live query using the query ID.
+ operationId: OsqueryGetLiveQueryDetails
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ description: The ID of the live query result you want to retrieve.
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryDetailsResponse'
+ description: OK
+ summary: Get live query details
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/osquery/live_queries/{id}/results/{actionId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/osquery/live_queries/{id}/results/{actionId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the results of a live query using the query action ID.
+ operationId: OsqueryGetLiveQueryResults
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ description: The ID of the live query result you want to retrieve.
+ type: string
+ - in: path
+ name: actionId
+ required: true
+ schema:
+ description: The ID of the query action that generated the live query results.
+ type: string
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
+ - in: query
+ name: page
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
+ - in: query
+ name: pageSize
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
+ - in: query
+ name: sort
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsResponse'
+ description: OK
+ summary: Get live query results
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/osquery/packs:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/osquery/packs
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of all query packs.
+ operationId: OsqueryFindPacks
+ parameters:
+ - in: query
+ name: page
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
+ - in: query
+ name: pageSize
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
+ - in: query
+ name: sort
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_FindPacksResponse'
+ description: OK
+ summary: Get packs
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/osquery/packs
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a query pack.
+ operationId: OsqueryCreatePacks
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_CreatePacksResponse'
+ description: OK
+ summary: Create a pack
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/osquery/packs/{id}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/osquery/packs/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the details of a query pack using the pack ID.
+ operationId: OsqueryGetPacksDetails
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PackId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_FindPackResponse'
+ description: OK
+ summary: Get pack details
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/osquery/packs/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update a query pack using the pack ID.
+ > info
+ > You cannot update a prebuilt pack.
+ operationId: OsqueryUpdatePacks
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PackId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksResponse'
+ description: OK
+ summary: Update a pack
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/osquery/packs/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a query pack using the pack ID.
+ operationId: OsqueryDeletePacks
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PackId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties: {}
+ type: object
+ description: OK
+ summary: Delete a pack
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/osquery/saved_queries:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/osquery/saved_queries
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of all saved queries.
+ operationId: OsqueryFindSavedQueries
+ parameters:
+ - in: query
+ name: page
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
+ - in: query
+ name: pageSize
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
+ - in: query
+ name: sort
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryResponse'
+ description: OK
+ summary: Get saved queries
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/osquery/saved_queries
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create and run a saved query.
+ operationId: OsqueryCreateSavedQuery
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryResponse'
+ description: OK
+ summary: Create a saved query
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/osquery/saved_queries/{id}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/osquery/saved_queries/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the details of a saved query using the query ID.
+ operationId: OsqueryGetSavedQueryDetails
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryDetailResponse'
+ description: OK
+ summary: Get saved query details
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/osquery/saved_queries/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update a saved query using the query ID.
+ > info
+ > You cannot update a prebuilt saved query.
+ operationId: OsqueryUpdateSavedQuery
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryResponse'
+ description: OK
+ summary: Update a saved query
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/osquery/saved_queries/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a saved query using the query ID.
+ operationId: OsqueryDeleteSavedQuery
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Delete a saved query
+ tags:
+ - Security Osquery API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/pinned_event:
+ patch:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ patch /s/{space_id}/api/pinned_event
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Pin/unpin an event to/from an existing Timeline.
+ operationId: PersistPinnedEventRoute
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ eventId:
+ description: The `_id` of the associated event for this pinned event.
+ type: string
+ pinnedEventId:
+ description: The `savedObjectId` of the pinned event you want to unpin.
+ nullable: true
+ type: string
+ x-omitempty: true
+ timelineId:
+ description: The `savedObjectId` of the timeline that you want this pinned event unpinned from.
+ type: string
+ required:
+ - eventId
+ - timelineId
+ type: object
+ description: The pinned event to add or unpin, along with additional metadata.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse'
+ description: Indicates the event was successfully pinned to or unpinned from the Timeline.
+ summary: Pin/unpin an event
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/risk_score/engine/dangerously_delete_data:
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/risk_score/engine/dangerously_delete_data
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Cleaning up the the Risk Engine by removing the indices, mapping and transforms
+ operationId: CleanUpRiskEngine
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ cleanup_successful:
+ type: boolean
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+ description: Task manager is unavailable
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse'
+ description: Unexpected error
+ summary: Cleanup the Risk Engine
+ tags:
+ - Security Entity Analytics API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/risk_score/engine/saved_object/configure:
+ patch:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ patch /s/{space_id}/api/risk_score/engine/saved_object/configure
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Configuring the Risk Engine Saved Object
+ operationId: ConfigureRiskEngineSavedObject
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ enable_reset_to_zero:
+ type: boolean
+ exclude_alert_statuses:
+ items:
+ type: string
+ type: array
+ exclude_alert_tags:
+ items:
+ type: string
+ type: array
+ filters:
+ items:
+ properties:
+ entity_types:
+ items:
+ enum:
+ - host
+ - user
+ - service
+ type: string
+ type: array
+ filter:
+ description: KQL filter string
+ type: string
+ required:
+ - entity_types
+ - filter
+ type: object
+ type: array
+ range:
+ properties:
+ end:
+ type: string
+ start:
+ type: string
+ type: object
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ risk_engine_saved_object_configured:
+ type: boolean
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+ description: Task manager is unavailable
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse'
+ description: Unexpected error
+ summary: Configure the Risk Engine Saved Object
+ tags:
+ - Security Entity Analytics API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/risk_score/engine/schedule_now:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/risk_score/engine/schedule_now
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.
+ operationId: ScheduleRiskEngineNow
+ requestBody:
+ content:
+ application/json: {}
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+ description: Task manager is unavailable
+ default:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse'
+ description: Unexpected error
+ summary: Run the risk scoring engine
+ tags:
+ - Security Entity Analytics API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/_bulk_create:
+ post:
+ deprecated: true
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/saved_objects/_bulk_create
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: bulkCreateSavedObjects
+ parameters:
+ - description: When true, overwrites the document with the same identifier.
+ in: query
+ name: overwrite
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json:
+ schema:
+ items:
+ type: object
+ type: array
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Saved_objects_400_response'
+ description: Bad request
+ summary: Create saved objects
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/_bulk_delete:
+ post:
+ deprecated: true
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/saved_objects/_bulk_delete
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ WARNING: When you delete a saved object, it cannot be recovered.
+ operationId: bulkDeleteSavedObjects
+ parameters:
+ - description: |
+ When true, force delete objects that exist in multiple namespaces. Note that the option applies to the whole request. Use the delete object API to specify per-object deletion behavior. TIP: Use this if you attempted to delete objects and received an HTTP 400 error with the following message: "Unable to delete saved object that exists in multiple namespaces, use the force option to delete it anyway". WARNING: When you bulk delete objects that exist in multiple namespaces, the API also deletes legacy url aliases that reference the object. These requests are batched to minimise the impact but they can place a heavy load on Kibana. Make sure you limit the number of objects that exist in multiple namespaces in a single bulk delete operation.
+ in: query
+ name: force
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json:
+ schema:
+ items:
+ type: object
+ type: array
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: |
+ Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Saved_objects_400_response'
+ description: Bad request
+ summary: Delete saved objects
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/_bulk_get:
+ post:
+ deprecated: true
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/saved_objects/_bulk_get
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: bulkGetSavedObjects
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ items:
+ type: object
+ type: array
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Saved_objects_400_response'
+ description: Bad request
+ summary: Get saved objects
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/_bulk_resolve:
+ post:
+ deprecated: true
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/saved_objects/_bulk_resolve
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Retrieve multiple Kibana saved objects by identifier using any legacy URL aliases if they exist. Under certain circumstances when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved by the bulk resolve API using either its new ID or its old ID.
+ operationId: bulkResolveSavedObjects
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ items:
+ type: object
+ type: array
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: "Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. \n"
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Saved_objects_400_response'
+ description: Bad request
+ summary: Resolve saved objects
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/_bulk_update:
+ post:
+ deprecated: true
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/saved_objects/_bulk_update
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update the attributes for multiple Kibana saved objects.
+ operationId: bulkUpdateSavedObjects
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ items:
+ type: object
+ type: array
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: "Indicates a successful call. NOTE: This HTTP response code indicates that the bulk operation succeeded. Errors pertaining to individual objects will be returned in the response body. \n"
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Saved_objects_400_response'
+ description: Bad request
+ summary: Update saved objects
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/_export:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/saved_objects/_export
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Retrieve sets of saved objects that you want to import into Kibana. You must include `type` or `objects` in the request body. The output of exporting saved objects must be treated as opaque. Tampering with exported data risks introducing unspecified errors and data loss.
+
+ Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
+
+ NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported.
+ operationId: post-saved-objects-export
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ excludeExportDetails:
+ default: false
+ description: Do not add export details entry at the end of the stream.
+ type: boolean
+ hasReference:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ - id
+ type: object
+ - items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ - id
+ type: object
+ type: array
+ includeReferencesDeep:
+ default: false
+ description: Includes all of the referenced objects in the exported objects.
+ type: boolean
+ objects:
+ description: 'A list of objects to export. NOTE: this optional parameter cannot be combined with the `types` option'
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ - id
+ type: object
+ maxItems: 10000
+ type: array
+ search:
+ description: Search for documents to export using the Elasticsearch Simple Query String syntax.
+ type: string
+ type:
+ anyOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ description: The saved object types to include in the export. Use `*` to export all the types. Valid options depend on enabled plugins, but may include `visualization`, `dashboard`, `search`, `index-pattern`, `tag`, `config`, `config-global`, `lens`, `map`, `event-annotation-group`, `query`, `url`, `action`, `alert`, `alerting_rule_template`, `apm-indices`, `cases-user-actions`, `cases`, `cases-comments`, `infrastructure-monitoring-log-view`, `ml-trained-model`, `osquery-saved-query`, `osquery-pack`, `osquery-pack-asset`.
+ type: object
+ responses:
+ "200":
+ content:
+ application/x-ndjson:
+ schema: {}
+ description: Indicates a successfull call.
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Indicates an unsuccessful response.
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ enum:
+ - 400
+ type: integer
+ required:
+ - error
+ - message
+ - statusCode
+ type: object
+ description: Bad request.
+ summary: Export saved objects
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/_find:
+ get:
+ deprecated: true
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/saved_objects/_find
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Retrieve a paginated set of Kibana saved objects.
+ operationId: findSavedObjects
+ parameters:
+ - description: |
+ An aggregation structure, serialized as a string. The field format is similar to filter, meaning that to use a saved object type attribute in the aggregation, the `savedObjectType.attributes.title: "myTitle"` format must be used. For root fields, the syntax is `savedObjectType.rootField`. NOTE: As objects change in Kibana, the results on each page of the response also change. Use the find API for traditional paginated results, but avoid using it to export large amounts of data.
+ in: query
+ name: aggs
+ schema:
+ type: string
+ - description: The default operator to use for the `simple_query_string`.
+ in: query
+ name: default_search_operator
+ schema:
+ type: string
+ - description: The fields to return in the attributes key of the response.
+ in: query
+ name: fields
+ schema:
+ oneOf:
+ - type: string
+ - type: array
+ - description: |
+ The filter is a KQL string with the caveat that if you filter with an attribute from your saved object type, it should look like that: `savedObjectType.attributes.title: "myTitle"`. However, if you use a root attribute of a saved object such as `updated_at`, you will have to define your filter like that: `savedObjectType.updated_at > 2018-12-22`.
+ in: query
+ name: filter
+ schema:
+ type: string
+ - description: Filters to objects that do not have a relationship with the type and identifier combination.
+ in: query
+ name: has_no_reference
+ schema:
+ type: object
+ - description: The operator to use for the `has_no_reference` parameter. Either `OR` or `AND`. Defaults to `OR`.
+ in: query
+ name: has_no_reference_operator
+ schema:
+ type: string
+ - description: Filters to objects that have a relationship with the type and ID combination.
+ in: query
+ name: has_reference
+ schema:
+ type: object
+ - description: The operator to use for the `has_reference` parameter. Either `OR` or `AND`. Defaults to `OR`.
+ in: query
+ name: has_reference_operator
+ schema:
+ type: string
+ - description: The page of objects to return.
+ in: query
+ name: page
+ schema:
+ type: integer
+ - description: The number of objects to return per page.
+ in: query
+ name: per_page
+ schema:
+ type: integer
+ - description: An Elasticsearch `simple_query_string` query that filters the objects in the response.
+ in: query
+ name: search
+ schema:
+ type: string
+ - description: The fields to perform the `simple_query_string` parsed query against.
+ in: query
+ name: search_fields
+ schema:
+ oneOf:
+ - type: string
+ - type: array
+ - description: |
+ Sorts the response. Includes "root" and "type" fields. "root" fields exist for all saved objects, such as "updated_at". "type" fields are specific to an object type, such as fields returned in the attributes key of the response. When a single type is defined in the type parameter, the "root" and "type" fields are allowed, and validity checks are made in that order. When multiple types are defined in the type parameter, only "root" fields are allowed.
+ in: query
+ name: sort_field
+ schema:
+ type: string
+ - description: The saved object types to include.
+ in: query
+ name: type
+ required: true
+ schema:
+ oneOf:
+ - type: string
+ - type: array
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Saved_objects_400_response'
+ description: Bad request
+ summary: Search for saved objects
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/_import:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/saved_objects/_import
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create sets of Kibana saved objects from a file created by the export API. Saved objects can only be imported into the same version, a newer minor on the same major, or the next major. Tampering with exported data risks introducing unspecified errors and data loss.
+
+ Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
+ operationId: post-saved-objects-import
+ parameters:
+ - description: 'Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.'
+ in: query
+ name: overwrite
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - description: 'Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.'
+ in: query
+ name: createNewCopies
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - description: 'Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.'
+ in: query
+ name: compatibilityMode
+ required: false
+ schema:
+ default: false
+ type: boolean
+ requestBody:
+ content:
+ multipart/form-data:
+ schema:
+ additionalProperties: false
+ properties:
+ file:
+ description: 'A file exported using the export API. Changing the contents of the exported file in any way before importing it can cause errors, crashes or data loss. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.'
+ type: object
+ required:
+ - file
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ errors:
+ description: |-
+ Indicates the import was unsuccessful and specifies the objects that failed to import.
+
+ NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error.
+ items:
+ additionalProperties: true
+ properties: {}
+ type: object
+ type: array
+ success:
+ description: Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties.
+ type: boolean
+ successCount:
+ description: Indicates the number of successfully imported records.
+ type: number
+ successResults:
+ description: |-
+ Indicates the objects that are successfully imported, with any metadata if applicable.
+
+ NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute.
+ items:
+ additionalProperties: true
+ properties: {}
+ type: object
+ type: array
+ required:
+ - success
+ - successCount
+ - errors
+ - successResults
+ type: object
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ description: Indicates an unsuccessful response.
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ enum:
+ - 400
+ type: integer
+ required:
+ - error
+ - message
+ - statusCode
+ type: object
+ description: Bad request.
+ summary: Import saved objects
+ tags:
+ - saved objects
+ x-codeSamples:
+ - label: Import with createNewCopies
+ lang: cURL
+ source: |
+ curl \
+ -X POST api/saved_objects/_import?createNewCopies=true
+ -H "kbn-xsrf: true"
+ --form file=@file.ndjson
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/_resolve_import_errors:
+ post:
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/saved_objects/_resolve_import_errors
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ To resolve errors from the Import objects API, you can:
+
+ * Retry certain saved objects
+ * Overwrite specific saved objects
+ * Change references to different saved objects
+ operationId: resolveImportErrors
+ parameters:
+ - description: |
+ Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. When enabled during the initial import, also enable when resolving import errors. This option cannot be used with the `createNewCopies` option.
+ in: query
+ name: compatibilityMode
+ required: false
+ schema:
+ type: boolean
+ - description: |
+ Creates copies of the saved objects, regenerates each object ID, and resets the origin. When enabled during the initial import, also enable when resolving import errors.
+ in: query
+ name: createNewCopies
+ required: false
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ multipart/form-data:
+ schema:
+ properties:
+ file:
+ description: The same file given to the import API.
+ format: binary
+ type: string
+ retries:
+ description: The retry operations, which can specify how to resolve different types of errors.
+ items:
+ properties:
+ destinationId:
+ description: Specifies the destination ID that the imported object should have, if different from the current ID.
+ type: string
+ id:
+ description: The saved object ID.
+ type: string
+ ignoreMissingReferences:
+ description: When set to `true`, ignores missing reference errors. When set to `false`, does nothing.
+ type: boolean
+ overwrite:
+ description: When set to `true`, the source object overwrites the conflicting destination object. When set to `false`, does nothing.
+ type: boolean
+ replaceReferences:
+ description: A list of `type`, `from`, and `to` used to change the object references.
+ items:
+ properties:
+ from:
+ type: string
+ to:
+ type: string
+ type:
+ type: string
+ type: object
+ type: array
+ type:
+ description: The saved object type.
+ type: string
+ required:
+ - type
+ - id
+ type: object
+ type: array
+ required:
+ - retries
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ errors:
+ description: |
+ Specifies the objects that failed to resolve.
+
+ NOTE: One object can result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and a `conflict` error.
+ items:
+ type: object
+ type: array
+ success:
+ description: |
+ Indicates a successful import. When set to `false`, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties.
+ type: boolean
+ successCount:
+ description: |
+ Indicates the number of successfully resolved records.
+ type: number
+ successResults:
+ description: |
+ Indicates the objects that are successfully imported, with any metadata if applicable.
+
+ NOTE: Objects are only created when all resolvable errors are addressed, including conflict and missing references.
+ items:
+ type: object
+ type: array
+ type: object
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Saved_objects_400_response'
+ description: Bad request.
+ summary: Resolve import errors
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/{type}:
+ post:
+ deprecated: true
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/saved_objects/{type}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a Kibana saved object with a randomly generated identifier.
+ operationId: createSavedObject
+ parameters:
+ - $ref: '#/components/parameters/Saved_objects_saved_object_type'
+ - description: If true, overwrites the document with the same identifier.
+ in: query
+ name: overwrite
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ attributes:
+ $ref: '#/components/schemas/Saved_objects_attributes'
+ initialNamespaces:
+ $ref: '#/components/schemas/Saved_objects_initial_namespaces'
+ references:
+ $ref: '#/components/schemas/Saved_objects_references'
+ required:
+ - attributes
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call.
+ "409":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a conflict error.
+ summary: Create a saved object
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/{type}/{id}:
+ get:
+ deprecated: true
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/saved_objects/{type}/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Retrieve a single Kibana saved object by identifier.
+ operationId: getSavedObject
+ parameters:
+ - $ref: '#/components/parameters/Saved_objects_saved_object_id'
+ - $ref: '#/components/parameters/Saved_objects_saved_object_type'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Saved_objects_400_response'
+ description: Bad request.
+ summary: Get a saved object
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ deprecated: true
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/saved_objects/{type}/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a Kibana saved object and specify its identifier instead of using a randomly generated ID.
+ operationId: createSavedObjectId
+ parameters:
+ - $ref: '#/components/parameters/Saved_objects_saved_object_id'
+ - $ref: '#/components/parameters/Saved_objects_saved_object_type'
+ - description: If true, overwrites the document with the same identifier.
+ in: query
+ name: overwrite
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ attributes:
+ $ref: '#/components/schemas/Saved_objects_attributes'
+ initialNamespaces:
+ $ref: '#/components/schemas/Saved_objects_initial_namespaces'
+ references:
+ $ref: '#/components/schemas/Saved_objects_initial_namespaces'
+ required:
+ - attributes
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call.
+ "409":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a conflict error.
+ summary: Create a saved object
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ deprecated: true
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/saved_objects/{type}/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update the attributes for Kibana saved objects.
+ operationId: updateSavedObject
+ parameters:
+ - $ref: '#/components/parameters/Saved_objects_saved_object_id'
+ - $ref: '#/components/parameters/Saved_objects_saved_object_type'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call.
+ "404":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates the object was not found.
+ "409":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a conflict error.
+ summary: Update a saved object
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/saved_objects/resolve/{type}/{id}:
+ get:
+ deprecated: true
+ description: |
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/saved_objects/resolve/{type}/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Retrieve a single Kibana saved object by identifier using any legacy URL alias if it exists. Under certain circumstances, when Kibana is upgraded, saved object migrations may necessitate regenerating some object IDs to enable new features. When an object's ID is regenerated, a legacy URL alias is created for that object, preserving its old ID. In such a scenario, that object can be retrieved using either its new ID or its old ID.
+ operationId: resolveSavedObject
+ parameters:
+ - $ref: '#/components/parameters/Saved_objects_saved_object_id'
+ - $ref: '#/components/parameters/Saved_objects_saved_object_type'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Saved_objects_400_response'
+ description: Bad request.
+ summary: Resolve a saved object
+ tags:
+ - saved objects
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security/role:
+ get:
+ operationId: get-security-role
+ parameters:
+ - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
+ in: query
+ name: replaceDeprecatedPrivileges
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json: {}
+ description: Indicates a successful call.
+ summary: Get all roles
+ tags:
+ - roles
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security/role/_query:
+ post:
+ operationId: post-security-role-query
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ filters:
+ additionalProperties: false
+ properties:
+ showReservedRoles:
+ type: boolean
+ type: object
+ from:
+ type: number
+ query:
+ type: string
+ size:
+ type: number
+ sort:
+ additionalProperties: false
+ properties:
+ direction:
+ enum:
+ - asc
+ - desc
+ type: string
+ field:
+ type: string
+ required:
+ - field
+ - direction
+ type: object
+ type: object
+ responses:
+ "200":
+ description: Indicates a successful call.
+ summary: Query roles
+ tags: []
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security/role/{name}:
+ get:
+ operationId: get-security-role-name
+ parameters:
+ - description: The role name.
+ in: path
+ name: name
+ required: true
+ schema:
+ minLength: 1
+ type: string
+ - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
+ in: query
+ name: replaceDeprecatedPrivileges
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json: {}
+ description: Indicates a successful call.
+ summary: Get a role
+ tags:
+ - roles
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.
+ operationId: put-security-role-name
+ parameters:
+ - description: The role name.
+ in: path
+ name: name
+ required: true
+ schema:
+ maxLength: 1024
+ minLength: 1
+ type: string
+ - description: When true, a role is not overwritten if it already exists.
+ in: query
+ name: createOnly
+ required: false
+ schema:
+ default: false
+ type: boolean
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ description:
+ description: A description for the role.
+ maxLength: 2048
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ properties:
+ cluster:
+ items:
+ description: Cluster privileges that define the cluster level actions that users can perform.
+ type: string
+ type: array
+ indices:
+ items:
+ additionalProperties: false
+ properties:
+ allow_restricted_indices:
+ description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
+ type: boolean
+ field_security:
+ additionalProperties:
+ items:
+ description: The document fields that the role members have read access to.
+ type: string
+ type: array
+ type: object
+ names:
+ items:
+ description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The index level privileges that the role members have for the data streams and indices.
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
+ type: string
+ required:
+ - names
+ - privileges
+ type: object
+ type: array
+ remote_cluster:
+ items:
+ additionalProperties: false
+ properties:
+ clusters:
+ items:
+ description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
+ type: string
+ minItems: 1
+ type: array
+ required:
+ - privileges
+ - clusters
+ type: object
+ type: array
+ remote_indices:
+ items:
+ additionalProperties: false
+ properties:
+ allow_restricted_indices:
+ description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
+ type: boolean
+ clusters:
+ items:
+ description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ type: string
+ minItems: 1
+ type: array
+ field_security:
+ additionalProperties:
+ items:
+ description: The document fields that the role members have read access to.
+ type: string
+ type: array
+ type: object
+ names:
+ items:
+ description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The index level privileges that role members have for the specified indices.
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. '
+ type: string
+ required:
+ - clusters
+ - names
+ - privileges
+ type: object
+ type: array
+ run_as:
+ items:
+ description: A user name that the role member can impersonate.
+ type: string
+ type: array
+ type: object
+ kibana:
+ items:
+ additionalProperties: false
+ properties:
+ base:
+ nullable: true
+ oneOf:
+ - items:
+ description: A base privilege that grants applies to all spaces.
+ type: string
+ type: array
+ - items:
+ description: A base privilege that applies to specific spaces.
+ type: string
+ type: array
+ x-omitempty: true
+ feature:
+ additionalProperties:
+ items:
+ description: The privileges that the role member has for the feature.
+ type: string
+ type: array
+ type: object
+ spaces:
+ items:
+ description: A space that the privilege applies to.
+ type: string
+ type: array
+ required:
+ - base
+ type: object
+ type: array
+ metadata:
+ additionalProperties: {}
+ type: object
+ required:
+ - elasticsearch
+ type: object
+ responses:
+ "204":
+ description: Indicates a successful call.
+ summary: Create or update a role
+ tags:
+ - roles
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ operationId: delete-security-role-name
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ minLength: 1
+ type: string
+ responses:
+ "204":
+ description: Indicates a successful call.
+ summary: Delete a role
+ tags:
+ - roles
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security/roles:
+ post:
+ operationId: post-security-roles
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ roles:
+ properties:
+ description:
+ description: A description for the role.
+ maxLength: 2048
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ properties:
+ cluster:
+ items:
+ description: Cluster privileges that define the cluster level actions that users can perform.
+ type: string
+ type: array
+ indices:
+ items:
+ additionalProperties: false
+ properties:
+ allow_restricted_indices:
+ description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
+ type: boolean
+ field_security:
+ additionalProperties:
+ items:
+ description: The document fields that the role members have read access to.
+ type: string
+ type: array
+ type: object
+ names:
+ items:
+ description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The index level privileges that the role members have for the data streams and indices.
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
+ type: string
+ required:
+ - names
+ - privileges
+ type: object
+ type: array
+ remote_cluster:
+ items:
+ additionalProperties: false
+ properties:
+ clusters:
+ items:
+ description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
+ type: string
+ minItems: 1
+ type: array
+ required:
+ - privileges
+ - clusters
+ type: object
+ type: array
+ remote_indices:
+ items:
+ additionalProperties: false
+ properties:
+ allow_restricted_indices:
+ description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
+ type: boolean
+ clusters:
+ items:
+ description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ type: string
+ minItems: 1
+ type: array
+ field_security:
+ additionalProperties:
+ items:
+ description: The document fields that the role members have read access to.
+ type: string
+ type: array
+ type: object
+ names:
+ items:
+ description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The index level privileges that role members have for the specified indices.
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. '
+ type: string
+ required:
+ - clusters
+ - names
+ - privileges
+ type: object
+ type: array
+ run_as:
+ items:
+ description: A user name that the role member can impersonate.
+ type: string
+ type: array
+ type: object
+ kibana:
+ items:
+ additionalProperties: false
+ properties:
+ base:
+ nullable: true
+ oneOf:
+ - items:
+ description: A base privilege that grants applies to all spaces.
+ type: string
+ type: array
+ - items:
+ description: A base privilege that applies to specific spaces.
+ type: string
+ type: array
+ x-omitempty: true
+ feature:
+ additionalProperties:
+ items:
+ description: The privileges that the role member has for the feature.
+ type: string
+ type: array
+ type: object
+ spaces:
+ items:
+ description: A space that the privilege applies to.
+ type: string
+ type: array
+ required:
+ - base
+ type: object
+ type: array
+ metadata:
+ additionalProperties: {}
+ type: object
+ required:
+ - elasticsearch
+ type: object
+ required:
+ - roles
+ type: object
+ responses:
+ "200":
+ description: Indicates a successful call.
+ summary: Create or update roles
+ tags:
+ - roles
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security/session/_invalidate:
+ post:
+ description: |
+ Invalidate user sessions that match a query. To use this API, you must be a superuser.
+ operationId: post-security-session-invalidate
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ match:
+ description: |
+ The method Kibana uses to determine which sessions to invalidate. If it is `all`, all existing sessions will be invalidated. If it is `query`, only the sessions that match the query will be invalidated.
+ enum:
+ - all
+ - query
+ type: string
+ query:
+ description: |
+ The query that Kibana uses to match the sessions to invalidate when the `match` parameter is set to `query`.
+ properties:
+ provider:
+ description: The authentication providers that will have their user sessions invalidated.
+ properties:
+ name:
+ description: The authentication provider name.
+ type: string
+ type:
+ description: |
+ The authentication provide type. For example: `basic`, `token`, `saml`, `oidc`, `kerberos`, or `pki`.
+ type: string
+ required:
+ - type
+ type: object
+ username:
+ description: The username that will have its sessions invalidated.
+ type: string
+ required:
+ - provider
+ type: object
+ required:
+ - match
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ total:
+ description: The number of sessions that were successfully invalidated.
+ type: integer
+ type: object
+ description: Indicates a successful call
+ "403":
+ description: Indicates that the user may not be authorized to invalidate sessions for other users.
+ summary: Invalidate user sessions
+ tags:
+ - user session
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/anonymization_fields/_bulk_action:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/security_ai_assistant/anonymization_fields/_bulk_action
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.
+ operationId: PerformAnonymizationFieldsBulkAction
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ create:
+ description: Array of anonymization fields to create.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps'
+ type: array
+ delete:
+ description: Object containing the query to filter anonymization fields and/or an array of anonymization field IDs to delete.
+ properties:
+ ids:
+ description: Array of IDs to apply the action to.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter the bulk action.
+ type: string
+ type: object
+ update:
+ description: Array of anonymization fields to update.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps'
+ type: array
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse'
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ description: Error type or name.
+ type: string
+ message:
+ description: Detailed error message.
+ type: string
+ statusCode:
+ description: Status code of the response.
+ type: number
+ type: object
+ description: Generic Error
+ summary: Apply a bulk action to anonymization fields
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/anonymization_fields/_find:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/security_ai_assistant/anonymization_fields/_find
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of all anonymization fields.
+ operationId: FindAnonymizationFields
+ parameters:
+ - description: Fields to return
+ in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Search query
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - description: Field to sort by
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField'
+ - description: Sort order
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
+ - description: Page number
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ minimum: 1
+ type: integer
+ - description: AnonymizationFields per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 20
+ minimum: 0
+ type: integer
+ - description: If true, additionally fetch all anonymization fields, otherwise fetch only the provided page
+ in: query
+ name: all_data
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ aggregations:
+ properties:
+ field_status:
+ properties:
+ buckets:
+ properties:
+ allowed:
+ properties:
+ doc_count:
+ default: 0
+ type: integer
+ type: object
+ anonymized:
+ properties:
+ doc_count:
+ default: 0
+ type: integer
+ type: object
+ denied:
+ properties:
+ doc_count:
+ default: 0
+ type: integer
+ type: object
+ type: object
+ type: object
+ type: object
+ all:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
+ type: array
+ data:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
+ type: array
+ page:
+ type: integer
+ perPage:
+ type: integer
+ total:
+ type: integer
+ required:
+ - page
+ - perPage
+ - total
+ - data
+ type: object
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Generic Error
+ summary: Get anonymization fields
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/chat/complete:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/security_ai_assistant/chat/complete
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a model response for the given chat conversation.
+ operationId: ChatComplete
+ parameters:
+ - description: If true, the response will not include content references.
+ in: query
+ name: content_references_disabled
+ required: false
+ schema:
+ default: false
+ type: boolean
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps'
+ required: true
+ responses:
+ "200":
+ content:
+ application/octet-stream:
+ schema:
+ format: binary
+ type: string
+ description: Indicates a successful model response call.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ description: Error type.
+ type: string
+ message:
+ description: Human-readable error message.
+ type: string
+ statusCode:
+ description: HTTP status code.
+ type: number
+ type: object
+ description: Generic Error
+ summary: Create a model response
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/current_user/conversations:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/security_ai_assistant/current_user/conversations
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a new Security AI Assistant conversation. This endpoint allows the user to initiate a conversation with the Security AI Assistant by providing the required parameters.
+ operationId: CreateConversation
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ description: Indicates a successful call. The conversation was created successfully.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data.
+ summary: Create a conversation
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/security_ai_assistant/current_user/conversations
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ This endpoint allows users to permanently delete all conversations.
+ operationId: DeleteAllConversations
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ excludedIds:
+ description: Optional list of conversation IDs to delete.
+ items:
+ type: string
+ type: array
+ type: object
+ required: false
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ failures:
+ items:
+ type: string
+ type: array
+ success:
+ type: boolean
+ totalDeleted:
+ type: number
+ type: object
+ description: Indicates a successful call. The conversations were deleted successfully.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Generic Error. This response indicates an issue with the request.
+ summary: Delete conversations
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/current_user/conversations/_find:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/security_ai_assistant/current_user/conversations/_find
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of all conversations for the current user. This endpoint allows users to search, filter, sort, and paginate through their conversations.
+ operationId: FindConversations
+ parameters:
+ - description: A list of fields to include in the response. If omitted, all fields are returned.
+ in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: A search query to filter the conversations. Can match against titles, messages, or other conversation attributes.
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - description: The field by which to sort the results. Valid fields are `created_at`, `title`, and `updated_at`.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField'
+ - description: The order in which to sort the results. Can be either `asc` for ascending or `desc` for descending.
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
+ - description: The page number of the results to retrieve. Default is 1.
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ minimum: 1
+ type: integer
+ - description: The number of conversations to return per page. Default is 20.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 20
+ minimum: 0
+ type: integer
+ - description: Whether to return conversations that the current user owns. If true, only conversations owned by the user are returned.
+ in: query
+ name: is_owner
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ data:
+ description: A list of conversations.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ type: array
+ page:
+ description: The current page of the results.
+ type: integer
+ perPage:
+ description: The number of results returned per page.
+ type: integer
+ total:
+ description: The total number of conversations matching the filter criteria.
+ type: integer
+ required:
+ - page
+ - perPage
+ - total
+ - data
+ type: object
+ description: Successful response, returns a paginated list of conversations matching the specified criteria.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Generic Error. The request could not be processed due to an invalid query parameter or other issue.
+ summary: Get conversations
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/current_user/conversations/{id}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the details of an existing conversation using the conversation ID. This allows users to fetch the specific conversation data by its unique ID.
+ operationId: ReadConversation
+ parameters:
+ - description: The conversation's `id` value, a unique identifier for the conversation.
+ in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ description: Indicates a successful call. The conversation details are returned.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Generic Error. The request could not be processed due to an error.
+ summary: Get a conversation
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update an existing conversation using the conversation ID. This endpoint allows users to modify the details of an existing conversation.
+ operationId: UpdateConversation
+ parameters:
+ - description: The conversation's `id` value.
+ in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ description: Indicates a successful call. The conversation was updated successfully.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Generic Error. This response indicates an issue with the request, such as missing required parameters or incorrect data.
+ summary: Update a conversation
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/security_ai_assistant/current_user/conversations/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete an existing conversation using the conversation ID. This endpoint allows users to permanently delete a conversation.
+ operationId: DeleteConversation
+ parameters:
+ - description: The conversation's `id` value.
+ in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ description: Indicates a successful call. The conversation was deleted successfully.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Generic Error. This response indicates an issue with the request.
+ summary: Delete a conversation
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/knowledge_base/{resource}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Read a single KB
+ operationId: ReadKnowledgeBase
+ parameters:
+ - description: The KnowledgeBase `resource` value.
+ in: path
+ name: resource
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ defend_insights_exists:
+ description: Indicates if Defend Insights documentation exists in the KnowledgeBase.
+ type: boolean
+ elser_exists:
+ description: Indicates if the ELSER model exists for the KnowledgeBase.
+ type: boolean
+ is_setup_available:
+ description: Indicates if the setup process is available for the KnowledgeBase.
+ type: boolean
+ is_setup_in_progress:
+ description: Indicates if the setup process is currently in progress.
+ type: boolean
+ product_documentation_status:
+ description: The status of the product documentation in the KnowledgeBase.
+ type: string
+ security_labs_exists:
+ description: Indicates if Security Labs documentation exists in the KnowledgeBase.
+ type: boolean
+ user_data_exists:
+ description: Indicates if user data exists in the KnowledgeBase.
+ type: boolean
+ type: object
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ description: A short description of the error.
+ type: string
+ message:
+ description: A detailed error message.
+ type: string
+ statusCode:
+ description: The HTTP status code of the error.
+ type: number
+ type: object
+ description: Generic Error
+ summary: Read a KnowledgeBase
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/security_ai_assistant/knowledge_base/{resource}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a KnowledgeBase
+ operationId: CreateKnowledgeBase
+ parameters:
+ - description: The KnowledgeBase `resource` value.
+ in: path
+ name: resource
+ schema:
+ type: string
+ - description: ELSER modelId to use when setting up the Knowledge Base. If not provided, a default model will be used.
+ in: query
+ name: modelId
+ required: false
+ schema:
+ type: string
+ - description: Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base. Defaults to `false`.
+ in: query
+ name: ignoreSecurityLabs
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResponse'
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ description: A short description of the error.
+ type: string
+ message:
+ description: A detailed error message.
+ type: string
+ statusCode:
+ description: The HTTP status code of the error.
+ type: number
+ type: object
+ description: Generic Error
+ summary: Create a KnowledgeBase
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/knowledge_base/entries:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a Knowledge Base Entry
+ operationId: CreateKnowledgeBaseEntry
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ description: Successful request returning Knowledge Base Entries
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
+ description: A generic error occurred, such as invalid input or missing required fields.
+ summary: Create a Knowledge Base Entry
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/knowledge_base/entries/_bulk_action:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_bulk_action
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ The bulk action is applied to all Knowledge Base Entries that match the filter or to the list of Knowledge Base Entries by their IDs.
+ operationId: PerformKnowledgeBaseEntryBulkAction
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ create:
+ description: List of Knowledge Base Entries to create.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps'
+ type: array
+ delete:
+ properties:
+ ids:
+ description: Array of Knowledge Base Entry IDs.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter Knowledge Base Entries.
+ type: string
+ type: object
+ update:
+ description: List of Knowledge Base Entries to update.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps'
+ type: array
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse'
+ description: Successful bulk operation request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
+ description: Generic Error
+ summary: Applies a bulk action to multiple Knowledge Base Entries
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/knowledge_base/entries/_find:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/_find
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Finds Knowledge Base Entries that match the given query.
+ operationId: FindKnowledgeBaseEntries
+ parameters:
+ - description: A list of fields to include in the response. If not provided, all fields will be included.
+ in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Search query to filter Knowledge Base Entries by specific criteria.
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - description: Field to sort the Knowledge Base Entries by.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField'
+ - description: Sort order for the results, either asc or desc.
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
+ - description: Page number for paginated results. Defaults to 1.
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ minimum: 1
+ type: integer
+ - description: Number of Knowledge Base Entries to return per page. Defaults to 20.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 20
+ minimum: 0
+ type: integer
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ data:
+ description: The list of Knowledge Base Entries for the current page.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ type: array
+ page:
+ description: The current page number.
+ type: integer
+ perPage:
+ description: The number of Knowledge Base Entries returned per page.
+ type: integer
+ total:
+ description: The total number of Knowledge Base Entries available.
+ type: integer
+ required:
+ - page
+ - perPage
+ - total
+ - data
+ type: object
+ description: Successful response containing the paginated Knowledge Base Entries.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ description: A short description of the error.
+ type: string
+ message:
+ description: A detailed message explaining the error.
+ type: string
+ statusCode:
+ description: The HTTP status code of the error.
+ type: number
+ type: object
+ description: Generic Error indicating an issue with the request.
+ summary: Finds Knowledge Base Entries that match the given query.
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/knowledge_base/entries/{id}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Retrieve a Knowledge Base Entry by its unique `id`.
+ operationId: ReadKnowledgeBaseEntry
+ parameters:
+ - description: The unique identifier (`id`) of the Knowledge Base Entry to retrieve.
+ in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ description: Successful request returning the requested Knowledge Base Entry.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
+ description: A generic error occurred, such as an invalid `id` or the entry not being found.
+ summary: Read a Knowledge Base Entry
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update an existing Knowledge Base Entry by its unique `id`.
+ operationId: UpdateKnowledgeBaseEntry
+ parameters:
+ - description: The unique identifier (`id`) of the Knowledge Base Entry to update.
+ in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ description: Successful request returning the updated Knowledge Base Entry.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
+ description: A generic error occurred, such as invalid input or the entry not being found.
+ summary: Update a Knowledge Base Entry
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/security_ai_assistant/knowledge_base/entries/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a Knowledge Base Entry by its unique `id`.
+ operationId: DeleteKnowledgeBaseEntry
+ parameters:
+ - description: The unique identifier (`id`) of the Knowledge Base Entry to delete.
+ in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_DeleteResponseFields'
+ description: Successful request returning the `id` of the deleted Knowledge Base Entry.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema'
+ description: A generic error occurred, such as an invalid `id` or the entry not being found.
+ summary: Deletes a single Knowledge Base Entry using the `id` field
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/prompts/_bulk_action:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/security_ai_assistant/prompts/_bulk_action
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs. This action allows for bulk create, update, or delete operations.
+ operationId: PerformPromptsBulkAction
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ create:
+ description: List of prompts to be created.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps'
+ type: array
+ delete:
+ description: Criteria for deleting prompts in bulk.
+ properties:
+ ids:
+ description: Array of IDs to apply the action to.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter the bulk action.
+ type: string
+ type: object
+ update:
+ description: List of prompts to be updated.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps'
+ type: array
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse'
+ description: Indicates a successful call with the results of the bulk action.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ description: A short error message.
+ type: string
+ message:
+ description: A detailed error message.
+ type: string
+ statusCode:
+ description: The HTTP status code for the error.
+ type: number
+ type: object
+ description: Indicates a generic error due to a bad request.
+ summary: Apply a bulk action to prompts
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/security_ai_assistant/prompts/_find:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/security_ai_assistant/prompts/_find
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of all prompts based on optional filters, sorting, and pagination.
+ operationId: FindPrompts
+ parameters:
+ - description: List of specific fields to include in each returned prompt.
+ in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Search query string to filter prompts by matching fields.
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - description: Field to sort prompts by.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField'
+ - description: Sort order, either asc or desc.
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
+ - description: Page number for pagination.
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ minimum: 1
+ type: integer
+ - description: Number of prompts per page.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 20
+ minimum: 0
+ type: integer
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ data:
+ description: The list of prompts returned based on the search query, sorting, and pagination.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
+ type: array
+ page:
+ description: Current page number.
+ type: integer
+ perPage:
+ description: Number of prompts per page.
+ type: integer
+ total:
+ description: Total number of prompts matching the query.
+ type: integer
+ required:
+ - page
+ - perPage
+ - total
+ - data
+ type: object
+ description: Successful response containing a list of prompts.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ error:
+ description: Short error message.
+ type: string
+ message:
+ description: Detailed description of the error.
+ type: string
+ statusCode:
+ description: HTTP status code for the error.
+ type: number
+ type: object
+ description: Bad request due to invalid parameters or malformed query.
+ summary: Get prompts
+ tags:
+ - Security AI Assistant API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/short_url:
+ post:
+ description: |
+ Kibana URLs may be long and cumbersome, short URLs are much easier to remember and share.
+ Short URLs are created by specifying the locator ID and locator parameters. When a short URL is resolved, the locator ID and locator parameters are used to redirect user to the right Kibana page.
+ operationId: post-url
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ humanReadableSlug:
+ description: |
+ When the `slug` parameter is omitted, the API will generate a random human-readable slug if `humanReadableSlug` is set to true.
+ type: boolean
+ locatorId:
+ description: The identifier for the locator.
+ type: string
+ params:
+ description: |
+ An object which contains all necessary parameters for the given locator to resolve to a Kibana location.
+ > warn
+ > When you create a short URL, locator params are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.
+ type: object
+ slug:
+ description: |
+ A custom short URL slug. The slug is the part of the short URL that identifies it. You can provide a custom slug which consists of latin alphabet letters, numbers, and `-._` characters. The slug must be at least 3 characters long, but no longer than 255 characters.
+ type: string
+ required:
+ - locatorId
+ - params
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Short_URL_APIs_urlResponse'
+ description: Indicates a successful call.
+ summary: Create a short URL
+ tags:
+ - short url
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/short_url/_slug/{slug}:
+ get:
+ description: |
+ Resolve a Kibana short URL by its slug.
+ operationId: resolve-url
+ parameters:
+ - description: The slug of the short URL.
+ in: path
+ name: slug
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Short_URL_APIs_urlResponse'
+ description: Indicates a successful call.
+ summary: Resolve a short URL
+ tags:
+ - short url
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/short_url/{id}:
+ get:
+ description: |
+ Get a single Kibana short URL.
+ operationId: get-url
+ parameters:
+ - $ref: '#/components/parameters/Short_URL_APIs_idParam'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Short_URL_APIs_urlResponse'
+ description: Indicates a successful call.
+ summary: Get a short URL
+ tags:
+ - short url
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ delete:
+ description: |
+ Delete a Kibana short URL.
+ operationId: delete-url
+ parameters:
+ - $ref: '#/components/parameters/Short_URL_APIs_idParam'
+ responses:
+ "200":
+ description: Indicates a successful call.
+ summary: Delete a short URL
+ tags:
+ - short url
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/spaces/_copy_saved_objects:
+ post:
+ description: 'It also allows you to automatically copy related objects, so when you copy a dashboard, this can automatically copy over the associated visualizations, data views, and saved Discover sessions, as required. You can request to overwrite any objects that already exist in the target space if they share an identifier or you can use the resolve copy saved objects conflicts API to do this on a per-object basis.
[Required authorization] Route required privileges: copySavedObjectsToSpaces.'
+ operationId: post-spaces-copy-saved-objects
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ compatibilityMode:
+ default: false
+ description: Apply various adjustments to the saved objects that are being copied to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with copied saved objects. This option cannot be used with the `createNewCopies` option.
+ type: boolean
+ createNewCopies:
+ default: true
+ description: Create new copies of saved objects, regenerate each object identifier, and reset the origin. When used, potential conflict errors are avoided. This option cannot be used with the `overwrite` and `compatibilityMode` options.
+ type: boolean
+ includeReferences:
+ default: false
+ description: When set to true, all saved objects related to the specified saved objects will also be copied into the target spaces.
+ type: boolean
+ objects:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ description: The identifier of the saved object to copy.
+ type: string
+ type:
+ description: The type of the saved object to copy.
+ type: string
+ required:
+ - type
+ - id
+ type: object
+ type: array
+ overwrite:
+ default: false
+ description: When set to true, all conflicts are automatically overridden. When a saved object with a matching type and identifier exists in the target space, that version is replaced with the version from the source space. This option cannot be used with the `createNewCopies` option.
+ type: boolean
+ spaces:
+ items:
+ description: The identifiers of the spaces where you want to copy the specified objects.
+ type: string
+ type: array
+ required:
+ - spaces
+ - objects
+ type: object
+ responses:
+ "200":
+ content:
+ application/json: {}
+ description: 'OK: A successful request.'
+ summary: Copy saved objects between spaces
+ tags:
+ - spaces
+ x-metaTags:
+ - content: Kibana
+ name: product_name
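Review bot: the `200` response for `post-spaces-copy-saved-objects` is declared as `application/json: {}` with no schema, and no `4xx` response is documented even though the description says the route requires the `copySavedObjectsToSpaces` privilege, so a client cannot learn from this spec what a per-object conflict or an authorization failure looks like. Please add a response schema (at minimum the error entries that `/api/spaces/_resolve_copy_saved_objects_errors` says it consumes) plus `401`/`403` responses. The mutual exclusions the descriptions spell out (`createNewCopies` with `overwrite` and `compatibilityMode`) are also not expressed in the schema; because `createNewCopies` defaults to `true`, a body that only sets `overwrite: true` passes validation while being semantically invalid. A `not`/`oneOf` constraint, or at least a sentence on how the default interacts with `overwrite`, would close that gap.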
+ /api/spaces/_disable_legacy_url_aliases:
+ post:
+ operationId: post-spaces-disable-legacy-url-aliases
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ aliases:
+ items:
+ additionalProperties: false
+ properties:
+ sourceId:
+ description: The alias source object identifier. This is the legacy object identifier.
+ type: string
+ targetSpace:
+ description: The space where the alias target object exists.
+ type: string
+ targetType:
+ description: 'The type of alias target object. '
+ type: string
+ required:
+ - targetSpace
+ - targetType
+ - sourceId
+ type: object
+ type: array
+ required:
+ - aliases
+ type: object
+ responses: {}
+ summary: Disable legacy URL aliases
+ tags:
+ - spaces
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/spaces/_get_shareable_references:
+ post:
+ description: Collect references and space contexts for saved objects.
+ operationId: post-spaces-get-shareable-references
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ objects:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ - id
+ type: object
+ type: array
+ required:
+ - objects
+ type: object
+ responses: {}
+ summary: Get shareable references
+ tags:
+ - spaces
+ x-metaTags:
+ - content: Kibana
+ name: product_name
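Review bot: both `post-spaces-disable-legacy-url-aliases` and `post-spaces-get-shareable-references` ship with `responses: {}`, and the first has no `description` at all, so neither the required privilege nor the success or error shape is documented, unlike the neighbouring spaces operations that carry a `[Required authorization]` line. Please add at least a `200` response and the route privilege note to each. The `id`/`type` items under `objects` in `_get_shareable_references` also lack the descriptions the copy endpoint uses (`description: The identifier of the saved object to copy.`), and `targetType` has a trailing space inside its quoted description.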
+ /api/spaces/_resolve_copy_saved_objects_errors:
+ post:
+ description: 'Overwrite saved objects that are returned as errors from the copy saved objects to space API.
[Required authorization] Route required privileges: copySavedObjectsToSpaces.'
+ operationId: post-spaces-resolve-copy-saved-objects-errors
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ compatibilityMode:
+ default: false
+ type: boolean
+ createNewCopies:
+ default: true
+ type: boolean
+ includeReferences:
+ default: false
+ type: boolean
+ objects:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ - id
+ type: object
+ type: array
+ retries:
+ additionalProperties:
+ items:
+ additionalProperties: false
+ properties:
+ createNewCopy:
+ description: Creates new copies of the saved objects, regenerates each object ID, and resets the origin.
+ type: boolean
+ destinationId:
+ description: Specifies the destination identifier that the copied object should have, if different from the current identifier.
+ type: string
+ id:
+ description: The saved object identifier.
+ type: string
+ ignoreMissingReferences:
+ description: When set to true, any missing references errors are ignored.
+ type: boolean
+ overwrite:
+ default: false
+ description: When set to true, the saved object from the source space overwrites the conflicting object in the destination space.
+ type: boolean
+ type:
+ description: The saved object type.
+ type: string
+ required:
+ - type
+ - id
+ type: object
+ type: array
+ type: object
+ required:
+ - retries
+ - objects
+ type: object
+ responses:
+ "200":
+ content:
+ application/json: {}
+ description: 'OK: A successful request.'
+ summary: Resolve conflicts copying saved objects
+ tags: []
+ x-metaTags:
+ - content: Kibana
+ name: product_name
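Review bot: `tags: []` on `post-spaces-resolve-copy-saved-objects-errors` is inconsistent with every other operation under `/api/spaces`, which use `- spaces`; as written the operation will fall out of the Spaces grouping in generated docs. `compatibilityMode`, `createNewCopies` and `includeReferences` here carry only `default:` and `type:`, while the copy endpoint documents them, including the incompatibility between `createNewCopies` and `overwrite`; the same caveat applies to this body and should be copied across. The key of the `retries` map (`additionalProperties:` keyed by an undescribed string) is also not explained; please add a `description:` stating what the key is.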
+ /api/spaces/_update_objects_spaces:
+ post:
+ description: Update one or more saved objects to add or remove them from some spaces.
+ operationId: post-spaces-update-objects-spaces
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ objects:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ description: The identifier of the saved object to update.
+ type: string
+ type:
+ description: The type of the saved object to update.
+ type: string
+ required:
+ - type
+ - id
+ type: object
+ type: array
+ spacesToAdd:
+ items:
+ description: The identifiers of the spaces the saved objects should be added to or removed from.
+ type: string
+ type: array
+ spacesToRemove:
+ items:
+ description: The identifiers of the spaces the saved objects should be added to or removed from.
+ type: string
+ type: array
+ required:
+ - objects
+ - spacesToAdd
+ - spacesToRemove
+ type: object
+ responses:
+ "200":
+ content:
+ application/json: {}
+ description: 'OK: A successful request.'
+ summary: Update saved objects in spaces
+ tags:
+ - spaces
+ x-metaTags:
+ - content: Kibana
+ name: product_name
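Review bot: `spacesToAdd` and `spacesToRemove` carry the identical description (`The identifiers of the spaces the saved objects should be added to or removed from.`), which reads as a copy-paste; each should describe its own direction. Both arrays are `required` with no `minItems`, and nothing states what happens when the same space id appears in both lists, which is the case a caller is most likely to get wrong. Suggest distinct descriptions and one sentence on the overlap case.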
+ /api/spaces/space:
+ get:
+ operationId: get-spaces-space
+ parameters:
+ - description: Specifies which authorization checks are applied to the API call. The default value is `any`.
+ in: query
+ name: purpose
+ required: false
+ schema:
+ enum:
+ - any
+ - copySavedObjectsIntoSpace
+ - shareSavedObjectsIntoSpace
+ type: string
+ - description: When enabled, the API returns any spaces that the user is authorized to access in any capacity and each space will contain the purposes for which the user is authorized. This can be useful to determine which spaces a user can read but not take a specific action in. If the security plugin is not enabled, this parameter has no effect, since no authorization checks take place. This parameter cannot be used in with the `purpose` parameter.
+ in: query
+ name: include_authorized_purposes
+ required: true
+ schema:
+ nullable: true
+ oneOf:
+ - enum:
+ - false
+ type: boolean
+ x-oas-optional: true
+ - type: boolean
+ x-oas-optional: true
+ responses:
+ "200":
+ content:
+ application/json: {}
+ description: Indicates a successful call.
+ summary: Get all spaces
+ tags:
+ - spaces
+ x-metaTags:
+ - content: Kibana
+ name: product_name
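Review bot: `include_authorized_purposes` is marked `required: true` while its schema is `nullable: true` and both `oneOf` branches are tagged `x-oas-optional: true`; the description additionally says it cannot be combined with `purpose`, which is itself optional. The flags contradict each other and a generated client will insist on sending the parameter. `required: false` matches the description. The `oneOf` of `enum: [false]` plus `type: boolean` is redundant, since the second branch already admits `false`. Minor: `cannot be used in with the `purpose` parameter` has a stray `in`.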
+ post:
+ operationId: post-spaces-space
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ _reserved:
+ type: boolean
+ color:
+ description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
+ type: string
+ description:
+ description: A description for the space.
+ type: string
+ disabledFeatures:
+ default: []
+ items:
+ description: The list of features that are turned off in the space.
+ type: string
+ type: array
+ id:
+ description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.
+ type: string
+ imageUrl:
+ description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
+ type: string
+ initials:
+ description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
+ maxLength: 2
+ type: string
+ name:
+ description: 'The display name for the space. '
+ minLength: 1
+ type: string
+ solution:
+ enum:
+ - security
+ - oblt
+ - es
+ - classic
+ type: string
+ required:
+ - id
+ - name
+ type: object
+ responses:
+ "200":
+ description: Indicates a successful call.
+ summary: Create a space
+ tags:
+ - spaces
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/spaces/space/{id}:
+ get:
+ operationId: get-spaces-space-id
+ parameters:
+ - description: The space identifier.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json: {}
+ description: Indicates a successful call.
+ summary: Get a space
+ tags:
+ - spaces
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ operationId: put-spaces-space-id
+ parameters:
+ - description: The space identifier. You are unable to change the ID with the update operation.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ _reserved:
+ type: boolean
+ color:
+ description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
+ type: string
+ description:
+ description: A description for the space.
+ type: string
+ disabledFeatures:
+ default: []
+ items:
+ description: The list of features that are turned off in the space.
+ type: string
+ type: array
+ id:
+ description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.
+ type: string
+ imageUrl:
+ description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
+ type: string
+ initials:
+ description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
+ maxLength: 2
+ type: string
+ name:
+ description: 'The display name for the space. '
+ minLength: 1
+ type: string
+ solution:
+ enum:
+ - security
+ - oblt
+ - es
+ - classic
+ type: string
+ required:
+ - id
+ - name
+ type: object
+ responses:
+ "200":
+ description: Indicates a successful call.
+ summary: Update a space
+ tags:
+ - spaces
+ x-metaTags:
+ - content: Kibana
+ name: product_name
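Review bot: `_reserved` is accepted in both the create and update request bodies as `type: boolean` with no description, and with `additionalProperties: false` set it is clearly intentional; if callers are not meant to set it, mark it `readOnly: true` or drop it from the writable schema, and if they are, state which privilege that needs. The `id` description (`You are cannot change the ID with the update operation.`) has a grammar slip and appears verbatim on the create body, where the sentence about update is out of place; the PUT body also lists `id` under `required` although the path parameter says it is immutable. `imageUrl` accepts a data URL with no `maxLength` and the description only notes that images are not optimized; please state a size bound. `name` has a trailing space inside its quoted description.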
+ delete:
+ description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone.
+ operationId: delete-spaces-space-id
+ parameters:
+ - description: The space identifier.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ "204":
+ description: Indicates a successful call.
+ "404":
+ description: Indicates that the request failed.
+ summary: Delete a space
+ tags:
+ - spaces
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/status:
+ get:
+ operationId: get-status
+ parameters:
+ - description: Set to "true" to get the response in v7 format.
+ in: query
+ name: v7format
+ required: false
+ schema:
+ type: boolean
+ - description: Set to "true" to get the response in v8 format.
+ in: query
+ name: v8format
+ required: false
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response'
+ - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse'
+ description: Kibana's operational status. A minimal response is sent for unauthorized users.
+ description: Overall status is OK and Kibana should be functioning normally.
+ "503":
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response'
+ - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse'
+ description: Kibana's operational status. A minimal response is sent for unauthorized users.
+ description: Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable.
+ summary: Get Kibana's current status
+ tags:
+ - system
+ x-metaTags:
+ - content: Kibana
+ name: product_name
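Review bot: `it's essential services` should read `its`. `v7format` and `v8format` are both optional booleans with no statement of the default format or of which one wins when both are sent; please document that. The `503` branch reuses the same `anyOf` as `200`, so the sentence about a minimal response for unauthorized users is the only hint that two shapes exist; a short `description` on the `redactedResponse` branch would make the redacted variant discoverable.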
+ /api/streams:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/streams
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Fetches list of all streams
[Required authorization] Route required privileges: read_stream.
+ operationId: get-streams
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Get stream list
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/_disable:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/streams/_disable
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Disables wired streams and deletes all existing stream definitions. The data of wired streams is deleted, but the data of classic streams is preserved.
[Required authorization] Route required privileges: manage_stream.
+ operationId: post-streams-disable
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Disable streams
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/_enable:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/streams/_enable
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Enables wired streams
[Required authorization] Route required privileges: manage_stream.
+ operationId: post-streams-enable
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Enable streams
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/_resync:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/streams/_resync
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Resyncs all streams, making sure that Elasticsearch assets are up to date
[Required authorization] Route required privileges: manage_stream.
+ operationId: post-streams-resync
+ parameters: []
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Resync streams
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/{name}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/streams/{name}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Fetches a stream definition and associated dashboards
[Required authorization] Route required privileges: read_stream.
+ operationId: get-streams-name
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Get a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
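Review bot: every streams operation so far, including both `get` routes, declares a `requestBody` whose schema is `anyOf` an empty object, a `"null"` enum and `- not: {}`; a body on a GET is unusual and `not: {}` matches nothing, so the third branch adds only noise. Drop the `requestBody` from the GETs or state what the body is for. All five also have `responses: {}`, so the `read_stream`/`manage_stream` privilege lines are the only contract a client gets; please add at least a `200` response. Wording: `Fetches list of all streams` needs an article, and the `_disable` description, which says the data of wired streams is deleted, deserves the same explicit warning used on `delete-spaces-space-id` (`which is permanent and cannot be undone`).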
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/streams/{name}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Creates or updates a stream definition. Classic streams can not be created through this API, only updated
[Required authorization] Route required privileges: manage_stream.
+ operationId: put-streams-name
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - anyOf:
+ - allOf:
+ - properties: {}
+ type: object
+ - properties:
+ stream:
+ allOf:
+ - additionalProperties: true
+ properties:
+ name:
+ not: {}
+ type: object
+ - additionalProperties: false
+ properties:
+ description:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - description
+ type: object
+ required:
+ - stream
+ type: object
+ - properties:
+ dashboards:
+ items:
+ type: string
+ type: array
+ queries:
+ items:
+ allOf:
+ - properties:
+ id:
+ minLength: 1
+ type: string
+ title:
+ minLength: 1
+ type: string
+ required:
+ - id
+ - title
+ type: object
+ - properties:
+ feature:
+ additionalProperties: false
+ properties:
+ filter:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ - filter
+ type: object
+ kql:
+ additionalProperties: false
+ properties:
+ query:
+ type: string
+ required:
+ - query
+ type: object
+ required:
+ - kql
+ type: object
+ type: array
+ rules:
+ items:
+ type: string
+ type: array
+ required:
+ - dashboards
+ - rules
+ - queries
+ type: object
+ - properties:
+ stream:
+ allOf:
+ - additionalProperties: true
+ properties:
+ name:
+ not: {}
+ type: object
+ - allOf:
+ - properties: {}
+ type: object
+ - properties:
+ description:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - description
+ type: object
+ - properties:
+ ingest:
+ additionalProperties: false
+ properties:
+ lifecycle:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ dsl:
+ additionalProperties: false
+ properties:
+ data_retention:
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - dsl
+ type: object
+ - additionalProperties: false
+ properties:
+ ilm:
+ additionalProperties: false
+ properties:
+ policy:
+ minLength: 1
+ type: string
+ required:
+ - policy
+ type: object
+ required:
+ - ilm
+ type: object
+ - additionalProperties: false
+ properties:
+ inherit:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - inherit
+ type: object
+ processing:
+ additionalProperties: false
+ properties:
+ steps:
+ items:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - grok
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern_definitions:
+ additionalProperties:
+ type: string
+ type: object
+ patterns:
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - patterns
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - dissect
+ type: string
+ append_separator:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - pattern
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - date
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ formats:
+ items:
+ minLength: 1
+ type: string
+ type: array
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ locale:
+ minLength: 1
+ type: string
+ output_format:
+ minLength: 1
+ type: string
+ timezone:
+ minLength: 1
+ type: string
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - formats
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - drop_document
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - rename
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - set
+ type: string
+ copy_from:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value: {}
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - append
+ type: string
+ allow_duplicates:
+ type: boolean
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value:
+ items: {}
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ - value
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove_by_prefix
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - convert
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ type:
+ enum:
+ - integer
+ - long
+ - double
+ - boolean
+ - string
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - manual_ingest_pipeline
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ on_failure:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ processors:
+ items:
+ additionalProperties: false
+ properties:
+ append: {}
+ attachment: {}
+ bytes: {}
+ circle: {}
+ community_id: {}
+ convert: {}
+ csv: {}
+ date: {}
+ date_index_name: {}
+ dissect: {}
+ dot_expander: {}
+ drop: {}
+ enrich: {}
+ fail: {}
+ fingerprint: {}
+ foreach: {}
+ geo_grid: {}
+ geoip: {}
+ grok: {}
+ gsub: {}
+ html_strip: {}
+ inference: {}
+ ip_location: {}
+ join: {}
+ json: {}
+ kv: {}
+ lowercase: {}
+ network_direction: {}
+ pipeline: {}
+ redact: {}
+ registered_domain: {}
+ remove: {}
+ rename: {}
+ reroute: {}
+ script: {}
+ set: {}
+ set_security_user: {}
+ sort: {}
+ split: {}
+ terminate: {}
+ trim: {}
+ uppercase: {}
+ uri_parts: {}
+ urldecode: {}
+ user_agent: {}
+ required:
+ - append
+ - attachment
+ - bytes
+ - circle
+ - community_id
+ - convert
+ - csv
+ - date
+ - date_index_name
+ - dissect
+ - dot_expander
+ - drop
+ - enrich
+ - fail
+ - fingerprint
+ - foreach
+ - ip_location
+ - geo_grid
+ - geoip
+ - grok
+ - gsub
+ - html_strip
+ - inference
+ - join
+ - json
+ - kv
+ - lowercase
+ - network_direction
+ - pipeline
+ - redact
+ - registered_domain
+ - remove
+ - rename
+ - reroute
+ - script
+ - set
+ - set_security_user
+ - sort
+ - split
+ - terminate
+ - trim
+ - uppercase
+ - urldecode
+ - uri_parts
+ - user_agent
+ type: object
+ type: array
+ tag:
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - processors
+ type: object
+ - additionalProperties: false
+ properties:
+ customIdentifier:
+ type: string
+ where:
+ allOf:
+ - anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ - properties:
+ steps:
+ items: {}
+ type: array
+ required:
+ - steps
+ type: object
+ required:
+ - where
+ type: object
+ type: array
+ required:
+ - steps
+ type: object
+ settings:
+ additionalProperties: false
+ properties:
+ index.number_of_replicas:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.number_of_shards:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.refresh_interval:
+ additionalProperties: false
+ properties:
+ value:
+ anyOf:
+ - type: string
+ - enum:
+ - -1
+ type: number
+ required:
+ - value
+ type: object
+ type: object
+ required:
+ - lifecycle
+ - processing
+ - settings
+ type: object
+ required:
+ - ingest
+ type: object
+ - properties:
+ ingest:
+ additionalProperties: false
+ properties:
+ wired:
+ additionalProperties: false
+ properties:
+ fields:
+ additionalProperties:
+ allOf:
+ - additionalProperties:
+ anyOf:
+ - anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ - items:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ type: array
+ - items: {}
+ type: array
+ - {}
+ type: object
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ format:
+ minLength: 1
+ type: string
+ type:
+ enum:
+ - keyword
+ - match_only_text
+ - long
+ - double
+ - date
+ - boolean
+ - ip
+ type: string
+ required:
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ type:
+ enum:
+ - system
+ type: string
+ required:
+ - type
+ type: object
+ type: object
+ routing:
+ items:
+ additionalProperties: false
+ properties:
+ destination:
+ minLength: 1
+ type: string
+ status:
+ enum:
+ - enabled
+ - disabled
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - destination
+ - where
+ type: object
+ type: array
+ required:
+ - fields
+ - routing
+ type: object
+ required:
+ - wired
+ type: object
+ required:
+ - ingest
+ type: object
+ required:
+ - stream
+ type: object
+ - properties: {}
+ type: object
+ - properties:
+ stream:
+ allOf:
+ - additionalProperties: true
+ properties:
+ name:
+ not: {}
+ type: object
+ - additionalProperties: false
+ properties:
+ description:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - description
+ type: object
+ required:
+ - stream
+ type: object
+ - properties:
+ dashboards:
+ items:
+ type: string
+ type: array
+ queries:
+ items:
+ allOf:
+ - properties:
+ id:
+ minLength: 1
+ type: string
+ title:
+ minLength: 1
+ type: string
+ required:
+ - id
+ - title
+ type: object
+ - properties:
+ feature:
+ additionalProperties: false
+ properties:
+ filter:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ - filter
+ type: object
+ kql:
+ additionalProperties: false
+ properties:
+ query:
+ type: string
+ required:
+ - query
+ type: object
+ required:
+ - kql
+ type: object
+ type: array
+ rules:
+ items:
+ type: string
+ type: array
+ required:
+ - dashboards
+ - rules
+ - queries
+ type: object
+ - properties:
+ stream:
+ allOf:
+ - additionalProperties: true
+ properties:
+ name:
+ not: {}
+ type: object
+ - additionalProperties: false
+ properties:
+ ingest:
+ additionalProperties: false
+ properties:
+ lifecycle:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ dsl:
+ additionalProperties: false
+ properties:
+ data_retention:
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - dsl
+ type: object
+ - additionalProperties: false
+ properties:
+ ilm:
+ additionalProperties: false
+ properties:
+ policy:
+ minLength: 1
+ type: string
+ required:
+ - policy
+ type: object
+ required:
+ - ilm
+ type: object
+ - additionalProperties: false
+ properties:
+ inherit:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - inherit
+ type: object
+ processing:
+ additionalProperties: false
+ properties:
+ steps:
+ items:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - grok
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern_definitions:
+ additionalProperties:
+ type: string
+ type: object
+ patterns:
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - patterns
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - dissect
+ type: string
+ append_separator:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - pattern
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - date
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ formats:
+ items:
+ minLength: 1
+ type: string
+ type: array
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ locale:
+ minLength: 1
+ type: string
+ output_format:
+ minLength: 1
+ type: string
+ timezone:
+ minLength: 1
+ type: string
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - formats
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - drop_document
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - rename
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - set
+ type: string
+ copy_from:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value: {}
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - append
+ type: string
+ allow_duplicates:
+ type: boolean
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value:
+ items: {}
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ - value
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove_by_prefix
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - convert
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ type:
+ enum:
+ - integer
+ - long
+ - double
+ - boolean
+ - string
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - manual_ingest_pipeline
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ on_failure:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ processors:
+ items:
+ additionalProperties: false
+ properties:
+ append: {}
+ attachment: {}
+ bytes: {}
+ circle: {}
+ community_id: {}
+ convert: {}
+ csv: {}
+ date: {}
+ date_index_name: {}
+ dissect: {}
+ dot_expander: {}
+ drop: {}
+ enrich: {}
+ fail: {}
+ fingerprint: {}
+ foreach: {}
+ geo_grid: {}
+ geoip: {}
+ grok: {}
+ gsub: {}
+ html_strip: {}
+ inference: {}
+ ip_location: {}
+ join: {}
+ json: {}
+ kv: {}
+ lowercase: {}
+ network_direction: {}
+ pipeline: {}
+ redact: {}
+ registered_domain: {}
+ remove: {}
+ rename: {}
+ reroute: {}
+ script: {}
+ set: {}
+ set_security_user: {}
+ sort: {}
+ split: {}
+ terminate: {}
+ trim: {}
+ uppercase: {}
+ uri_parts: {}
+ urldecode: {}
+ user_agent: {}
+ required:
+ - append
+ - attachment
+ - bytes
+ - circle
+ - community_id
+ - convert
+ - csv
+ - date
+ - date_index_name
+ - dissect
+ - dot_expander
+ - drop
+ - enrich
+ - fail
+ - fingerprint
+ - foreach
+ - ip_location
+ - geo_grid
+ - geoip
+ - grok
+ - gsub
+ - html_strip
+ - inference
+ - join
+ - json
+ - kv
+ - lowercase
+ - network_direction
+ - pipeline
+ - redact
+ - registered_domain
+ - remove
+ - rename
+ - reroute
+ - script
+ - set
+ - set_security_user
+ - sort
+ - split
+ - terminate
+ - trim
+ - uppercase
+ - urldecode
+ - uri_parts
+ - user_agent
+ type: object
+ type: array
+ tag:
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - processors
+ type: object
+ - additionalProperties: false
+ properties:
+ customIdentifier:
+ type: string
+ where:
+ allOf:
+ - anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ - properties:
+ steps:
+ items: {}
+ type: array
+ required:
+ - steps
+ type: object
+ required:
+ - where
+ type: object
+ type: array
+ required:
+ - steps
+ type: object
+ settings:
+ additionalProperties: false
+ properties:
+ index.number_of_replicas:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.number_of_shards:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.refresh_interval:
+ additionalProperties: false
+ properties:
+ value:
+ anyOf:
+ - type: string
+ - enum:
+ - -1
+ type: number
+ required:
+ - value
+ type: object
+ type: object
+ required:
+ - lifecycle
+ - processing
+ - settings
+ type: object
+ required:
+ - ingest
+ type: object
+ required:
+ - stream
+ type: object
+ - properties: {}
+ type: object
+ - properties: {}
+ type: object
+ - allOf:
+ - properties: {}
+ type: object
+ - properties:
+ stream:
+ allOf:
+ - additionalProperties: true
+ properties:
+ name:
+ not: {}
+ type: object
+ - additionalProperties: false
+ properties:
+ description:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - description
+ type: object
+ required:
+ - stream
+ type: object
+ - properties:
+ dashboards:
+ items:
+ type: string
+ type: array
+ queries:
+ items:
+ allOf:
+ - properties:
+ id:
+ minLength: 1
+ type: string
+ title:
+ minLength: 1
+ type: string
+ required:
+ - id
+ - title
+ type: object
+ - properties:
+ feature:
+ additionalProperties: false
+ properties:
+ filter:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ - filter
+ type: object
+ kql:
+ additionalProperties: false
+ properties:
+ query:
+ type: string
+ required:
+ - query
+ type: object
+ required:
+ - kql
+ type: object
+ type: array
+ rules:
+ items:
+ type: string
+ type: array
+ required:
+ - dashboards
+ - rules
+ - queries
+ type: object
+ - properties:
+ stream:
+ allOf:
+ - additionalProperties: true
+ properties:
+ name:
+ not: {}
+ type: object
+ - allOf:
+ - properties: {}
+ type: object
+ - properties:
+ description:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - description
+ type: object
+ - properties:
+ ingest:
+ additionalProperties: false
+ properties:
+ lifecycle:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ dsl:
+ additionalProperties: false
+ properties:
+ data_retention:
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - dsl
+ type: object
+ - additionalProperties: false
+ properties:
+ ilm:
+ additionalProperties: false
+ properties:
+ policy:
+ minLength: 1
+ type: string
+ required:
+ - policy
+ type: object
+ required:
+ - ilm
+ type: object
+ - additionalProperties: false
+ properties:
+ inherit:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - inherit
+ type: object
+ processing:
+ additionalProperties: false
+ properties:
+ steps:
+ items:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - grok
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern_definitions:
+ additionalProperties:
+ type: string
+ type: object
+ patterns:
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - patterns
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - dissect
+ type: string
+ append_separator:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - pattern
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - date
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ formats:
+ items:
+ minLength: 1
+ type: string
+ type: array
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ locale:
+ minLength: 1
+ type: string
+ output_format:
+ minLength: 1
+ type: string
+ timezone:
+ minLength: 1
+ type: string
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - formats
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - drop_document
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - rename
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - set
+ type: string
+ copy_from:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value: {}
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - append
+ type: string
+ allow_duplicates:
+ type: boolean
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value:
+ items: {}
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ - value
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove_by_prefix
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - convert
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ type:
+ enum:
+ - integer
+ - long
+ - double
+ - boolean
+ - string
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - manual_ingest_pipeline
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ on_failure:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ processors:
+ items:
+ additionalProperties: false
+ properties:
+ append: {}
+ attachment: {}
+ bytes: {}
+ circle: {}
+ community_id: {}
+ convert: {}
+ csv: {}
+ date: {}
+ date_index_name: {}
+ dissect: {}
+ dot_expander: {}
+ drop: {}
+ enrich: {}
+ fail: {}
+ fingerprint: {}
+ foreach: {}
+ geo_grid: {}
+ geoip: {}
+ grok: {}
+ gsub: {}
+ html_strip: {}
+ inference: {}
+ ip_location: {}
+ join: {}
+ json: {}
+ kv: {}
+ lowercase: {}
+ network_direction: {}
+ pipeline: {}
+ redact: {}
+ registered_domain: {}
+ remove: {}
+ rename: {}
+ reroute: {}
+ script: {}
+ set: {}
+ set_security_user: {}
+ sort: {}
+ split: {}
+ terminate: {}
+ trim: {}
+ uppercase: {}
+ uri_parts: {}
+ urldecode: {}
+ user_agent: {}
+ required:
+ - append
+ - attachment
+ - bytes
+ - circle
+ - community_id
+ - convert
+ - csv
+ - date
+ - date_index_name
+ - dissect
+ - dot_expander
+ - drop
+ - enrich
+ - fail
+ - fingerprint
+ - foreach
+ - ip_location
+ - geo_grid
+ - geoip
+ - grok
+ - gsub
+ - html_strip
+ - inference
+ - join
+ - json
+ - kv
+ - lowercase
+ - network_direction
+ - pipeline
+ - redact
+ - registered_domain
+ - remove
+ - rename
+ - reroute
+ - script
+ - set
+ - set_security_user
+ - sort
+ - split
+ - terminate
+ - trim
+ - uppercase
+ - urldecode
+ - uri_parts
+ - user_agent
+ type: object
+ type: array
+ tag:
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - processors
+ type: object
+ - additionalProperties: false
+ properties:
+ customIdentifier:
+ type: string
+ where:
+ allOf:
+ - anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ - properties:
+ steps:
+ items: {}
+ type: array
+ required:
+ - steps
+ type: object
+ required:
+ - where
+ type: object
+ type: array
+ required:
+ - steps
+ type: object
+ settings:
+ additionalProperties: false
+ properties:
+ index.number_of_replicas:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.number_of_shards:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.refresh_interval:
+ additionalProperties: false
+ properties:
+ value:
+ anyOf:
+ - type: string
+ - enum:
+ - -1
+ type: number
+ required:
+ - value
+ type: object
+ type: object
+ required:
+ - lifecycle
+ - processing
+ - settings
+ type: object
+ required:
+ - ingest
+ type: object
+ - properties:
+ ingest:
+ additionalProperties: false
+ properties:
+ classic:
+ additionalProperties: false
+ properties:
+ field_overrides:
+ additionalProperties:
+ allOf:
+ - additionalProperties:
+ anyOf:
+ - anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ - items:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ type: array
+ - items: {}
+ type: array
+ - {}
+ type: object
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ format:
+ minLength: 1
+ type: string
+ type:
+ enum:
+ - keyword
+ - match_only_text
+ - long
+ - double
+ - date
+ - boolean
+ - ip
+ type: string
+ required:
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ type:
+ enum:
+ - system
+ type: string
+ required:
+ - type
+ type: object
+ type: object
+ type: object
+ required:
+ - classic
+ type: object
+ required:
+ - ingest
+ type: object
+ required:
+ - stream
+ type: object
+ - properties: {}
+ type: object
+ - properties:
+ stream:
+ allOf:
+ - additionalProperties: true
+ properties:
+ name:
+ not: {}
+ type: object
+ - additionalProperties: false
+ properties:
+ description:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - description
+ type: object
+ required:
+ - stream
+ type: object
+ - properties:
+ dashboards:
+ items:
+ type: string
+ type: array
+ queries:
+ items:
+ allOf:
+ - properties:
+ id:
+ minLength: 1
+ type: string
+ title:
+ minLength: 1
+ type: string
+ required:
+ - id
+ - title
+ type: object
+ - properties:
+ feature:
+ additionalProperties: false
+ properties:
+ filter:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ - filter
+ type: object
+ kql:
+ additionalProperties: false
+ properties:
+ query:
+ type: string
+ required:
+ - query
+ type: object
+ required:
+ - kql
+ type: object
+ type: array
+ rules:
+ items:
+ type: string
+ type: array
+ required:
+ - dashboards
+ - rules
+ - queries
+ type: object
+ - properties:
+ stream:
+ allOf:
+ - additionalProperties: true
+ properties:
+ name:
+ not: {}
+ type: object
+ - additionalProperties: false
+ properties:
+ ingest:
+ additionalProperties: false
+ properties:
+ lifecycle:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ dsl:
+ additionalProperties: false
+ properties:
+ data_retention:
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - dsl
+ type: object
+ - additionalProperties: false
+ properties:
+ ilm:
+ additionalProperties: false
+ properties:
+ policy:
+ minLength: 1
+ type: string
+ required:
+ - policy
+ type: object
+ required:
+ - ilm
+ type: object
+ - additionalProperties: false
+ properties:
+ inherit:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - inherit
+ type: object
+ processing:
+ additionalProperties: false
+ properties:
+ steps:
+ items:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - grok
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern_definitions:
+ additionalProperties:
+ type: string
+ type: object
+ patterns:
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - patterns
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - dissect
+ type: string
+ append_separator:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - pattern
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - date
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ formats:
+ items:
+ minLength: 1
+ type: string
+ type: array
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ locale:
+ minLength: 1
+ type: string
+ output_format:
+ minLength: 1
+ type: string
+ timezone:
+ minLength: 1
+ type: string
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - formats
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - drop_document
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - rename
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - set
+ type: string
+ copy_from:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value: {}
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - append
+ type: string
+ allow_duplicates:
+ type: boolean
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value:
+ items: {}
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ - value
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove_by_prefix
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - convert
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ type:
+ enum:
+ - integer
+ - long
+ - double
+ - boolean
+ - string
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - manual_ingest_pipeline
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ on_failure:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ processors:
+ items:
+ additionalProperties: false
+ properties:
+ append: {}
+ attachment: {}
+ bytes: {}
+ circle: {}
+ community_id: {}
+ convert: {}
+ csv: {}
+ date: {}
+ date_index_name: {}
+ dissect: {}
+ dot_expander: {}
+ drop: {}
+ enrich: {}
+ fail: {}
+ fingerprint: {}
+ foreach: {}
+ geo_grid: {}
+ geoip: {}
+ grok: {}
+ gsub: {}
+ html_strip: {}
+ inference: {}
+ ip_location: {}
+ join: {}
+ json: {}
+ kv: {}
+ lowercase: {}
+ network_direction: {}
+ pipeline: {}
+ redact: {}
+ registered_domain: {}
+ remove: {}
+ rename: {}
+ reroute: {}
+ script: {}
+ set: {}
+ set_security_user: {}
+ sort: {}
+ split: {}
+ terminate: {}
+ trim: {}
+ uppercase: {}
+ uri_parts: {}
+ urldecode: {}
+ user_agent: {}
+ required:
+ - append
+ - attachment
+ - bytes
+ - circle
+ - community_id
+ - convert
+ - csv
+ - date
+ - date_index_name
+ - dissect
+ - dot_expander
+ - drop
+ - enrich
+ - fail
+ - fingerprint
+ - foreach
+ - ip_location
+ - geo_grid
+ - geoip
+ - grok
+ - gsub
+ - html_strip
+ - inference
+ - join
+ - json
+ - kv
+ - lowercase
+ - network_direction
+ - pipeline
+ - redact
+ - registered_domain
+ - remove
+ - rename
+ - reroute
+ - script
+ - set
+ - set_security_user
+ - sort
+ - split
+ - terminate
+ - trim
+ - uppercase
+ - urldecode
+ - uri_parts
+ - user_agent
+ type: object
+ type: array
+ tag:
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - processors
+ type: object
+ - additionalProperties: false
+ properties:
+ customIdentifier:
+ type: string
+ where:
+ allOf:
+ - anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ - properties:
+ steps:
+ items: {}
+ type: array
+ required:
+ - steps
+ type: object
+ required:
+ - where
+ type: object
+ type: array
+ required:
+ - steps
+ type: object
+ settings:
+ additionalProperties: false
+ properties:
+ index.number_of_replicas:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.number_of_shards:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.refresh_interval:
+ additionalProperties: false
+ properties:
+ value:
+ anyOf:
+ - type: string
+ - enum:
+ - -1
+ type: number
+ required:
+ - value
+ type: object
+ type: object
+ required:
+ - lifecycle
+ - processing
+ - settings
+ type: object
+ required:
+ - ingest
+ type: object
+ required:
+ - stream
+ type: object
+ - properties: {}
+ type: object
+ - properties: {}
+ type: object
+ - allOf:
+ - properties: {}
+ type: object
+ - properties:
+ stream:
+ allOf:
+ - additionalProperties: true
+ properties:
+ name:
+ not: {}
+ type: object
+ - additionalProperties: false
+ properties:
+ description:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - description
+ type: object
+ required:
+ - stream
+ type: object
+ - properties:
+ dashboards:
+ items:
+ type: string
+ type: array
+ queries:
+ items:
+ allOf:
+ - properties:
+ id:
+ minLength: 1
+ type: string
+ title:
+ minLength: 1
+ type: string
+ required:
+ - id
+ - title
+ type: object
+ - properties:
+ feature:
+ additionalProperties: false
+ properties:
+ filter:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ - filter
+ type: object
+ kql:
+ additionalProperties: false
+ properties:
+ query:
+ type: string
+ required:
+ - query
+ type: object
+ required:
+ - kql
+ type: object
+ type: array
+ rules:
+ items:
+ type: string
+ type: array
+ required:
+ - dashboards
+ - rules
+ - queries
+ type: object
+ - properties:
+ stream:
+ allOf:
+ - additionalProperties: true
+ properties:
+ name:
+ not: {}
+ type: object
+ - additionalProperties: false
+ properties:
+ group:
+ additionalProperties: false
+ properties:
+ members:
+ items:
+ type: string
+ type: array
+ metadata:
+ additionalProperties:
+ type: string
+ type: object
+ tags:
+ items:
+ type: string
+ type: array
+ required:
+ - metadata
+ - tags
+ - members
+ type: object
+ required:
+ - group
+ type: object
+ required:
+ - stream
+ type: object
+ - properties: {}
+ type: object
+ responses: {}
+ summary: Create or update a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/streams/{name}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Deletes a stream definition and the underlying data stream
[Required authorization] Route required privileges: manage_stream.
+ operationId: delete-streams-name
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Delete a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/{name}/_fork:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/streams/{name}/_fork
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Forks a wired stream and creates a child stream
[Required authorization] Route required privileges: manage_stream.
+ operationId: post-streams-name-fork
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ status:
+ enum:
+ - enabled
+ - disabled
+ type: string
+ stream:
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - stream
+ - where
+ type: object
+ responses: {}
+ summary: Fork a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/{name}/_group:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/streams/{name}/_group
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Fetches the group settings of a group stream definition
[Required authorization] Route required privileges: read_stream.
+ operationId: get-streams-name-group
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Get group stream settings
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/streams/{name}/_group
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Upserts the group settings of a group stream definition
[Required authorization] Route required privileges: manage_stream.
+ operationId: put-streams-name-group
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ group:
+ additionalProperties: false
+ properties:
+ members:
+ items:
+ type: string
+ type: array
+ metadata:
+ additionalProperties:
+ type: string
+ type: object
+ tags:
+ items:
+ type: string
+ type: array
+ required:
+ - metadata
+ - tags
+ - members
+ type: object
+ required:
+ - group
+ type: object
+ responses: {}
+ summary: Upsert group stream settings
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/{name}/_ingest:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/streams/{name}/_ingest
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Fetches the ingest settings of an ingest stream definition
[Required authorization] Route required privileges: read_stream.
+ operationId: get-streams-name-ingest
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Get ingest stream settings
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/streams/{name}/_ingest
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Upserts the ingest settings of an ingest stream definition
[Required authorization] Route required privileges: manage_stream.
+ operationId: put-streams-name-ingest
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ ingest:
+ anyOf:
+ - allOf:
+ - properties:
+ lifecycle:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ dsl:
+ additionalProperties: false
+ properties:
+ data_retention:
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - dsl
+ type: object
+ - additionalProperties: false
+ properties:
+ ilm:
+ additionalProperties: false
+ properties:
+ policy:
+ minLength: 1
+ type: string
+ required:
+ - policy
+ type: object
+ required:
+ - ilm
+ type: object
+ - additionalProperties: false
+ properties:
+ inherit:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - inherit
+ type: object
+ processing:
+ additionalProperties: false
+ properties:
+ steps:
+ items:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - grok
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern_definitions:
+ additionalProperties:
+ type: string
+ type: object
+ patterns:
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - patterns
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - dissect
+ type: string
+ append_separator:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - pattern
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - date
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ formats:
+ items:
+ minLength: 1
+ type: string
+ type: array
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ locale:
+ minLength: 1
+ type: string
+ output_format:
+ minLength: 1
+ type: string
+ timezone:
+ minLength: 1
+ type: string
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - formats
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - drop_document
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - rename
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - set
+ type: string
+ copy_from:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value: {}
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - append
+ type: string
+ allow_duplicates:
+ type: boolean
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value:
+ items: {}
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ - value
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove_by_prefix
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - convert
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ type:
+ enum:
+ - integer
+ - long
+ - double
+ - boolean
+ - string
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - manual_ingest_pipeline
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ on_failure:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ processors:
+ items:
+ additionalProperties: false
+ properties:
+ append: {}
+ attachment: {}
+ bytes: {}
+ circle: {}
+ community_id: {}
+ convert: {}
+ csv: {}
+ date: {}
+ date_index_name: {}
+ dissect: {}
+ dot_expander: {}
+ drop: {}
+ enrich: {}
+ fail: {}
+ fingerprint: {}
+ foreach: {}
+ geo_grid: {}
+ geoip: {}
+ grok: {}
+ gsub: {}
+ html_strip: {}
+ inference: {}
+ ip_location: {}
+ join: {}
+ json: {}
+ kv: {}
+ lowercase: {}
+ network_direction: {}
+ pipeline: {}
+ redact: {}
+ registered_domain: {}
+ remove: {}
+ rename: {}
+ reroute: {}
+ script: {}
+ set: {}
+ set_security_user: {}
+ sort: {}
+ split: {}
+ terminate: {}
+ trim: {}
+ uppercase: {}
+ uri_parts: {}
+ urldecode: {}
+ user_agent: {}
+ required:
+ - append
+ - attachment
+ - bytes
+ - circle
+ - community_id
+ - convert
+ - csv
+ - date
+ - date_index_name
+ - dissect
+ - dot_expander
+ - drop
+ - enrich
+ - fail
+ - fingerprint
+ - foreach
+ - ip_location
+ - geo_grid
+ - geoip
+ - grok
+ - gsub
+ - html_strip
+ - inference
+ - join
+ - json
+ - kv
+ - lowercase
+ - network_direction
+ - pipeline
+ - redact
+ - registered_domain
+ - remove
+ - rename
+ - reroute
+ - script
+ - set
+ - set_security_user
+ - sort
+ - split
+ - terminate
+ - trim
+ - uppercase
+ - urldecode
+ - uri_parts
+ - user_agent
+ type: object
+ type: array
+ tag:
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - processors
+ type: object
+ - additionalProperties: false
+ properties:
+ customIdentifier:
+ type: string
+ where:
+ allOf:
+ - anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ - properties:
+ steps:
+ items: {}
+ type: array
+ required:
+ - steps
+ type: object
+ required:
+ - where
+ type: object
+ type: array
+ required:
+ - steps
+ type: object
+ settings:
+ additionalProperties: false
+ properties:
+ index.number_of_replicas:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.number_of_shards:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.refresh_interval:
+ additionalProperties: false
+ properties:
+ value:
+ anyOf:
+ - type: string
+ - enum:
+ - -1
+ type: number
+ required:
+ - value
+ type: object
+ type: object
+ required:
+ - lifecycle
+ - processing
+ - settings
+ type: object
+ - properties:
+ wired:
+ additionalProperties: false
+ properties:
+ fields:
+ additionalProperties:
+ allOf:
+ - additionalProperties:
+ anyOf:
+ - anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ - enum:
+ - "null"
+ nullable: true
+ x-omitempty: true
+ - not: {}
+ - items:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ - enum:
+ - "null"
+ nullable: true
+ x-omitempty: true
+ - not: {}
+ type: array
+ - items: {}
+ type: array
+ - {}
+ type: object
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ format:
+ minLength: 1
+ type: string
+ type:
+ enum:
+ - keyword
+ - match_only_text
+ - long
+ - double
+ - date
+ - boolean
+ - ip
+ type: string
+ required:
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ type:
+ enum:
+ - system
+ type: string
+ required:
+ - type
+ type: object
+ type: object
+ routing:
+ items:
+ additionalProperties: false
+ properties:
+ destination:
+ minLength: 1
+ type: string
+ status:
+ enum:
+ - enabled
+ - disabled
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - destination
+ - where
+ type: object
+ type: array
+ required:
+ - fields
+ - routing
+ type: object
+ required:
+ - wired
+ type: object
+ - allOf:
+ - properties:
+ lifecycle:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ dsl:
+ additionalProperties: false
+ properties:
+ data_retention:
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - dsl
+ type: object
+ - additionalProperties: false
+ properties:
+ ilm:
+ additionalProperties: false
+ properties:
+ policy:
+ minLength: 1
+ type: string
+ required:
+ - policy
+ type: object
+ required:
+ - ilm
+ type: object
+ - additionalProperties: false
+ properties:
+ inherit:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - inherit
+ type: object
+ processing:
+ additionalProperties: false
+ properties:
+ steps:
+ items:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - grok
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern_definitions:
+ additionalProperties:
+ type: string
+ type: object
+ patterns:
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - patterns
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - dissect
+ type: string
+ append_separator:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ pattern:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - pattern
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - date
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ formats:
+ items:
+ minLength: 1
+ type: string
+ type: array
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ locale:
+ minLength: 1
+ type: string
+ output_format:
+ minLength: 1
+ type: string
+ timezone:
+ minLength: 1
+ type: string
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - formats
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - drop_document
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - rename
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - set
+ type: string
+ copy_from:
+ minLength: 1
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ override:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value: {}
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - append
+ type: string
+ allow_duplicates:
+ type: boolean
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ value:
+ items: {}
+ minItems: 1
+ type: array
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - to
+ - value
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove_by_prefix
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - remove
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - convert
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ from:
+ minLength: 1
+ type: string
+ ignore_failure:
+ type: boolean
+ ignore_missing:
+ type: boolean
+ to:
+ minLength: 1
+ type: string
+ type:
+ enum:
+ - integer
+ - long
+ - double
+ - boolean
+ - string
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - from
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ action:
+ enum:
+ - manual_ingest_pipeline
+ type: string
+ customIdentifier:
+ minLength: 1
+ type: string
+ description:
+ type: string
+ ignore_failure:
+ type: boolean
+ on_failure:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ processors:
+ items:
+ additionalProperties: false
+ properties:
+ append: {}
+ attachment: {}
+ bytes: {}
+ circle: {}
+ community_id: {}
+ convert: {}
+ csv: {}
+ date: {}
+ date_index_name: {}
+ dissect: {}
+ dot_expander: {}
+ drop: {}
+ enrich: {}
+ fail: {}
+ fingerprint: {}
+ foreach: {}
+ geo_grid: {}
+ geoip: {}
+ grok: {}
+ gsub: {}
+ html_strip: {}
+ inference: {}
+ ip_location: {}
+ join: {}
+ json: {}
+ kv: {}
+ lowercase: {}
+ network_direction: {}
+ pipeline: {}
+ redact: {}
+ registered_domain: {}
+ remove: {}
+ rename: {}
+ reroute: {}
+ script: {}
+ set: {}
+ set_security_user: {}
+ sort: {}
+ split: {}
+ terminate: {}
+ trim: {}
+ uppercase: {}
+ uri_parts: {}
+ urldecode: {}
+ user_agent: {}
+ required:
+ - append
+ - attachment
+ - bytes
+ - circle
+ - community_id
+ - convert
+ - csv
+ - date
+ - date_index_name
+ - dissect
+ - dot_expander
+ - drop
+ - enrich
+ - fail
+ - fingerprint
+ - foreach
+ - ip_location
+ - geo_grid
+ - geoip
+ - grok
+ - gsub
+ - html_strip
+ - inference
+ - join
+ - json
+ - kv
+ - lowercase
+ - network_direction
+ - pipeline
+ - redact
+ - registered_domain
+ - remove
+ - rename
+ - reroute
+ - script
+ - set
+ - set_security_user
+ - sort
+ - split
+ - terminate
+ - trim
+ - uppercase
+ - urldecode
+ - uri_parts
+ - user_agent
+ type: object
+ type: array
+ tag:
+ type: string
+ where:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ required:
+ - action
+ - processors
+ type: object
+ - additionalProperties: false
+ properties:
+ customIdentifier:
+ type: string
+ where:
+ allOf:
+ - anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ - properties:
+ steps:
+ items: {}
+ type: array
+ required:
+ - steps
+ type: object
+ required:
+ - where
+ type: object
+ type: array
+ required:
+ - steps
+ type: object
+ settings:
+ additionalProperties: false
+ properties:
+ index.number_of_replicas:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.number_of_shards:
+ additionalProperties: false
+ properties:
+ value:
+ type: number
+ required:
+ - value
+ type: object
+ index.refresh_interval:
+ additionalProperties: false
+ properties:
+ value:
+ anyOf:
+ - type: string
+ - enum:
+ - -1
+ type: number
+ required:
+ - value
+ type: object
+ type: object
+ required:
+ - lifecycle
+ - processing
+ - settings
+ type: object
+ - properties:
+ classic:
+ additionalProperties: false
+ properties:
+ field_overrides:
+ additionalProperties:
+ allOf:
+ - additionalProperties:
+ anyOf:
+ - anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ - enum:
+ - "null"
+ nullable: true
+ x-omitempty: true
+ - not: {}
+ - items:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ - enum:
+ - "null"
+ nullable: true
+ x-omitempty: true
+ - not: {}
+ type: array
+ - items: {}
+ type: array
+ - {}
+ type: object
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ format:
+ minLength: 1
+ type: string
+ type:
+ enum:
+ - keyword
+ - match_only_text
+ - long
+ - double
+ - date
+ - boolean
+ - ip
+ type: string
+ required:
+ - type
+ type: object
+ - additionalProperties: false
+ properties:
+ type:
+ enum:
+ - system
+ type: string
+ required:
+ - type
+ type: object
+ type: object
+ type: object
+ required:
+ - classic
+ type: object
+ required:
+ - ingest
+ type: object
+ responses: {}
+ summary: Update ingest stream settings
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
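Review bot: the `processors` item schema under the `manual_ingest_pipeline` action lists every processor name (`append` through `user_agent`) in `required:`, while each of those properties is an untyped `{}`; as written, a single processor entry would have to carry all forty-odd keys at once, whereas an ingest processor is exactly one of them, so this wants a `oneOf` over the processor names (or at least no blanket `required` list) with a `type: object` per processor. In the same region the `set` action requires only `action` and `to`, so a step with neither `value` nor `copy_from` validates; one of the two should be required. Finally, the `where` condition block is pasted verbatim under every action and its `and`/`or`/`not` branches degrade to `items: {}` / `not: {}`, losing the recursive condition type; lifting the block into a `#/components/schemas/...` entry and referencing it would document the recursion and remove the duplication.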
+ /api/streams/{name}/content/export:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/streams/{name}/content/export
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Exports the content associated to a stream.
[Required authorization] Route required privileges: manage_stream.
+ operationId: post-streams-name-content-export
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ description:
+ type: string
+ include:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ objects:
+ additionalProperties: false
+ properties:
+ all:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - all
+ type: object
+ required:
+ - objects
+ type: object
+ - additionalProperties: false
+ properties:
+ objects:
+ additionalProperties: false
+ properties:
+ mappings:
+ type: boolean
+ queries:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ type: array
+ routing:
+ items:
+ allOf:
+ - {}
+ - properties:
+ destination:
+ type: string
+ required:
+ - destination
+ type: object
+ type: array
+ required:
+ - mappings
+ - queries
+ - routing
+ type: object
+ required:
+ - objects
+ type: object
+ name:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ - description
+ - version
+ - include
+ type: object
+ responses: {}
+ summary: Export stream content
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/streams/{name}/content/import:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/streams/{name}/content/import
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Links content objects to a stream.
[Required authorization] Route required privileges: manage_stream.
+ operationId: post-streams-name-content-import
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ multipart/form-data:
+ schema:
+ additionalProperties: false
+ properties:
+ content: {}
+ include:
+ type: string
+ required:
+ - include
+ - content
+ type: object
+ responses: {}
+ summary: Import content into a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
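Review bot: both content operations (`/content/export` and `/content/import`) declare `responses: {}`, so consumers of this spec get no status codes and no body schema for either; at minimum the success response (the exported content / the import result) and the error returned when the caller lacks `manage_stream` should be described. In the import body the multipart field is `content: {}`; a file part should be `type: string` with `format: binary` so generators emit an upload rather than an untyped value. These two are also the only streams operations in this change without `x-state: Technical Preview`; worth confirming the omission is intentional.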
+ /api/streams/{name}/dashboards:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/streams/{name}/dashboards
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Fetches all dashboards linked to a stream that are visible to the current user in the current space.
[Required authorization] Route required privileges: read_stream.
+ operationId: get-streams-name-dashboards
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Get stream dashboards
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/{name}/dashboards/_bulk:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/streams/{name}/dashboards/_bulk
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Bulk update dashboards linked to a stream. Can link new dashboards and delete existing ones.
[Required authorization] Route required privileges: manage_stream.
+ operationId: post-streams-name-dashboards-bulk
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ operations:
+ items:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ index:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ required:
+ - index
+ type: object
+ - additionalProperties: false
+ properties:
+ delete:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ required:
+ - delete
+ type: object
+ type: array
+ required:
+ - operations
+ type: object
+ responses: {}
+ summary: Bulk update dashboards
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/{name}/dashboards/{dashboardId}:
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/streams/{name}/dashboards/{dashboardId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Links a dashboard to a stream. Noop if the dashboard is already linked to the stream.
[Required authorization] Route required privileges: manage_stream.
+ operationId: put-streams-name-dashboards-dashboardid
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: dashboardId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Link a dashboard to a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/streams/{name}/dashboards/{dashboardId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Unlinks a dashboard from a stream. Noop if the dashboard is not linked to the stream.
[Required authorization] Route required privileges: manage_stream.
+ operationId: delete-streams-name-dashboards-dashboardid
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: dashboardId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Unlink a dashboard from a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/{name}/queries:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/streams/{name}/queries
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Fetches all queries linked to a stream that are visible to the current user in the current space.
[Required authorization] Route required privileges: read_stream.
+ operationId: get-streams-name-queries
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Get stream queries
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
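Review bot: the GET operations on `/dashboards` and `/queries` (and the PUT/DELETE on `/dashboards/{dashboardId}`) declare a `requestBody` whose schema is `anyOf` an empty object, `"null"`, or `not: {}`; the last branch matches nothing and the other two say "no payload", so the body is effectively absent. A request body on GET has undefined semantics in OpenAPI 3.0 and most generated clients drop it, so these `requestBody` blocks should be removed rather than kept as an empty placeholder. The same operations also ship `responses: {}`; the 200 payload (the linked dashboards or queries) is what readers of this endpoint will look for first.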
+ /api/streams/{name}/queries/_bulk:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/streams/{name}/queries/_bulk
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Bulk update queries of a stream. Can add new queries and delete existing ones.
[Required authorization] Route required privileges: manage_stream.
+ operationId: post-streams-name-queries-bulk
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ operations:
+ items:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ index:
+ allOf:
+ - properties:
+ id:
+ minLength: 1
+ type: string
+ title:
+ minLength: 1
+ type: string
+ required:
+ - id
+ - title
+ type: object
+ - properties:
+ feature:
+ additionalProperties: false
+ properties:
+ filter:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ - filter
+ type: object
+ kql:
+ additionalProperties: false
+ properties:
+ query:
+ type: string
+ required:
+ - query
+ type: object
+ required:
+ - kql
+ type: object
+ required:
+ - index
+ type: object
+ - additionalProperties: false
+ properties:
+ delete:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ required:
+ - delete
+ type: object
+ type: array
+ required:
+ - operations
+ type: object
+ responses: {}
+ summary: Bulk update queries
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
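Review bot: the `filter` condition schema in the `_bulk` `index` operation leaves `and`, `or` and `not` untyped (`items: {}` / `not: {}`), so nested conditions are never validated against the same `field`/`eq`/`range`/`exists` shape as the top level, and the whole block is then repeated verbatim under `put .../queries/{queryId}`, `significant_events/_generate` and `significant_events/_preview`. Suggest moving the condition to a named `components/schemas` entry that references itself for `and`/`or`/`not`, and giving this POST a real `responses` section instead of `{}` so a caller can tell which of the bulk operations were applied. Also, `delete.id` here is a plain `string` while `index.id` requires `minLength: 1`; an empty-string delete id should be rejected the same way.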
+ /api/streams/{name}/queries/{queryId}:
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/streams/{name}/queries/{queryId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Adds a query to a stream. Noop if the query is already present on the stream.
[Required authorization] Route required privileges: manage_stream.
+ operationId: put-streams-name-queries-queryid
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: queryId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ feature:
+ additionalProperties: false
+ properties:
+ filter:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ - filter
+ type: object
+ kql:
+ additionalProperties: false
+ properties:
+ query:
+ type: string
+ required:
+ - query
+ type: object
+ title:
+ minLength: 1
+ type: string
+ required:
+ - title
+ - kql
+ type: object
+ responses: {}
+ summary: Upsert a query to a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/streams/{name}/queries/{queryId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Remove a query from a stream. Noop if the query is not found on the stream.
[Required authorization] Route required privileges: manage_stream.
+ operationId: delete-streams-name-queries-queryid
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: queryId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Remove a query from a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/{name}/rules:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/streams/{name}/rules
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Fetches all rules linked to a stream that are visible to the current user in the current space.
[Required authorization] Route required privileges: read_stream.
+ operationId: get-streams-name-rules
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Get stream rules
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/{name}/rules/{ruleId}:
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/streams/{name}/rules/{ruleId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Links a rule to a stream. Noop if the rule is already linked to the stream.
[Required authorization] Route required privileges: manage_stream.
+ operationId: put-streams-name-rules-ruleid
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: ruleId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Link a rule to a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/streams/{name}/rules/{ruleId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Unlinks a rule from a stream. Noop if the rule is not linked to the stream.
[Required authorization] Route required privileges: manage_stream.
+ operationId: delete-streams-name-rules-ruleid
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: ruleId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Unlink a rule from a stream
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/streams/{name}/significant_events:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/streams/{name}/significant_events
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Read the significant events
[Required authorization] Route required privileges: read_stream.
+ operationId: get-streams-name-significant-events
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: from
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: to
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: bucketSize
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ properties: {}
+ type: object
+ - enum:
+ - "null"
+ nullable: true
+ - not: {}
+ responses: {}
+ summary: Read the significant events
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.1.0
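Review bot: `from`, `to` and `bucketSize` on `get .../significant_events` are required query strings with no `format`, `pattern`, `description` or example, so the spec does not say whether `from`/`to` take ISO 8601, epoch millis or date math, nor what unit `bucketSize` uses; the same three parameters appear on `_preview`, and `from`/`to`/`currentDate` on `_generate`. Suggest `format: date-time` (or a stated date-math pattern) and a description for `bucketSize`, which also lets generated clients and request validators reject malformed ranges before the route runs.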
+ /api/streams/{name}/significant_events/_generate:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/streams/{name}/significant_events/_generate
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Generate significant events queries based on the stream data
[Required authorization] Route required privileges: read_stream.
+ operationId: post-streams-name-significant-events-generate
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: connectorId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: currentDate
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: from
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: to
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ feature:
+ additionalProperties: false
+ properties:
+ description:
+ type: string
+ filter:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ - filter
+ - description
+ type: object
+ type: object
+ responses: {}
+ summary: Generate significant events
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.2.0
+ /api/streams/{name}/significant_events/_preview:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/streams/{name}/significant_events/_preview
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Preview significant event results based on a given query
[Required authorization] Route required privileges: read_stream.
+ operationId: post-streams-name-significant-events-preview
+ parameters:
+ - in: path
+ name: name
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: from
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: to
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: bucketSize
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ query:
+ additionalProperties: false
+ properties:
+ feature:
+ additionalProperties: false
+ properties:
+ filter:
+ anyOf:
+ - anyOf:
+ - additionalProperties: false
+ properties:
+ contains:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ endsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ eq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ field:
+ minLength: 1
+ type: string
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ neq:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ range:
+ additionalProperties: false
+ properties:
+ gt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ gte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lt:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ lte:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ type: object
+ startsWith:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ exists:
+ type: boolean
+ field:
+ minLength: 1
+ type: string
+ required:
+ - field
+ type: object
+ - additionalProperties: false
+ properties:
+ and:
+ items: {}
+ type: array
+ required:
+ - and
+ type: object
+ - additionalProperties: false
+ properties:
+ or:
+ items: {}
+ type: array
+ required:
+ - or
+ type: object
+ - additionalProperties: false
+ properties:
+ not: {}
+ required:
+ - not
+ type: object
+ - additionalProperties: false
+ properties:
+ never:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - never
+ type: object
+ - additionalProperties: false
+ properties:
+ always:
+ additionalProperties: false
+ properties: {}
+ type: object
+ required:
+ - always
+ type: object
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ - filter
+ type: object
+ kql:
+ additionalProperties: false
+ properties:
+ query:
+ type: string
+ required:
+ - query
+ type: object
+ required:
+ - kql
+ type: object
+ required:
+ - query
+ type: object
+ responses: {}
+ summary: Preview significant events
+ tags:
+ - streams
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview; added in 9.1.0
+ /api/synthetics/monitor/test/{monitorId}:
+ post:
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/synthetics/monitor/test/{monitorId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Trigger an immediate test execution for the specified monitor. The response includes the generated `testRunId`. If the test encounters issues in one or more service locations, an `errors` array is also returned with details about the failures.
+ operationId: post-synthetics-monitor-test
+ parameters:
+ - description: The ID (config_id) of the monitor to test.
+ in: path
+ name: monitorId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ errors:
+ description: Array of errors encountered while triggering the test, one per service location.
+ items:
+ properties:
+ error:
+ properties:
+ failed_monitors:
+ description: Optional list of monitors that failed at the location.
+ items:
+ type: object
+ nullable: true
+ type: array
+ reason:
+ description: Human-readable explanation of the failure.
+ type: string
+ status:
+ description: HTTP status code returned by the agent.
+ type: integer
+ required:
+ - status
+ - reason
+ - failed_monitors
+ type: object
+ locationId:
+ description: Identifier of the service location where the error occurred.
+ type: string
+ required:
+ - locationId
+ - error
+ type: object
+ type: array
+ testRunId:
+ description: Unique identifier for the triggered test run.
+ type: string
+ required:
+ - testRunId
+ type: object
+ description: Test run triggered successfully.
+ "404":
+ description: Monitor not found.
+ summary: Trigger an on-demand test run for a monitor
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.2.0
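Review bot: the description of `post /api/synthetics/monitor/test/{monitorId}` omits the privilege statement every other synthetics operation carries (`You must have ... privileges for the Synthetics feature in the Observability section ...`), and the `404` response has no schema. Since this route starts an on-demand execution of the monitor at each service location, the required privilege is exactly what a reader auditing who can trigger test runs needs; suggest adding that sentence and a body schema (or `$ref`) for the 404.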
+ /api/synthetics/monitors:
+ get:
+ description: |
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/synthetics/monitors
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of monitors.
+ You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ operationId: get-synthetic-monitors
+ parameters:
+ - description: Additional filtering criteria.
+ in: query
+ name: filter
+ schema:
+ type: string
+ - description: The locations to filter by.
+ in: query
+ name: locations
+ schema:
+ oneOf:
+ - type: string
+ - type: array
+ - description: The monitor types to filter.
+ in: query
+ name: monitorTypes
+ schema:
+ oneOf:
+ - enum:
+ - browser
+ - http
+ - icmp
+ - tcp
+ type: string
+ - type: array
+ - description: The page number for paginated results.
+ in: query
+ name: page
+ schema:
+ type: integer
+ - description: The number of items to return per page.
+ in: query
+ name: per_page
+ schema:
+ type: integer
+ - description: The projects to filter by.
+ in: query
+ name: projects
+ schema:
+ oneOf:
+ - type: string
+ - type: array
+ - description: A free-text query string.
+ in: query
+ name: query
+ schema:
+ type: string
+ - description: The schedules to filter by.
+ in: query
+ name: schedules
+ schema:
+ oneOf:
+ - type: array
+ - type: string
+ - description: The field to sort the results by.
+ in: query
+ name: sortField
+ schema:
+ enum:
+ - name
+ - createdAt
+ - updatedAt
+ - status
+ type: string
+ - description: The sort order.
+ in: query
+ name: sortOrder
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ - description: The status to filter by.
+ in: query
+ name: status
+ schema:
+ oneOf:
+ - type: array
+ - type: string
+ - description: Tags to filter monitors.
+ in: query
+ name: tags
+ schema:
+ oneOf:
+ - type: string
+ - type: array
+ - description: |
+ Specifies whether to apply logical AND filtering for specific fields. Accepts either a string with values "tags" or "locations" or an array containing both.
+ in: query
+ name: useLogicalAndFor
+ schema:
+ items:
+ enum:
+ - tags
+ - locations
+ type: string
+ type: array
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: A successful response.
+ summary: Get monitors
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
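Review bot: in `get /api/synthetics/monitors`, each `type: array` branch of the `oneOf` for `locations`, `monitorTypes`, `projects`, `schedules`, `status` and `tags` has no `items`, which OpenAPI 3.0 requires, so a validator cannot check the element type; `page` and `per_page` also lack a `minimum`, and the `200` body is an untyped `type: object`. Suggest `items: {type: string}` (reusing the `browser`/`http`/`icmp`/`tcp` enum for `monitorTypes`), `minimum: 0` on the paging integers, and a response schema that lists the returned monitor fields.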
+ post:
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/synthetics/monitors
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a new monitor with the specified attributes. A monitor can be one of the following types: HTTP, TCP, ICMP, or Browser. The required and default fields may vary based on the monitor type.
+ You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ operationId: post-synthetic-monitors
+ requestBody:
+ content:
+ application/json:
+ schema:
+ description: |
+ The request body should contain the attributes of the monitor you want to create. The required and default fields differ depending on the monitor type.
+ oneOf:
+ - $ref: '#/components/schemas/Synthetics_browserMonitorFields'
+ - $ref: '#/components/schemas/Synthetics_httpMonitorFields'
+ - $ref: '#/components/schemas/Synthetics_icmpMonitorFields'
+ - $ref: '#/components/schemas/Synthetics_tcpMonitorFields'
+ required: true
+ responses:
+ "200":
+ description: A successful response.
+ summary: Create a monitor
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/synthetics/monitors/_bulk_delete:
+ post:
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/synthetics/monitors/_bulk_delete
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete multiple monitors by sending a list of config IDs.
+ operationId: delete-synthetic-monitors
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ ids:
+ description: An array of monitor IDs to delete.
+ items:
+ type: string
+ type: array
+ required:
+ - ids
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ description: The API response includes information about the deleted monitors.
+ properties:
+ deleted:
+ description: |
+ If it is `true`, the monitor was successfully deleted If it is `false`, the monitor was not deleted.
+ type: boolean
+ ids:
+ description: The unique identifier of the deleted monitor.
+ type: string
+ type: object
+ type: array
+ description: A successful response.
+ summary: Delete monitors
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
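Review bot: in the `200` response of `post /api/synthetics/monitors/_bulk_delete`, the property is named `ids` but typed `string` and described as "The unique identifier of the deleted monitor", so name, type and description disagree; the params bulk-delete response later in this file uses `id`. Suggest renaming to `id` (or, if the route really returns a list, `type: array` with `items: {type: string}`); the `deleted` description is also missing a full stop after "successfully deleted".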
+ /api/synthetics/monitors/{id}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/synthetics/monitors/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: get-synthetic-monitor
+ parameters:
+ - description: The ID of the monitor.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: A successful response.
+ "404":
+ description: If the monitor is not found, the API returns a 404 error.
+ summary: Get a monitor
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/synthetics/monitors/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update a monitor with the specified attributes. The required and default fields may vary based on the monitor type.
+ You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ You can also partially update a monitor. This will only update the fields that are specified in the request body. All other fields are left unchanged. The specified fields should conform to the monitor type. For example, you can't update the `inline_scipt` field of a HTTP monitor.
+ operationId: put-synthetic-monitor
+ parameters:
+ - description: The identifier for the monitor that you want to update.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ description: |
+ The request body should contain the attributes of the monitor you want to update. The required and default fields differ depending on the monitor type.
+ oneOf:
+ - $ref: '#/components/schemas/Synthetics_browserMonitorFields'
+ - $ref: '#/components/schemas/Synthetics_httpMonitorFields'
+ - $ref: '#/components/schemas/Synthetics_icmpMonitorFields'
+ - $ref: '#/components/schemas/Synthetics_tcpMonitorFields'
+ type: object
+ required: true
+ summary: Update a monitor
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
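Review bot: `put /api/synthetics/monitors/{id}` has no `responses` object, which OpenAPI requires on every operation, and the same omission affects `delete /api/synthetics/monitors/{id}` and `delete /api/synthetics/params/{id}`; each jumps from its parameters or body straight to `summary`. The description also spells the field `inline_scipt`; it should read `inline_script`. Finally, the request schema mixes `type: object` with the `oneOf` of monitor `$ref`s while the `post` body above does not; keep the two consistent so the partial-update semantics described here are validated the same way as creation.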
+ delete:
+ description: |
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/synthetics/monitors/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a monitor from the Synthetics app.
+ You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ operationId: delete-synthetic-monitor
+ parameters:
+ - description: The identifier for the monitor that you want to delete.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ summary: Delete a monitor
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/synthetics/params:
+ get:
+ description: |
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/synthetics/params
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of all parameters. You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ operationId: get-parameters
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/Synthetics_getParameterResponse'
+ type: array
+ description: A successful response.
+ summary: Get parameters
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/synthetics/params
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Add one or more parameters to the Synthetics app.
+ You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ operationId: post-parameters
+ requestBody:
+ content:
+ application/json:
+ schema:
+ oneOf:
+ - items:
+ $ref: '#/components/schemas/Synthetics_parameterRequest'
+ type: array
+ - $ref: '#/components/schemas/Synthetics_parameterRequest'
+ description: The request body can contain either a single parameter object or an array of parameter objects.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/create_param_response'
+ description: A successful response.
+ summary: Add parameters
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/synthetics/params/_bulk_delete:
+ delete:
+ description: |
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/synthetics/params/_bulk_delete
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete parameters from the Synthetics app.
+ You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ operationId: delete-parameters
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ ids:
+ description: An array of parameter IDs to delete.
+ items:
+ type: string
+ type: array
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ properties:
+ deleted:
+ description: |
+ Indicates whether the parameter was successfully deleted. It is `true` if it was deleted. It is `false` if it was not deleted.
+ type: boolean
+ id:
+ description: The unique identifier for the deleted parameter.
+ type: string
+ type: object
+ type: array
+ description: A successful response.
+ summary: Delete parameters
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
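Review bot: `delete /api/synthetics/params/_bulk_delete` carries a JSON `requestBody`; HTTP assigns no semantics to a DELETE body and some proxies and clients strip it, which is presumably why the monitors equivalent is `post .../monitors/_bulk_delete`. Consider the same method here, and mark `ids` as `required` as the monitors schema does, since a body without it is currently valid per the spec but can delete nothing.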
+ /api/synthetics/params/{id}:
+ get:
+ description: |
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/synthetics/params/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a parameter from the Synthetics app.
+ You must have `read` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ operationId: get-parameter
+ parameters:
+ - description: The unique identifier for the parameter.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Synthetics_getParameterResponse'
+ description: A successful response.
+ summary: Get a parameter
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/synthetics/params/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update a parameter in the Synthetics app.
+ You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ operationId: put-parameter
+ parameters:
+ - description: The unique identifier for the parameter.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ description:
+ description: The updated description of the parameter.
+ type: string
+ key:
+ description: The key of the parameter.
+ type: string
+ tags:
+ description: An array of updated tags to categorize the parameter.
+ items:
+ type: string
+ type: array
+ value:
+ description: The updated value associated with the parameter.
+ type: string
+ type: object
+ description: The request body cannot be empty; at least one attribute is required.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: A successful response.
+ summary: Update a parameter
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/synthetics/params/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a parameter from the Synthetics app.
+ You must have `all` privileges for the Synthetics feature in the Observability section of the Kibana feature privileges.
+ operationId: delete-parameter
+ parameters:
+ - description: The ID for the parameter to delete.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ summary: Delete a parameter
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/synthetics/private_locations:
+ get:
+ description: |
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/synthetics/private_locations
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of private locations.
+ You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
+ operationId: get-private-locations
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/Synthetics_getPrivateLocation'
+ type: array
+ description: A successful response.
+ summary: Get private locations
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/synthetics/private_locations
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
+ operationId: post-private-location
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ agentPolicyId:
+ description: The ID of the agent policy associated with the private location.
+ type: string
+ geo:
+ description: Geographic coordinates (WGS84) for the location.
+ properties:
+ lat:
+ description: The latitude of the location.
+ type: number
+ lon:
+ description: The longitude of the location.
+ type: number
+ required:
+ - lat
+ - lon
+ type: object
+ label:
+ description: A label for the private location.
+ type: string
+ spaces:
+ description: |
+ An array of space IDs where the private location is available. If it is not provided, the private location is available in all spaces.
+ items:
+ type: string
+ type: array
+ tags:
+ description: An array of tags to categorize the private location.
+ items:
+ type: string
+ type: array
+ required:
+ - agentPolicyId
+ - label
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: A successful response.
+ "400":
+ description: If the `agentPolicyId` is already used by an existing private location or if the `label` already exists, the API will return a 400 Bad Request response with a corresponding error message.
+ summary: Create a private location
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/synthetics/private_locations/{id}:
+ get:
+ description: |
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/synthetics/private_locations/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ You must have `read` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
+ operationId: get-private-location
+ parameters:
+ - description: A private location identifier or label.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Synthetics_getPrivateLocation'
+ description: A successful response.
+ summary: Get a private location
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/synthetics/private_locations/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update an existing private location's label.
+ You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
+ When a private location's label is updated, all monitors using this location will also be updated to maintain data consistency.
+ operationId: put-private-location
+ parameters:
+ - description: The unique identifier of the private location to be updated.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ label:
+ description: A new label for the private location. Must be at least 1 character long.
+ minLength: 1
+ type: string
+ required:
+ - label
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Synthetics_getPrivateLocation'
+ description: A successful response.
+ "400":
+ description: If the `label` is shorter than 1 character the API will return a 400 Bad Request response with a corresponding error message.
+ "404":
+ description: If the private location with the specified ID does not exist, the API will return a 404 Not Found response.
+ summary: Update a private location
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/synthetics/private_locations/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ You must have `all` privileges for the Synthetics and Uptime feature in the Observability section of the Kibana feature privileges.
+ The API does not return a response body for deletion, but it will return an appropriate status code upon successful deletion.
+ A location cannot be deleted if it has associated monitors in use. You must delete all monitors associated with the location before deleting the location.
+ operationId: delete-private-location
+ parameters:
+ - description: The unique identifier of the private location to be deleted.
+ in: path
+ name: id
+ required: true
+ schema:
+ maxLength: 1024
+ minLength: 1
+ type: string
+ summary: Delete a private location
+ tags:
+ - synthetics
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/task_manager/_health:
+ get:
+ description: |
+ Get the health status of the Kibana task manager.
+ operationId: task-manager-health
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Task_manager_health_APIs_health_response'
+ description: Indicates a successful call
+ summary: Get the task manager health
+ tags:
+ - task manager
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/timeline:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/timeline
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the details of an existing saved Timeline or Timeline template.
+ operationId: GetTimeline
+ parameters:
+ - description: The `savedObjectId` of the template timeline to retrieve
+ in: query
+ name: template_timeline_id
+ schema:
+ type: string
+ - description: The `savedObjectId` of the Timeline to retrieve.
+ in: query
+ name: id
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
+ description: Indicates that the (template) Timeline was found and returned.
+ summary: Get Timeline or Timeline template details
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ patch:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ patch /s/{space_id}/api/timeline
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline.
+ operationId: PatchTimeline
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ timeline:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ description: The timeline object of the Timeline or Timeline template that you’re updating.
+ timelineId:
+ description: The `savedObjectId` of the Timeline or Timeline template that you’re updating.
+ nullable: true
+ type: string
+ x-omitempty: true
+ version:
+ description: The version of the Timeline or Timeline template that you’re updating.
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - timelineId
+ - version
+ - timeline
+ type: object
+ description: The Timeline updates, along with the Timeline ID and version.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ description: Indicates that the Timeline was successfully updated.
+ "405":
+ content:
+ application/json:
+ schema:
+ properties:
+ body:
+ description: The error message
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Indicates that the user does not have the required access to create a Timeline.
+ summary: Update a Timeline
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/timeline
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a new Timeline or Timeline template.
+ operationId: CreateTimelines
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ status:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
+ nullable: true
+ x-omitempty: true
+ templateTimelineId:
+ description: A unique identifier for the Timeline template.
+ nullable: true
+ type: string
+ x-omitempty: true
+ templateTimelineVersion:
+ description: Timeline template version number.
+ nullable: true
+ type: number
+ x-omitempty: true
+ timeline:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ timelineId:
+ description: A unique identifier for the Timeline.
+ nullable: true
+ type: string
+ x-omitempty: true
+ timelineType:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ nullable: true
+ x-omitempty: true
+ version:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - timeline
+ type: object
+ description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ description: Indicates the Timeline was successfully created.
+ "405":
+ content:
+ application/json:
+ schema:
+ properties:
+ body:
+ description: The error message
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Indicates that there was an error in the Timeline creation.
+ summary: Create a Timeline or Timeline template
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/timeline
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete one or more Timelines or Timeline templates.
+ operationId: DeleteTimelines
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ savedObjectIds:
+ description: The list of IDs of the Timelines or Timeline templates to delete
+ items:
+ type: string
+ type: array
+ searchIds:
+ description: Saved search IDs that should be deleted alongside the timelines
+ items:
+ type: string
+ type: array
+ required:
+ - savedObjectIds
+ type: object
+ description: The IDs of the Timelines or Timeline templates to delete.
+ required: true
+ responses:
+ "200":
+ description: Indicates the Timeline was successfully deleted.
+ summary: Delete Timelines or Timeline templates
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/timeline/_copy:
+ get:
+ description: |
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/timeline/_copy
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Copies and returns a timeline or timeline template.
+ operationId: CopyTimeline
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ timeline:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ timelineIdToCopy:
+ type: string
+ required:
+ - timeline
+ - timelineIdToCopy
+ type: object
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ description: Indicates that the timeline has been successfully copied.
+ summary: Copies timeline or timeline template
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/timeline/_draft:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/timeline/_draft
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned.
+ operationId: GetDraftTimelines
+ parameters:
+ - in: query
+ name: timelineType
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ description: Indicates that the draft Timeline was successfully retrieved.
+ "403":
+ content:
+ application/json:
+ schema:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: number
+ type: object
+ description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline.
+ "409":
+ content:
+ application/json:
+ schema:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: number
+ type: object
+ description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`.
+ summary: Get draft Timeline or Timeline template details
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/timeline/_draft
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a clean draft Timeline or Timeline template for the current user.
+ > info
+ > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
+ operationId: CleanDraftTimelines
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ timelineType:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ required:
+ - timelineType
+ type: object
+ description: The type of Timeline to create. Valid values are `default` and `template`.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ description: Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
+ "403":
+ content:
+ application/json:
+ schema:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: number
+ type: object
+ description: Indicates that the user does not have the required permissions to create a draft Timeline.
+ "409":
+ content:
+ application/json:
+ schema:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: number
+ type: object
+ description: Indicates that there is already a draft Timeline with the given `timelineId`.
+ summary: Create a clean draft Timeline or Timeline template
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/timeline/_export:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/timeline/_export
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Export Timelines as an NDJSON file.
+ operationId: ExportTimelines
+ parameters:
+ - description: The name of the file to export
+ in: query
+ name: file_name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ ids:
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ type: object
+ description: The IDs of the Timelines to export.
+ required: true
+ responses:
+ "200":
+ content:
+ application/ndjson:
+ schema:
+ description: NDJSON of the exported Timelines
+ type: string
+ description: Indicates the Timelines were successfully exported.
+ "400":
+ content:
+ application/ndjson:
+ schema:
+ properties:
+ body:
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Indicates that the export size limit was exceeded.
+ summary: Export Timelines
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/timeline/_favorite:
+ patch:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ patch /s/{space_id}/api/timeline/_favorite
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Favorite a Timeline or Timeline template for the current user.
+ operationId: PersistFavoriteRoute
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ templateTimelineId:
+ nullable: true
+ type: string
+ x-omitempty: true
+ templateTimelineVersion:
+ nullable: true
+ type: number
+ x-omitempty: true
+ timelineId:
+ nullable: true
+ type: string
+ x-omitempty: true
+ timelineType:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ nullable: true
+ x-omitempty: true
+ required:
+ - timelineId
+ - templateTimelineId
+ - templateTimelineVersion
+ - timelineType
+ type: object
+ description: The required fields used to favorite a (template) Timeline.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse'
+ description: Indicates the favorite status was successfully updated.
+ "403":
+ content:
+ application/json:
+ schema:
+ properties:
+ body:
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Indicates the user does not have the required permissions to persist the favorite status.
+ summary: Favorite a Timeline or Timeline template
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/timeline/_import:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/timeline/_import
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Import Timelines.
+ operationId: ImportTimelines
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ file: {}
+ isImmutable:
+ description: Whether the Timeline should be immutable
+ enum:
+ - "true"
+ - "false"
+ type: string
+ required:
+ - file
+ type: object
+ description: The Timelines to import as a readable stream.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult'
+ description: Indicates the import of Timelines was successful.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ body:
+ description: The error message
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Indicates the import of Timelines was unsuccessful because of an invalid file extension.
+ "404":
+ content:
+ application/json:
+ schema:
+ properties:
+ body:
+ description: The error message
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Indicates that we were unable to locate the saved object client necessary to handle the import.
+ "409":
+ content:
+ application/json:
+ schema:
+ properties:
+ body:
+ description: The error message
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Indicates the import of Timelines was unsuccessful.
+ summary: Import Timelines
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/timeline/_prepackaged:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/timeline/_prepackaged
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Install or update prepackaged Timelines.
+ operationId: InstallPrepackedTimelines
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ prepackagedTimelines:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject'
+ nullable: true
+ x-omitempty: true
+ type: array
+ timelinesToInstall:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines'
+ nullable: true
+ x-omitempty: true
+ type: array
+ timelinesToUpdate:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines'
+ nullable: true
+ x-omitempty: true
+ type: array
+ required:
+ - timelinesToInstall
+ - timelinesToUpdate
+ - prepackagedTimelines
+ type: object
+ description: The Timelines to install or update.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult'
+ description: Indicates the installation of prepackaged Timelines was successful.
+ "500":
+ content:
+ application/json:
+ schema:
+ properties:
+ body:
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Indicates the installation of prepackaged Timelines was unsuccessful.
+ summary: Install prepackaged Timelines
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/timeline/resolve:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/timeline/resolve
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: ResolveTimeline
+ parameters:
+ - description: The ID of the template timeline to resolve
+ in: query
+ name: template_timeline_id
+ schema:
+ type: string
+ - description: The ID of the timeline to resolve
+ in: query
+ name: id
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline'
+ description: The (template) Timeline has been found
+ "400":
+ description: The request is missing parameters
+ "404":
+ description: The (template) Timeline was not found
+ summary: Get an existing saved Timeline or Timeline template
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/timelines:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/timelines
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Get a list of all saved Timelines or Timeline templates.
+ operationId: GetTimelines
+ parameters:
+ - description: If true, only timelines that are marked as favorites by the user are returned.
+ in: query
+ name: only_user_favorite
+ schema:
+ enum:
+ - "true"
+ - "false"
+ nullable: true
+ type: string
+ - in: query
+ name: timeline_type
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ nullable: true
+ - in: query
+ name: sort_field
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline'
+ - description: Whether to sort the results `ascending` or `descending`
+ in: query
+ name: sort_order
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ - description: How many results should returned at once
+ in: query
+ name: page_size
+ schema:
+ nullable: true
+ type: string
+ - description: How many pages should be skipped
+ in: query
+ name: page_index
+ schema:
+ nullable: true
+ type: string
+ - description: Allows to search for timelines by their title
+ in: query
+ name: search
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: status
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
+ nullable: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ customTemplateTimelineCount:
+ description: The amount of custom Timeline templates in the results
+ type: number
+ defaultTimelineCount:
+ description: The amount of `default` type Timelines in the results
+ type: number
+ elasticTemplateTimelineCount:
+ description: The amount of Elastic's Timeline templates in the results
+ type: number
+ favoriteCount:
+ description: The amount of favorited Timelines
+ type: number
+ templateTimelineCount:
+ description: The amount of Timeline templates in the results
+ type: number
+ timeline:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
+ type: array
+ totalCount:
+ description: The total amount of results
+ type: number
+ required:
+ - timeline
+ - totalCount
+ type: object
+ description: Indicates that the (template) Timelines were found and returned.
+ "400":
+ content:
+ application/json:
+ schema:
+ properties:
+ body:
+ description: The error message
+ type: string
+ statusCode:
+ type: number
+ type: object
+ description: Bad request. The user supplied invalid data.
+ summary: Get Timelines or Timeline templates
+ tags:
+ - Security Timeline API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /api/upgrade_assistant/status:
+ get:
+ description: Check the status of your cluster.
+ operationId: get-upgrade-status
+ responses:
+ "200":
+ content:
+ application/json: {}
+ description: Indicates a successful call.
+ summary: Get the upgrade readiness status
+ tags:
+ - upgrade
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Technical Preview
+ /api/uptime/settings:
+ get:
+ description: |
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/uptime/settings
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ You must have `read` privileges for the uptime feature in the Observability section of the Kibana feature privileges.
+ operationId: get-uptime-settings
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call
+ summary: Get uptime settings
+ tags:
+ - uptime
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/uptime/settings
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update uptime setting attributes like `heartbeatIndices`, `certExpirationThreshold`, `certAgeThreshold`, `defaultConnectors`, or `defaultEmail`. You must have `all` privileges for the uptime feature in the Observability section of the Kibana feature privileges. A partial update is supported, provided settings keys will be merged with existing settings.
+ operationId: put-uptime-settings
+ requestBody:
+ content:
+ application/json:
+ schema:
+ properties:
+ certAgeThreshold:
+ default: 730
+ description: The number of days after a certificate is created to trigger an alert.
+ type: number
+ certExpirationThreshold:
+ default: 30
+ description: The number of days before a certificate expires to trigger an alert.
+ type: number
+ defaultConnectors:
+ default: []
+ description: A list of connector IDs to be used as default connectors for new alerts.
+ type: array
+ defaultEmail:
+ description: |
+ The default email configuration for new alerts.
+ properties:
+ bcc:
+ default: []
+ items:
+ type: string
+ type: array
+ cc:
+ default: []
+ items:
+ type: string
+ type: array
+ to:
+ default: []
+ items:
+ type: string
+ type: array
+ type: object
+ heartbeatIndices:
+ default: heartbeat-*
+ description: "An index pattern string to be used within the Uptime app and alerts to query Heartbeat data. \n"
+ type: string
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ type: object
+ description: Indicates a successful call
+ summary: Update uptime settings
+ tags:
+ - uptime
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/actions/connector/{id}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/actions/connector/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: get-actions-connector-id
+ parameters:
+ - description: An identifier for the connector.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ - $ref: '#/components/parameters/spaceId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/connector_response'
+ description: Indicates a successful call.
+ summary: Get connector information
+ tags:
+ - connectors
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/actions/connector/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: post-actions-connector-id
+ parameters:
+ - description: An identifier for the connector.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ - $ref: '#/components/parameters/spaceId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ config:
+ $ref: '#/components/schemas/create_connector_config'
+ connector_type_id:
+ description: The type of connector.
+ type: string
+ name:
+ description: The display name for the connector.
+ type: string
+ secrets:
+ $ref: '#/components/schemas/create_connector_secrets'
+ required:
+ - name
+ - connector_type_id
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ config:
+ additionalProperties: {}
+ type: object
+ connector_type_id:
+ description: The connector type identifier.
+ type: string
+ id:
+ description: The identifier for the connector.
+ type: string
+ is_deprecated:
+ description: Indicates whether the connector is deprecated.
+ type: boolean
+ is_missing_secrets:
+ description: Indicates whether the connector is missing secrets.
+ type: boolean
+ is_preconfigured:
+ description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ type: boolean
+ is_system_action:
+ description: Indicates whether the connector is used for system actions.
+ type: boolean
+ name:
+ description: ' The name of the rule.'
+ type: string
+ required:
+ - id
+ - name
+ - connector_type_id
+ - is_preconfigured
+ - is_deprecated
+ - is_system_action
+ type: object
+ description: Indicates a successful call.
+ summary: Create a connector
+ tags:
+ - connectors
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/actions/connector/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: put-actions-connector-id
+ parameters:
+ - description: An identifier for the connector.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ - $ref: '#/components/parameters/spaceId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ config:
+ $ref: '#/components/schemas/update_connector_config'
+ name:
+ description: The display name for the connector.
+ type: string
+ secrets:
+ $ref: '#/components/schemas/update_connector_secrets'
+ required:
+ - name
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ config:
+ additionalProperties: {}
+ type: object
+ connector_type_id:
+ description: The connector type identifier.
+ type: string
+ id:
+ description: The identifier for the connector.
+ type: string
+ is_deprecated:
+ description: Indicates whether the connector is deprecated.
+ type: boolean
+ is_missing_secrets:
+ description: Indicates whether the connector is missing secrets.
+ type: boolean
+ is_preconfigured:
+ description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ type: boolean
+ is_system_action:
+ description: Indicates whether the connector is used for system actions.
+ type: boolean
+ name:
+ description: ' The name of the rule.'
+ type: string
+ required:
+ - id
+ - name
+ - connector_type_id
+ - is_preconfigured
+ - is_deprecated
+ - is_system_action
+ type: object
+ description: Indicates a successful call.
+ summary: Update a connector
+ tags:
+ - connectors
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/actions/connector/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ WARNING: When you delete a connector, it cannot be recovered.
+ operationId: delete-actions-connector-id
+ parameters:
+ - description: An identifier for the connector.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ - $ref: '#/components/parameters/spaceId'
+ responses:
+ "204":
+ description: Indicates a successful call.
+ summary: Delete a connector
+ tags:
+ - connectors
+ x-metaTags:
+ - content: Kibana
+ name: product_name
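Review bot: the `name` property in the 200 response schema of both the `post` (Create a connector) and `put` (Update a connector) operations on `/s/{spaceId}/api/actions/connector/{id}` is described as `' The name of the rule.'`; these are connector objects, so the description should read `The display name for the connector.` to match the request body property, and the stray leading space inside the quoted string should be dropped (the `is_preconfigured` description has the same trailing-space problem: `'... omitted from the response. '`). Two further points on the same two operations: the request `secrets` property (`create_connector_secrets` / `update_connector_secrets`) has no counterpart in the response, which is correct given `additionalProperties: false`, but the request description should say so explicitly (secrets are write-only through this API and are only surfaced as the `is_missing_secrets` flag), so consumers do not expect to read them back; and both operations declare only a 200 response, with no 400 for an invalid `connector_type_id` or body and no 404 for an unknown `{id}` on `put`, whereas the data views operations in this same file declare their error responses.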
+ /s/{spaceId}/api/actions/connectors:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/actions/connectors
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: get-actions-connectors
+ parameters:
+ - $ref: '#/components/parameters/spaceId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ items:
+ $ref: '#/components/schemas/connector_response'
+ type: array
+ description: Indicates a successful call.
+ summary: Get all connectors
+ tags:
+ - connectors
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/data_views:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/data_views
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: getAllDataViewsDefault
+ parameters:
+ - $ref: '#/components/parameters/spaceId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ properties:
+ data_view:
+ items:
+ $ref: '#/components/schemas/get_data_views_response_item'
+ type: array
+ type: object
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Get all data views
+ tags:
+ - data views
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/data_views/data_view:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/data_views/data_view
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: createDataViewDefaultw
+ parameters:
+ - $ref: '#/components/parameters/spaceId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_create_data_view_request_object'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_data_view_response_object'
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Create a data view
+ tags:
+ - data views
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/data_views/data_view/{viewId}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/data_views/data_view/{viewId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: getDataViewDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_view_id'
+ - $ref: '#/components/parameters/spaceId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_data_view_response_object'
+ description: Indicates a successful call.
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_404_response'
+ description: Object is not found.
+ summary: Get a data view
+ tags:
+ - data views
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/data_views/data_view/{viewId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+ operationId: updateDataViewDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_view_id'
+ - $ref: '#/components/parameters/spaceId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_update_data_view_request_object'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_data_view_response_object'
+ description: Indicates a successful call.
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Update a data view
+ tags:
+ - data views
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/data_views/data_view/{viewId}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ WARNING: When you delete a data view, it cannot be recovered.
+ operationId: deleteDataViewDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_view_id'
+ - $ref: '#/components/parameters/spaceId'
+ responses:
+ "204":
+ description: Indicates a successful call.
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Data_views_404_response'
+ description: Object is not found.
+ summary: Delete a data view
+ tags:
+ - data views
+ x-metaTags:
+ - content: Kibana
+ name: product_name
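Review bot: `operationId: createDataViewDefaultw` on `post /s/{spaceId}/api/data_views/data_view` has a stray trailing `w`; compare `getDataViewDefault`, `updateDataViewDefault` and `deleteDataViewDefault` on the sibling path. Operation IDs feed generated client method names and documentation anchors, so this is an API-surface typo rather than a cosmetic one. Separately, the update operation (`post /s/{spaceId}/api/data_views/data_view/{viewId}`) declares `200` and `400` but not the `404` with `Data_views_404_response` that the `get` and `delete` operations on the same path declare, although it takes the same `Data_views_view_id` path parameter and can miss in the same way.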
+ /s/{spaceId}/api/detection_engine/rules:
+ get:
+ description: |
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/detection_engine/rules
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Retrieve a detection rule using the `rule_id` or `id` field.
+
+ The URL query must include one of the following:
+
+ * `id` - `GET /api/detection_engine/rules?id=`
+ * `rule_id` - `GET /api/detection_engine/rules?rule_id=`
+
+ The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
+ operationId: ReadRule
+ parameters:
+ - description: The rule's `id` value.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ - description: The rule's `rule_id` value.
+ in: query
+ name: rule_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ - $ref: '#/components/parameters/spaceId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: |
+ Indicates a successful call.
+ > info
+ > These fields are under development and their usage or schema may change: execution_summary.
+ summary: Retrieve a detection rule
+ tags:
+ - Security Detections API
+ x-codeSamples:
+ - lang: cURL
+ source: |
+ curl \
+ --request GET https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \
+ --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ patch:
+ description: |
+ **Spaces method and path for this operation:**
+
+ patch /s/{space_id}/api/detection_engine/rules
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update specific fields of an existing detection rule using the `rule_id` or `id` field.
+
+ The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
+ > warn
+ > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
+
+ > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+ operationId: PatchRule
+ parameters:
+ - $ref: '#/components/parameters/spaceId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RulePatchProps'
+ description: |
+ > info
+ > You cannot modify the `id` or `rule_id` values.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Patch a detection rule
+ tags:
+ - Security Detections API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/detection_engine/rules
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Create a new detection rule.
+ > warn
+ > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
+
+ > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+
+ You can create the following types of rules:
+
+ * **Custom query**: Searches the defined indices and creates an alert when a document matches the rule's KQL query.
+ * **Event correlation**: Searches the defined indices and creates an alert when results match an [Event Query Language (EQL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/eql.html) query.
+ * **Threshold**: Searches the defined indices and creates an alert when the number of times the specified field's value meets the threshold during a single execution. When there are multiple values that meet the threshold, an alert is generated for each value.
+ For example, if the threshold `field` is `source.ip` and its `value` is `10`, an alert is generated for every source IP address that appears in at least 10 of the rule's search results. If you're interested, see [Terms Aggregation](https://www.elastic.co/guide/en/elasticsearch/reference/current/search-aggregations-bucket-terms-aggregation.html) for more information.
+ * **Indicator match**: Creates an alert when fields match values defined in the specified [Elasticsearch index](https://www.elastic.co/guide/en/elasticsearch/reference/current/indices-create-index.html). For example, you can create an index for IP addresses and use this index to create an alert whenever an event's `destination.ip` equals a value in the index. The index's field mappings should be [ECS-compliant](https://www.elastic.co/guide/en/ecs/current/ecs-reference.html).
+ * **New terms**: Generates an alert for each new term detected in source documents within a specified time range.
+ * **ES|QL**: Uses [Elasticsearch Query Language (ES|QL)](https://www.elastic.co/guide/en/elasticsearch/reference/current/esql.html) to find events and aggregate search results.
+ * **Machine learning rules**: Creates an alert when a machine learning job discovers an anomaly above the defined threshold.
+ > info
+ > To create machine learning rules, you must have the [appropriate license](https://www.elastic.co/subscriptions) or use a [cloud deployment](https://cloud.elastic.co/registration). Additionally, for the machine learning rule to function correctly, the associated machine learning job must be running.
+
+ To retrieve machine learning job IDs, which are required to create machine learning jobs, call the [Elasticsearch Get jobs API](https://www.elastic.co/guide/en/elasticsearch/reference/current/ml-get-job.html). Machine learning jobs that contain `siem` in the `groups` field can be used to create rules:
+
+ ```json
+ ...
+ "job_id": "linux_anomalous_network_activity_ecs",
+ "job_type": "anomaly_detector",
+ "job_version": "7.7.0",
+ "groups": [
+ "auditbeat",
+ "process",
+ "siem"
+ ],
+ ...
+ ```
+
+ Additionally, you can set up notifications for when rules create alerts. The notifications use the [Alerting and Actions framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html). Each action type requires a connector. Connectors store the information required to send notifications via external systems. The following connector types are supported for rule notifications:
+
+ * Slack
+ * Email
+ * PagerDuty
+ * Webhook
+ * Microsoft Teams
+ * IBM Resilient
+ * Jira
+ * ServiceNow ITSM
+ > info
+ > For more information on PagerDuty fields, see [Send a v2 Event](https://developer.pagerduty.com/docs/events-api-v2/trigger-events/).
+
+ To retrieve connector IDs, which are required to configure rule notifications, call the [Find objects API](https://www.elastic.co/guide/en/kibana/current/saved-objects-api-find.html) with `"type": "action"` in the request payload.
+
+ For detailed information on Kibana actions and alerting, and additional API calls, see:
+
+ * [Alerting API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-alerting)
+ * [Alerting and Actions framework](https://www.elastic.co/guide/en/kibana/current/alerting-getting-started.html)
+ * [Connectors API](https://www.elastic.co/docs/api/doc/kibana/group/endpoint-connectors)
+ operationId: CreateRule
+ parameters:
+ - $ref: '#/components/parameters/spaceId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Create a detection rule
+ tags:
+ - Security Detections API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |
+ **Spaces method and path for this operation:**
+
+ put /s/{space_id}/api/detection_engine/rules
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted.
+
+ The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
+ > warn
+ > When used with [API key](https://www.elastic.co/docs/deploy-manage/api-keys) authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.
+
+ > If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.
+ operationId: UpdateRule
+ parameters:
+ - $ref: '#/components/parameters/spaceId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps'
+ description: |
+ > info
+ > All unspecified fields are deleted. You cannot modify the `id` or `rule_id` values.
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Update a detection rule
+ tags:
+ - Security Detections API
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/detection_engine/rules
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ Delete a detection rule using the `rule_id` or `id` field.
+
+ The URL query must include one of the following:
+
+ * `id` - `DELETE /api/detection_engine/rules?id=`
+ * `rule_id`- `DELETE /api/detection_engine/rules?rule_id=`
+
+ The difference between the `id` and `rule_id` is that the `id` is a unique rule identifier that is randomly generated when a rule is created and cannot be set, whereas `rule_id` is a stable rule identifier that can be assigned during rule creation.
+ operationId: DeleteRule
+ parameters:
+ - description: The rule's `id` value.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ - description: The rule's `rule_id` value.
+ in: query
+ name: rule_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ - $ref: '#/components/parameters/spaceId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Delete a detection rule
+ tags:
+ - Security Detections API
+ x-codeSamples:
+ - lang: cURL
+ source: |
+ curl \
+ --request DELETE https://localhost:5601/api/detection_engine/rules?rule_id=bfeaf89b-a2a7-48a3-817f-e41829dc61ee \
+ --header "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
+ x-metaTags:
+ - content: Kibana
+ name: product_name
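Review bot: both cURL samples on `/s/{spaceId}/api/detection_engine/rules` (`ReadRule` and `DeleteRule`) send only a `Content-Type` header: no credentials (`--user` or an `Authorization` header) and, for the `DELETE`, no `kbn-xsrf` header, which Kibana requires on non-GET requests. As written they will be rejected, and a reader copying the delete sample will not learn which header was missing; suggest placeholder credentials in both and `--header "kbn-xsrf: true"` in the delete sample. On the same path, the `id` and `rule_id` query parameters of `ReadRule` and `DeleteRule` are both `required: false` and the "must include one of" constraint lives only in the description; since the schema declares only a `200` response, a request with neither parameter or with an unknown rule has no documented outcome, so a `400` (neither supplied) and `404` (no such rule) response would make the contract checkable. Finally, the `CreateRule` description tells readers to obtain connector IDs via the saved objects Find API with `"type": "action"`, while this same file documents `get /s/{space_id}/api/actions/connectors` (Get all connectors, returning `connector_response` items) and already links the Connectors API in the list that follows; the paragraph should point at that endpoint instead.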
+ /s/{spaceId}/api/maintenance_window:
+ post:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ post /s/{space_id}/api/maintenance_window
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: write-maintenance-window.
+ operationId: post-maintenance-window
+ parameters:
+ - $ref: '#/components/parameters/spaceId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
+ type: boolean
+ schedule:
+ additionalProperties: false
+ properties:
+ custom:
+ additionalProperties: false
+ properties:
+ duration:
+ description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
+ type: string
+ recurring:
+ additionalProperties: false
+ properties:
+ end:
+ description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ type: string
+ every:
+ description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ type: string
+ occurrences:
+ description: The total number of recurrences of the schedule.
+ minimum: 1
+ type: number
+ onMonth:
+ description: The specific months for a recurring schedule. Valid values are 1-12.
+ items:
+ maximum: 12
+ minimum: 1
+ type: number
+ minItems: 1
+ type: array
+ onMonthDay:
+ description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ items:
+ maximum: 31
+ minimum: 1
+ type: number
+ minItems: 1
+ type: array
+ onWeekDay:
+ description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ start:
+ description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ type: string
+ timezone:
+ description: The timezone of the schedule. The default timezone is UTC.
+ type: string
+ required:
+ - start
+ - duration
+ type: object
+ required:
+ - custom
+ type: object
+ scope:
+ additionalProperties: false
+ properties:
+ alerting:
+ additionalProperties: false
+ properties:
+ query:
+ additionalProperties: false
+ properties:
+ kql:
+ description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window.
+ type: string
+ required:
+ - kql
+ type: object
+ required:
+ - query
+ type: object
+ required:
+ - alerting
+ type: object
+ title:
+ description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window.
+ type: string
+ required:
+ - title
+ - schedule
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ created_at:
+ description: The date and time when the maintenance window was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the maintenance window.
+ nullable: true
+ type: string
+ enabled:
+ description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
+ type: boolean
+ id:
+ description: The identifier for the maintenance window.
+ type: string
+ schedule:
+ additionalProperties: false
+ properties:
+ custom:
+ additionalProperties: false
+ properties:
+ duration:
+ description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
+ type: string
+ recurring:
+ additionalProperties: false
+ properties:
+ end:
+ description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ type: string
+ every:
+ description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ type: string
+ occurrences:
+ description: The total number of recurrences of the schedule.
+ type: number
+ onMonth:
+ description: The specific months for a recurring schedule. Valid values are 1-12.
+ items:
+ type: number
+ type: array
+ onMonthDay:
+ description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ items:
+ type: number
+ type: array
+ onWeekDay:
+ description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ items:
+ type: string
+ type: array
+ type: object
+ start:
+ description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ type: string
+ timezone:
+ description: The timezone of the schedule. The default timezone is UTC.
+ type: string
+ required:
+ - start
+ - duration
+ type: object
+ required:
+ - custom
+ type: object
+ scope:
+ additionalProperties: false
+ properties:
+ alerting:
+ additionalProperties: false
+ properties:
+ query:
+ additionalProperties: false
+ properties:
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ type: object
+ required:
+ - query
+ type: object
+ required:
+ - alerting
+ type: object
+ status:
+ description: The current status of the maintenance window.
+ enum:
+ - running
+ - upcoming
+ - finished
+ - archived
+ type: string
+ title:
+ description: The name of the maintenance window.
+ type: string
+ updated_at:
+ description: The date and time when the maintenance window was last updated.
+ type: string
+ updated_by:
+ description: The identifier for the user that last updated this maintenance window.
+ nullable: true
+ type: string
+ required:
+ - id
+ - title
+ - enabled
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - status
+ - schedule
+ type: object
+ description: Indicates a successful call.
+ "400":
+ description: Indicates an invalid schema or parameters.
+ "403":
+ description: Indicates that this call is forbidden.
+ summary: Create a maintenance window.
+ tags:
+ - maintenance-window
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.1.0
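Review bot: the `duration` and `every` descriptions under `schedule.custom` in the `post /s/{spaceId}/api/maintenance_window` request body have empty placeholders: `It allows values in `` format. `` is one of ...`; the intended pattern (a number followed by a unit letter) needs to be spelled out, because these strings decide when alert notifications are suppressed. In the same two strings, `duration` lists four units (`d`, `h`, `m`, `s`) but glosses only "hours, minutes, seconds", and `every` says `M` means months yet gives `3m` as an example, which by the `duration` convention is minutes; state that unit letters are case-sensitive and fix the example, since a silently mis-parsed interval widens or narrows the suppression window. Two more points: `scope` is optional (`required` lists only `title` and `schedule`) but nothing says what an omitted `scope` does; if it suppresses every alert in the space, the description should say so, as that is the difference between a targeted suppression and a blind spot in detection (the `kql` description also misspells "supressed"). And the 200 response inlines a full copy of the maintenance-window object instead of a `$ref`, unlike `connector_response` and `Data_views_data_view_response_object` elsewhere in this file; the copies have already drifted (request `occurrences` has `minimum: 1`, the response copy does not, and the response `kql` description lost its second sentence), so factoring the object into a component would keep them aligned.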
+ /s/{spaceId}/api/maintenance_window/{id}:
+ get:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ get /s/{space_id}/api/maintenance_window/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: read-maintenance-window.
+ operationId: get-maintenance-window-id
+ parameters:
+ - description: The identifier for the maintenance window.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ - $ref: '#/components/parameters/spaceId'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ created_at:
+ description: The date and time when the maintenance window was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the maintenance window.
+ nullable: true
+ type: string
+ enabled:
+ description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
+ type: boolean
+ id:
+ description: The identifier for the maintenance window.
+ type: string
+ schedule:
+ additionalProperties: false
+ properties:
+ custom:
+ additionalProperties: false
+ properties:
+ duration:
+ description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
+ type: string
+ recurring:
+ additionalProperties: false
+ properties:
+ end:
+ description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ type: string
+ every:
+ description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ type: string
+ occurrences:
+ description: The total number of recurrences of the schedule.
+ type: number
+ onMonth:
+ description: The specific months for a recurring schedule. Valid values are 1-12.
+ items:
+ type: number
+ type: array
+ onMonthDay:
+ description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ items:
+ type: number
+ type: array
+ onWeekDay:
+ description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ items:
+ type: string
+ type: array
+ type: object
+ start:
+ description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ type: string
+ timezone:
+ description: The timezone of the schedule. The default timezone is UTC.
+ type: string
+ required:
+ - start
+ - duration
+ type: object
+ required:
+ - custom
+ type: object
+ scope:
+ additionalProperties: false
+ properties:
+ alerting:
+ additionalProperties: false
+ properties:
+ query:
+ additionalProperties: false
+ properties:
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ type: object
+ required:
+ - query
+ type: object
+ required:
+ - alerting
+ type: object
+ status:
+ description: The current status of the maintenance window.
+ enum:
+ - running
+ - upcoming
+ - finished
+ - archived
+ type: string
+ title:
+ description: The name of the maintenance window.
+ type: string
+ updated_at:
+ description: The date and time when the maintenance window was last updated.
+ type: string
+ updated_by:
+ description: The identifier for the user that last updated this maintenance window.
+ nullable: true
+ type: string
+ required:
+ - id
+ - title
+ - enabled
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - status
+ - schedule
+ type: object
+ description: Indicates a successful call.
+ "400":
+ description: Indicates an invalid schema or parameters.
+ "403":
+ description: Indicates that this call is forbidden.
+ "404":
+ description: Indicates a maintenance window with the given ID does not exist.
+ summary: Get maintenance window details.
+ tags:
+ - maintenance-window
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.1.0
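Review bot: the 200 response of `get /s/{spaceId}/api/maintenance_window/{id}` is another verbatim copy of the maintenance-window object already inlined in the `post` response, including the same empty-placeholder `duration`/`every` descriptions, so any fix applied there has to be repeated here; a shared component schema would avoid that. Also, the `id` path parameter of the `patch` operation that follows on this path has no `description`, while the `get` operation describes it as `The identifier for the maintenance window.`; the two should match.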
+ patch:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ patch /s/{space_id}/api/maintenance_window/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: write-maintenance-window.
+ operationId: patch-maintenance-window-id
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ - $ref: '#/components/parameters/spaceId'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
+ type: boolean
+ schedule:
+ additionalProperties: false
+ properties:
+ custom:
+ additionalProperties: false
+ properties:
+ duration:
+ description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
+ type: string
+ recurring:
+ additionalProperties: false
+ properties:
+ end:
+ description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ type: string
+ every:
+ description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ type: string
+ occurrences:
+ description: The total number of recurrences of the schedule.
+ minimum: 1
+ type: number
+ onMonth:
+ description: The specific months for a recurring schedule. Valid values are 1-12.
+ items:
+ maximum: 12
+ minimum: 1
+ type: number
+ minItems: 1
+ type: array
+ onMonthDay:
+ description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ items:
+ maximum: 31
+ minimum: 1
+ type: number
+ minItems: 1
+ type: array
+ onWeekDay:
+ description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ type: object
+ start:
+ description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ type: string
+ timezone:
+ description: The timezone of the schedule. The default timezone is UTC.
+ type: string
+ required:
+ - start
+ - duration
+ type: object
+ required:
+ - custom
+ type: object
+ scope:
+ additionalProperties: false
+ properties:
+ alerting:
+ additionalProperties: false
+ properties:
+ query:
+ additionalProperties: false
+ properties:
+ kql:
+ description: A filter written in Kibana Query Language (KQL). Only alerts matching this query will be supressed by the maintenance window.
+ type: string
+ required:
+ - kql
+ type: object
+ required:
+ - query
+ type: object
+ required:
+ - alerting
+ type: object
+ title:
+ description: The name of the maintenance window. While this name does not have to be unique, a distinctive name can help you identify a specific maintenance window.
+ type: string
+ type: object
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ additionalProperties: false
+ properties:
+ created_at:
+ description: The date and time when the maintenance window was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the maintenance window.
+ nullable: true
+ type: string
+ enabled:
+ description: Whether the current maintenance window is enabled. Disabled maintenance windows do not suppress notifications.
+ type: boolean
+ id:
+ description: The identifier for the maintenance window.
+ type: string
+ schedule:
+ additionalProperties: false
+ properties:
+ custom:
+ additionalProperties: false
+ properties:
+ duration:
+ description: 'The duration of the schedule. It allows values in `` format. `` is one of `d`, `h`, `m`, or `s` for hours, minutes, seconds. For example: `1d`, `5h`, `30m`, `5000s`.'
+ type: string
+ recurring:
+ additionalProperties: false
+ properties:
+ end:
+ description: 'The end date of a recurring schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-04-01T00:00:00.000Z`.'
+ type: string
+ every:
+ description: 'The interval and frequency of a recurring schedule. It allows values in `` format. `` is one of `d`, `w`, `M`, or `y` for days, weeks, months, years. For example: `15d`, `2w`, `3m`, `1y`.'
+ type: string
+ occurrences:
+ description: The total number of recurrences of the schedule.
+ type: number
+ onMonth:
+ description: The specific months for a recurring schedule. Valid values are 1-12.
+ items:
+ type: number
+ type: array
+ onMonthDay:
+ description: The specific days of the month for a recurring schedule. Valid values are 1-31.
+ items:
+ type: number
+ type: array
+ onWeekDay:
+ description: The specific days of the week (`[MO,TU,WE,TH,FR,SA,SU]`) or nth day of month (`[+1MO, -3FR, +2WE, -4SA, -5SU]`) for a recurring schedule.
+ items:
+ type: string
+ type: array
+ type: object
+ start:
+ description: 'The start date and time of the schedule, provided in ISO 8601 format and set to the UTC timezone. For example: `2025-03-12T12:00:00.000Z`.'
+ type: string
+ timezone:
+ description: The timezone of the schedule. The default timezone is UTC.
+ type: string
+ required:
+ - start
+ - duration
+ type: object
+ required:
+ - custom
+ type: object
+ scope:
+ additionalProperties: false
+ properties:
+ alerting:
+ additionalProperties: false
+ properties:
+ query:
+ additionalProperties: false
+ properties:
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ type: object
+ required:
+ - query
+ type: object
+ required:
+ - alerting
+ type: object
+ status:
+ description: The current status of the maintenance window.
+ enum:
+ - running
+ - upcoming
+ - finished
+ - archived
+ type: string
+ title:
+ description: The name of the maintenance window.
+ type: string
+ updated_at:
+ description: The date and time when the maintenance window was last updated.
+ type: string
+ updated_by:
+ description: The identifier for the user that last updated this maintenance window.
+ nullable: true
+ type: string
+ required:
+ - id
+ - title
+ - enabled
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - status
+ - schedule
+ type: object
+ description: Indicates a successful call.
+ "400":
+ description: Indicates an invalid schema or parameters.
+ "403":
+ description: Indicates that this call is forbidden.
+ "404":
+ description: Indicates a maintenance window with the given ID does not exist.
+ "409":
+ description: Indicates that the maintenance window has already been updated by another user.
+ summary: Update a maintenance window.
+ tags:
+ - maintenance-window
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.1.0
+ delete:
+ description: |-
+ **Spaces method and path for this operation:**
+
+ delete /s/{space_id}/api/maintenance_window/{id}
+
+ Refer to [Spaces](https://www.elastic.co/docs/deploy-manage/manage-spaces) for more information.
+
+ [Required authorization] Route required privileges: write-maintenance-window.
+ operationId: delete-maintenance-window-id
+ parameters:
+ - description: The identifier for the maintenance window to be deleted.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ - $ref: '#/components/parameters/spaceId'
+ responses:
+ "204":
+ description: Indicates a successful call.
+ "400":
+ description: Indicates an invalid schema or parameters.
+ "403":
+ description: Indicates that this call is forbidden.
+ "404":
+ description: Indicates a maintenance window with the given ID does not exist.
+ summary: Delete a maintenance window.
+ tags:
+ - maintenance-window
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ x-state: Generally available; added in 9.1.0
+ /s/{spaceId}/api/observability/slos:
+ get:
+ description: |
+ You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: findSlosOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - description: A valid kql query to filter the SLO with
+ in: query
+ name: kqlQuery
+ schema:
+ type: string
+ - description: The page size to use for cursor-based pagination, must be greater or equal than 1
+ in: query
+ name: size
+ schema:
+ default: 1
+ type: integer
+ - description: The cursor to use for fetching the results from, when using a cursor-base pagination.
+ in: query
+ name: searchAfter
+ schema:
+ items:
+ type: string
+ type: array
+ - description: The page to use for pagination, must be greater or equal than 1
+ in: query
+ name: page
+ schema:
+ default: 1
+ type: integer
+ - description: Number of SLOs returned by page
+ in: query
+ name: perPage
+ schema:
+ default: 25
+ maximum: 5000
+ type: integer
+ - description: Sort by field
+ in: query
+ name: sortBy
+ schema:
+ default: status
+ enum:
+ - sli_value
+ - status
+ - error_budget_consumed
+ - error_budget_remaining
+ type: string
+ - description: Sort order
+ in: query
+ name: sortDirection
+ schema:
+ default: asc
+ enum:
+ - asc
+ - desc
+ type: string
+ - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings
+ in: query
+ name: hideStale
+ schema:
+ type: boolean
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_find_slo_response'
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Get a paginated list of SLOs
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ post:
+ description: |
+ You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: createSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_create_slo_request'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_create_slo_response'
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ "409":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_409_response'
+ description: Conflict - The SLO id already exists
+ summary: Create an SLO
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/observability/slos/_bulk_delete:
+ post:
+ description: |
+ Bulk delete SLO definitions and their associated summary and rollup data. This endpoint initiates a bulk deletion operation for SLOs, which may take some time to complete. The status of the operation can be checked using the `GET /api/slo/_bulk_delete/{taskId}` endpoint.
+ operationId: bulkDeleteOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_bulk_delete_request'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_bulk_delete_response'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ summary: Bulk delete SLO definitions and their associated summary and rollup data.
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/observability/slos/_bulk_delete/{taskId}:
+ get:
+ description: |
+ Retrieve the status of the bulk deletion operation for SLOs. This endpoint returns the status of the bulk deletion operation, including whether it is completed and the results of the operation.
+ operationId: bulkDeleteStatusOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - description: The task id of the bulk delete operation
+ in: path
+ name: taskId
+ required: true
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_bulk_delete_status_response'
+ description: Successful response
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ summary: Retrieve the status of the bulk deletion
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/observability/slos/_bulk_purge_rollup:
+ post:
+ description: |
+ The deletion occurs for the specified list of `sloId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: deleteRollupDataOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_bulk_purge_rollup_request'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_bulk_purge_rollup_response'
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ summary: Batch delete rollup and summary data
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/observability/slos/_delete_instances:
+ post:
+ description: |
+ The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: deleteSloInstancesOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_delete_slo_instances_request'
+ required: true
+ responses:
+ "204":
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ summary: Batch delete rollup and summary data
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/observability/slos/{sloId}:
+ get:
+ description: |
+ You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: getSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ - description: the specific instanceId used by the summary calculation
+ in: query
+ name: instanceId
+ schema:
+ type: string
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_slo_with_summary_response'
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Get an SLO
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ put:
+ description: |
+ You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: updateSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ requestBody:
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_update_slo_request'
+ required: true
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_slo_definition_response'
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Update an SLO
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ delete:
+ description: |
+ You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: deleteSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ "204":
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Delete an SLO
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/observability/slos/{sloId}/_reset:
+ post:
+ description: |
+ You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: resetSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_slo_definition_response'
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Reset an SLO
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/observability/slos/{sloId}/disable:
+ post:
+ description: |
+ You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: disableSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ "204":
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Disable an SLO
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/api/observability/slos/{sloId}/enable:
+ post:
+ description: |
+ You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: enableSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ "204":
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ "404":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Enable an SLO
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+ /s/{spaceId}/internal/observability/slos/_definitions:
+ get:
+ description: |
+ You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: getDefinitionsOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - description: Indicates if the API returns only outdated SLO or all SLO definitions
+ in: query
+ name: includeOutdatedOnly
+ schema:
+ type: boolean
+ - description: Indicates if the API returns SLO health data with definitions
+ in: query
+ name: includeHealth
+ schema:
+ type: boolean
+ - description: Filters the SLOs by tag
+ in: query
+ name: tags
+ schema:
+ type: string
+ - description: Filters the SLOs by name
+ in: query
+ name: search
+ schema:
+ type: string
+ - description: The page to use for pagination, must be greater or equal than 1
+ in: query
+ name: page
+ schema:
+ type: number
+ - description: Number of SLOs returned by page
+ in: query
+ name: perPage
+ schema:
+ default: 100
+ maximum: 1000
+ type: integer
+ responses:
+ "200":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_find_slo_definitions_response'
+ description: Successful request
+ "400":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ "401":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ "403":
+ content:
+ application/json:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ summary: Get the SLO definitions
+ tags:
+ - slo
+ x-metaTags:
+ - content: Kibana
+ name: product_name
+openapi: 3.0.3
+tags:
+ - description: |
+ Agent Builder is a set of AI-powered capabilities for developing and interacting with agents that work with your Elasticsearch data.
+ Most users will probably want to integrate with Agent Builder using MCP or A2A, but you can also work programmatically with tools, agents, and conversations using these Kibana APIs.
+ externalDocs:
+ description: Learn about working with Agent Builder programmatically
+ url: https://www.elastic.co/docs/solutions/search/agent-builder/programmatic-access
+ name: agent builder
+ x-displayName: Agent Builder
+ - description: |
+ Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.
+ externalDocs:
+ description: Alerting documentation
+ url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts
+ name: alerting
+ x-displayName: Alerting
+ - description: |
+ Adjust APM agent configuration without need to redeploy your application.
+ name: APM agent configuration
+ - description: |
+ Configure APM agent keys to authorize requests from APM agents to the APM Server.
+ name: APM agent keys
+ - description: |
+ Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
+ name: APM annotations
+ - description: Create APM fleet server schema.
+ name: APM server schema
+ - description: |
+ Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application.
+ For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur.
+ name: APM sourcemaps
+ - description: |
+ Cases are used to open and track issues. You can add assignees and tags to your cases, set their severity and status, and add alerts, comments, and visualizations. You can also send cases to external incident management systems by configuring connectors.
+ externalDocs:
+ description: Cases documentation
+ url: https://www.elastic.co/docs/explore-analyze/alerts-cases/cases
+ name: cases
+ x-displayName: Cases
+ - description: |
+ Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.
+ externalDocs:
+ description: Connector documentation
+ url: https://www.elastic.co/docs/reference/kibana/connectors-kibana
+ name: connectors
+ x-displayName: Connectors
+ - description: |
+ Data stream APIs enable you to manage data streams, which are collections of indices that share the same index template and are managed as a single unit for time-series data.
+ name: Data streams
+ x-displayName: Data streams
+ - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns.
+ name: data views
+ x-displayName: Data views
+ - description: |
+ Elastic Agent actions APIs enable you to manage actions performed on Elastic Agents, including agent reassignment, diagnostics collection, enrollment management, upgrades, and bulk operations for agent lifecycle management.
+ name: Elastic Agent actions
+ x-displayName: Elastic Agent actions
+ - description: |
+ Elastic Agent binary download sources APIs enable you to manage download sources for Elastic Agent binaries, including creating, updating, and deleting custom download sources for agent binaries.
+ name: Elastic Agent binary download sources
+ x-displayName: Elastic Agent binary download sources
+ - description: |
+ Elastic Agent policies APIs enable you to manage agent policies, including creating, updating, and deleting policies, as well as to retrieve agent policy outputs, manifests, and auto-upgrade status information.
+ name: Elastic Agent policies
+ x-displayName: Elastic Agent policies
+ - description: |
+ Enables you to retrieve status information about Elastic Agents, including health summaries and operational status.
+ name: Elastic Agent status
+ x-displayName: Elastic Agent status
+ - description: |
+ Elastic Agents APIs enable you to manage Elastic Agents, including retrieving agent information, managing agent lifecycle, handling file uploads, and initiating agent setup.
+ name: Elastic Agents
+ x-displayName: Elastic Agents
+ - description: |
+ Elastic Package Manager (EPM) APIs enable you to manage packages and integrations, including installing, updating, and uninstalling packages, managing custom integrations, and handling package assets.
+ name: Elastic Package Manager (EPM)
+ x-displayName: Elastic Package Manager (EPM)
+ - name: Fleet agentless policies
+ - description: |
+ Fleet cloud connectors APIs enable you to manage Fleet cloud connectors, including creating, updating, and deleting cloud connector configurations for Fleet integrations.
+ name: Fleet cloud connectors
+ x-displayName: Fleet cloud connectors
+ - description: |
+ Fleet enrollment API keys APIs enable you to manage enrollment API keys for Fleet, including creating, retrieving, and revoking API keys used for agent enrollment.
+ name: Fleet enrollment API keys
+ x-displayName: Fleet enrollment API keys
+ - description: |
+ Fleet internals APIs enable you to manage Fleet internal operations, including checking permissions, monitoring Fleet Server health, managing settings, and initiating Fleet setup.
+ name: Fleet internals
+ x-displayName: Fleet internals
+ - description: |
+ Fleet outputs APIs enable you to manage Fleet outputs, including creating, updating, and deleting output configurations, generating Logstash API keys, and monitoring output health.
+ name: Fleet outputs
+ x-displayName: Fleet outputs
+ - description: |
+ Fleet package policies APIs enable you to manage Fleet package policies, including creating, updating, and deleting policies, performing bulk operations, and managing policy upgrades.
+ name: Fleet package policies
+ x-displayName: Fleet package policies
+ - description: |
+ Fleet proxies APIs enable you to manage Fleet proxies, including creating, updating, and deleting proxy configurations for Fleet agent communication.
+ name: Fleet proxies
+ x-displayName: Fleet proxies
+ - description: |
+ Use the Fleet remote synced integrations API to check the status of the automatic integrations synchronization on a remote cluster:
+ * Use the `/api/fleet/remote_synced_integrations/{outputId}/remote_status` endpoint on the management cluster to query the synchronization status of the integrations installed on the remote cluster by the ID of the configured remote Elasticsearch output.
+ * Use the `/api/fleet/remote_synced_integrations/status` endpoint on the remote cluster to query the synchronization status of the installed integrations.
+ externalDocs:
+ description: Automatic integrations synchronization documentation
+ url: https://www.elastic.co/docs/reference/fleet/automatic-integrations-synchronization
+ name: Fleet remote synced integrations
+ - description: |
+ Fleet Server hosts APIs enable you to manage Fleet Server hosts, including creating, updating, and deleting Fleet Server host configurations.
+ name: Fleet Server hosts
+ x-displayName: Fleet Server hosts
+ - description: |
+ Enables you to create tokens for Fleet service authentication and authorization.
+ name: Fleet service tokens
+ x-displayName: Fleet service tokens
+ - description: |
+ Fleet uninstall tokens APIs enable you to manage Fleet uninstall tokens, including retrieving metadata and decrypted tokens for agent uninstallation.
+ name: Fleet uninstall tokens
+ x-displayName: Fleet uninstall tokens
+ - description: |
+ Programmatically integrate with Logstash configuration management.
+ > warn
+ > Do not directly access the `.logstash` index. The structure of the `.logstash` index is subject to change, which could cause your integration to break. Instead, use the Logstash configuration management APIs.
+ externalDocs:
+ description: Centralized pipeline management
+ url: https://www.elastic.co/docs/reference/logstash/logstash-centralized-pipeline-management
+ name: logstash
+ x-displayName: Logstash configuration management
+ - description: |
+ You can schedule single or recurring maintenance windows to temporarily reduce rule notifications. For example, a maintenance window prevents false alarms during planned outages.
+ externalDocs:
+ description: Maintenance window documentation
+ url: https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/maintenance-windows
+ name: maintenance-window
+ x-displayName: Maintenance windows
+ - description: |
+ Enables you to rotate message signing key pairs for secure Fleet communication.
+ name: Message Signing Service
+ x-displayName: Fleet Message Signing Service
+ - description: |
+ Enables you to synchronize machine learning saved objects.
+ name: ml
+ x-displayName: Machine learning
+ - description: Interact with the Observability AI Assistant resources.
+ externalDocs:
+ description: Observability AI Assistant
+ url: https://www.elastic.co/docs/solutions/observability/observability-ai-assistant
+ name: observability_ai_assistant
+ x-displayName: Observability AI Assistant
+ - description: Manage the roles that grant Elasticsearch and Kibana privileges.
+ externalDocs:
+ description: Kibana role management
+ url: https://www.elastic.co/docs/deploy-manage/users-roles/cluster-or-deployment-auth/defining-roles
+ name: roles
+ x-displayName: Roles
+ - description: |
+ Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.
+
+ To manage a specific type of saved object, use the corresponding APIs.
+ For example, use:
+
+ * [Data views](../group/endpoint-data-views)
+ * [Spaces](../group/endpoint-spaces)
+ * [Short URLs](../group/endpoint-short-url)
+
+ Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions.
+ name: saved objects
+ x-displayName: Saved objects
+ - description: Manage and interact with Security Assistant resources.
+ name: Security AI Assistant API
+ x-displayName: Security AI assistant
+ - description: Use the Attack discovery APIs to generate and manage Attack discoveries. Attack Discovery leverages large language models (LLMs) to analyze alerts in your environment and identify threats. Each "discovery" represents a potential attack and describes relationships among multiple alerts to tell you which users and hosts are involved, how alerts correspond to the MITRE ATT&CK matrix, and which threat actor might be responsible. `Technical preview`
+ name: Security Attack discovery API
+ x-displayName: Security Attack discovery
+ - description: |
+ Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the **Alerts** page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.
+
+ This API supports both key-based authentication and basic authentication.
+
+ To use key-based authentication, create an API key, then specify the key in the header of your API calls.
+
+ To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.
+
+ In both cases, the API key is subsequently used for authorization when the rule runs.
+ > warn
+ > If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.
+
+ > If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.
+
+ To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the [Detections requirements](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html) for a complete list of requirements.
+ name: Security Detections API
+ x-displayName: Security detections
+ - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
+ name: Security Endpoint Exceptions API
+ x-displayName: Security Elastic Endpoint exceptions
+ - description: Interact with and manage endpoints running the Elastic Defend integration.
+ name: Security Endpoint Management API
+ x-displayName: Security endpoint management
+ - description: |
+ Use the Security entity analytics APIs to manage entity analytics and risk scoring, including asset criticality, privileged user monitoring, and entity engines.
+ name: Security Entity Analytics API
+ x-displayName: Security entity analytics
+ - description: |
+ Exceptions are associated with detection and endpoint rules, and are used to prevent a rule from generating an alert from incoming events, even when the rule's other criteria are met. They can help reduce the number of false positives and prevent trusted processes and network activity from generating unnecessary alerts.
+
+ Exceptions are made up of:
+
+ * **Exception containers**: A container for related exceptions. Generally, a single exception container contains all the exception items relevant for a subset of rules. For example, a container can be used to group together network-related exceptions that are relevant for a large number of network rules. The container can then be associated with all the relevant rules.
+ * **Exception items**: The query (fields, values, and logic) used to prevent rules from generating alerts. When an exception item's query evaluates to `true`, the rule does not generate an alert.
+
+ For detection rules, you can also use lists to define rule exceptions. A list holds multiple values of the same Elasticsearch data type, such as IP addresses. These values are used to determine when an exception prevents an alert from being generated.
+ > info
+ > You cannot use lists with endpoint rule exceptions.
+
+ > info
+ > Only exception containers can be associated with rules. You cannot directly associate an exception item or a list container with a rule. To use list exceptions, create an exception item that references the relevant list container.
+
+ ## Exceptions requirements
+
+ Before you can start working with exceptions that use value lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. For a complete list of requirements, refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui).
+ name: Security Exceptions API
+ x-displayName: Security exceptions
+ - description: |
+ Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.
+
+ Lists are made up of:
+
+ * **List containers**: A container for values of the same Elasticsearch data type. The following data types can be used:
+ * `boolean`
+ * `byte`
+ * `date`
+ * `date_nanos`
+ * `date_range`
+ * `double`
+ * `double_range`
+ * `float`
+ * `float_range`
+ * `half_float`
+ * `integer`
+ * `integer_range`
+ * `ip`
+ * `ip_range`
+ * `keyword`
+ * `long`
+ * `long_range`
+ * `short`
+ * `text`
+ * **List items**: The values used to determine whether the exception prevents an alert from being generated.
+
+ All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named `internal-ip-addresses-southport` contains five items, where each item defines one internal IP address:
+ 1. `192.168.1.1`
+ 2. `192.168.1.3`
+ 3. `192.168.1.18`
+ 4. `192.168.1.12`
+ 5. `192.168.1.7`
+
+ To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to [create an exception list item](../operation/operation-createexceptionlistitem) that references the `internal-ip-addresses-southport` list.
+ > info
+ > Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (`is in list`, `is not in list`). Use an exception item to define the operator and associate it with an [exception container](../operation/operation-createexceptionlist). You can then add the exception container to a rule's `exceptions_list` object.
+
+ ## Lists requirements
+
+ Before you can start using lists, you must create the `.lists` and `.items` data streams for the relevant Kibana space. To do this, use the [Create list data streams](../operation/operation-createlistindex) endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to [Enable and access detections](https://www.elastic.co/guide/en/security/current/detections-permissions-section.html#enable-detections-ui) for a complete list of requirements.
+ name: Security Lists API
+ x-displayName: Security lists
+ - description: Run live queries, manage packs and saved queries.
+ name: Security Osquery API
+ x-displayName: Security Osquery
+ - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.
+ name: Security Timeline API
+ x-displayName: Security timeline
+ - description: Manage Kibana short URLs.
+ name: short url
+ x-displayName: Short URLs
+ - description: SLO APIs enable you to define, manage and track service-level objectives
+ name: slo
+ x-displayName: Service level objectives
+ - description: Manage your Kibana spaces.
+ externalDocs:
+ description: Space overview
+ url: https://www.elastic.co/docs/deploy-manage/manage-spaces
+ name: spaces
+ x-displayName: Spaces
+ - description: |
+ Streams is a new and experimental way to manage your data in Kibana (currently experimental - expect changes).
+ name: streams
+ x-displayName: Streams
+ - description: Synthetics APIs enable you to check the status of your services and applications.
+ externalDocs:
+ description: Synthetic monitoring
+ url: https://www.elastic.co/docs/solutions/observability/synthetics
+ name: synthetics
+ x-displayName: Synthetics
+ - description: |
+ Get information about the system status, resource usage, features, and installed plugins.
+ name: system
+ x-displayName: System
+ - description: |
+ Get information about the system status, resource usage, features, and installed plugins.
+ name: system
+ x-displayName: System
+ - description: Task manager APIs enable you to check the health of the Kibana task manager, which is used by features such as alerting, actions, and reporting to run mission critical work as persistent background tasks.
+ externalDocs:
+ description: Task manager
+ url: https://www.elastic.co/docs/deploy-manage/distributed-architecture/kibana-tasks-management
+ name: task manager
+ x-displayName: Task manager
+ - description: The assistant helps you prepare for the next major version of Elasticsearch.
+ name: upgrade
+ x-displayName: Upgrade assistant
+ - description: Uptime APIs enable you to view and update uptime monitoring settings.
+ externalDocs:
+ description: Uptime monitoring
+ url: https://www.elastic.co/docs/solutions/observability/uptime
+ name: uptime
+ x-displayName: Uptime
+ - description: |
+ Enables you to invalidate user sessions for security and session management purposes.
+ name: user session
+ x-displayName: User session management
+servers:
+ - url: https://{kibana_url}
+ variables:
+ kibana_url:
+ default: localhost:5601
+components:
+ examples: {}
+ parameters:
+ APM_UI_elastic_api_version:
+ description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ required: true
+ schema:
+ default: "2023-10-31"
+ enum:
+ - "2023-10-31"
+ type: string
+ Cases_alert_id:
+ description: An identifier for the alert.
+ in: path
+ name: alertId
+ required: true
+ schema:
+ type: string
+ Cases_assignees_filter:
+ description: |
+ Filters the returned cases by assignees. Valid values are `none` or unique identifiers for the user profiles. These identifiers can be found by using the suggest user profile API.
+ in: query
+ name: assignees
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_string'
+ - $ref: '#/components/schemas/Cases_string_array'
+ Cases_case_id:
+ description: The identifier for the case. To retrieve case IDs, use the find cases API. All non-ASCII characters must be URL encoded.
+ in: path
+ name: caseId
+ required: true
+ schema:
+ type: string
+ Cases_category:
+ description: Filters the returned cases by category.
+ in: query
+ name: category
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_case_category'
+ - $ref: '#/components/schemas/Cases_case_categories'
+ Cases_comment_id:
+ description: |
+ The identifier for the comment. To retrieve comment IDs, use the get case or find cases APIs.
+ in: path
+ name: commentId
+ required: true
+ schema:
+ type: string
+ Cases_configuration_id:
+ description: An identifier for the configuration.
+ in: path
+ name: configurationId
+ required: true
+ schema:
+ type: string
+ Cases_connector_id:
+ description: An identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ in: path
+ name: connectorId
+ required: true
+ schema:
+ type: string
+ Cases_defaultSearchOperator:
+ description: he default operator to use for the simple_query_string.
+ in: query
+ name: defaultSearchOperator
+ schema:
+ default: OR
+ type: string
+ Cases_from:
+ description: |
+ Returns only cases that were created after a specific date. The date must be specified as a KQL data range or date match expression.
+ in: query
+ name: from
+ schema:
+ type: string
+ Cases_ids:
+ description: |
+ The cases that you want to removed. All non-ASCII characters must be URL encoded.
+ in: query
+ name: ids
+ required: true
+ schema:
+ items:
+ maxItems: 100
+ minItems: 1
+ type: string
+ type: array
+ Cases_owner_filter:
+ description: |
+ A filter to limit the response to a specific set of applications. If this parameter is omitted, the response contains information about all the cases that the user has access to read.
+ in: query
+ name: owner
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_owner'
+ - $ref: '#/components/schemas/Cases_owners'
+ Cases_page_index:
+ description: The page number to return.
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ type: integer
+ Cases_page_size:
+ description: The number of items to return. Limited to 100 items.
+ in: query
+ name: perPage
+ required: false
+ schema:
+ default: 20
+ maximum: 100
+ type: integer
+ Cases_reporters:
+ description: Filters the returned cases by the user name of the reporter.
+ in: query
+ name: reporters
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_string'
+ - $ref: '#/components/schemas/Cases_string_array'
+ Cases_search:
+ description: An Elasticsearch simple_query_string query that filters the objects in the response.
+ in: query
+ name: search
+ schema:
+ type: string
+ Cases_searchFields:
+ description: The fields to perform the simple_query_string parsed query against.
+ in: query
+ name: searchFields
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_searchFieldsType'
+ - $ref: '#/components/schemas/Cases_searchFieldsTypeArray'
+ Cases_severity:
+ description: The severity of the case.
+ in: query
+ name: severity
+ schema:
+ enum:
+ - critical
+ - high
+ - low
+ - medium
+ type: string
+ Cases_sort_order:
+ description: Determines the sort order.
+ in: query
+ name: sortOrder
+ required: false
+ schema:
+ default: desc
+ enum:
+ - asc
+ - desc
+ type: string
+ Cases_sortField:
+ description: Determines which field is used to sort the results.
+ in: query
+ name: sortField
+ schema:
+ default: createdAt
+ enum:
+ - createdAt
+ - updatedAt
+ - closedAt
+ - title
+ - category
+ - status
+ - severity
+ type: string
+ Cases_status:
+ description: Filters the returned cases by state.
+ in: query
+ name: status
+ schema:
+ enum:
+ - closed
+ - in-progress
+ - open
+ type: string
+ Cases_tags:
+ description: Filters the returned cases by tags.
+ in: query
+ name: tags
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_string'
+ - $ref: '#/components/schemas/Cases_string_array'
+ Cases_to:
+ description: |
+ Returns only cases that were created before a specific date. The date must be specified as a KQL data range or date match expression.
+ in: query
+ name: to
+ schema:
+ type: string
+ Cases_user_action_types:
+ description: Determines the types of user actions to return.
+ in: query
+ name: types
+ schema:
+ items:
+ enum:
+ - action
+ - alert
+ - assignees
+ - attachment
+ - comment
+ - connector
+ - create_case
+ - description
+ - pushed
+ - settings
+ - severity
+ - status
+ - tags
+ - title
+ - user
+ type: string
+ type: array
+ Data_views_field_name:
+ description: The name of the runtime field.
+ in: path
+ name: fieldName
+ required: true
+ schema:
+ type: string
+ Data_views_view_id:
+ description: An identifier for the data view.
+ in: path
+ name: viewId
+ required: true
+ schema:
+ type: string
+ Machine_learning_APIs_simulateParam:
+ description: When true, simulates the synchronization by returning only the list of actions that would be performed.
+ in: query
+ name: simulate
+ required: false
+ schema:
+ type: boolean
+ SLOs_slo_id:
+ description: An identifier for the slo.
+ in: path
+ name: sloId
+ required: true
+ schema:
+ type: string
+ SLOs_space_id:
+ description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used.
+ in: path
+ name: spaceId
+ required: true
+ schema:
+ type: string
+ Saved_objects_saved_object_id:
+ description: An identifier for the saved object.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ Saved_objects_saved_object_type:
+ description: Valid options include `visualization`, `dashboard`, `search`, `index-pattern`, `config`.
+ in: path
+ name: type
+ required: true
+ schema:
+ type: string
+ Short_URL_APIs_idParam:
+ description: The identifier for the short URL.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ spaceId:
+ description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used.
+ in: path
+ name: spaceId
+ required: true
+ schema:
+ type: string
+ schemas:
+ APM_UI_400_response:
+ properties:
+ error:
+ description: Error type
+ type: string
+ message:
+ description: Error message
+ type: string
+ statusCode:
+ description: Error status code
+ type: number
+ type: object
+ APM_UI_401_response:
+ properties:
+ error:
+ description: Error type
+ type: string
+ message:
+ description: Error message
+ type: string
+ statusCode:
+ description: Error status code
+ type: number
+ type: object
+ APM_UI_403_response:
+ properties:
+ error:
+ description: Error type
+ type: string
+ message:
+ description: Error message
+ type: string
+ statusCode:
+ description: Error status code
+ type: number
+ type: object
+ APM_UI_404_response:
+ properties:
+ error:
+ description: Error type
+ type: string
+ message:
+ description: Error message
+ type: string
+ statusCode:
+ description: Error status code
+ type: number
+ type: object
+ APM_UI_500_response:
+ properties:
+ error:
+ description: Error type
+ type: string
+ message:
+ description: Error message
+ type: string
+ statusCode:
+ description: Error status code
+ type: number
+ type: object
+ APM_UI_501_response:
+ properties:
+ error:
+ description: Error type
+ type: string
+ message:
+ description: Error message
+ type: string
+ statusCode:
+ description: Error status code
+ type: number
+ type: object
+ APM_UI_agent_configuration_intake_object:
+ properties:
+ agent_name:
+ description: The agent name is used by the UI to determine which settings to display.
+ type: string
+ service:
+ $ref: '#/components/schemas/APM_UI_service_object'
+ settings:
+ $ref: '#/components/schemas/APM_UI_settings_object'
+ required:
+ - service
+ - settings
+ type: object
+ APM_UI_agent_configuration_object:
+ description: Agent configuration
+ properties:
+ '@timestamp':
+ description: Timestamp
+ type: number
+ agent_name:
+ description: Agent name
+ type: string
+ applied_by_agent:
+ description: Applied by agent
+ type: boolean
+ etag:
+ description: |
+ `etag` is sent by the APM agent to indicate the `etag` of the last successfully applied configuration. If the `etag` matches an existing configuration its `applied_by_agent` property will be set to `true`. Every time a configuration is edited `applied_by_agent` is reset to `false`.
+ type: string
+ service:
+ $ref: '#/components/schemas/APM_UI_service_object'
+ settings:
+ $ref: '#/components/schemas/APM_UI_settings_object'
+ required:
+ - service
+ - settings
+ - '@timestamp'
+ - etag
+ type: object
+ APM_UI_agent_configurations_response:
+ properties:
+ configurations:
+ description: Agent configuration
+ items:
+ $ref: '#/components/schemas/APM_UI_agent_configuration_object'
+ type: array
+ type: object
+ APM_UI_agent_keys_object:
+ properties:
+ name:
+ description: The name of the APM agent key.
+ type: string
+ privileges:
+ description: |
+ The APM agent key privileges. It can take one or more of the following values:
+ * `event:write`, which is required for ingesting APM agent events. * `config_agent:read`, which is required for APM agents to read agent configuration remotely.
+ items:
+ enum:
+ - event:write
+ - config_agent:read
+ type: string
+ type: array
+ required:
+ - name
+ - privileges
+ type: object
+ APM_UI_agent_keys_response:
+ properties:
+ agentKey:
+ description: Agent key
+ properties:
+ api_key:
+ type: string
+ encoded:
+ type: string
+ expiration:
+ format: int64
+ type: integer
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ - api_key
+ - encoded
+ type: object
+ type: object
+ APM_UI_annotation_search_response:
+ properties:
+ annotations:
+ description: Annotations
+ items:
+ properties:
+ '@timestamp':
+ type: number
+ id:
+ type: string
+ text:
+ type: string
+ type:
+ enum:
+ - version
+ type: string
+ type: object
+ type: array
+ type: object
+ APM_UI_base_source_map_object:
+ properties:
+ compressionAlgorithm:
+ description: Compression Algorithm
+ type: string
+ created:
+ description: Created date
+ type: string
+ decodedSha256:
+ description: Decoded SHA-256
+ type: string
+ decodedSize:
+ description: Decoded size
+ type: number
+ encodedSha256:
+ description: Encoded SHA-256
+ type: string
+ encodedSize:
+ description: Encoded size
+ type: number
+ encryptionAlgorithm:
+ description: Encryption Algorithm
+ type: string
+ id:
+ description: Identifier
+ type: string
+ identifier:
+ description: Identifier
+ type: string
+ packageName:
+ description: Package name
+ type: string
+ relative_url:
+ description: Relative URL
+ type: string
+ type:
+ description: Type
+ type: string
+ type: object
+ APM_UI_create_annotation_object:
+ properties:
+ '@timestamp':
+ description: The date and time of the annotation. It must be in ISO 8601 format.
+ type: string
+ message:
+ description: The message displayed in the annotation. It defaults to `service.version`.
+ type: string
+ service:
+ description: The service that identifies the configuration to create or update.
+ properties:
+ environment:
+ description: The environment of the service.
+ type: string
+ version:
+ description: The version of the service.
+ type: string
+ required:
+ - version
+ type: object
+ tags:
+ description: |
+ Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to `[apm]`. While you can add additional tags, you cannot remove the `apm` tag.
+ items:
+ type: string
+ type: array
+ required:
+ - '@timestamp'
+ - service
+ type: object
+ APM_UI_create_annotation_response:
+ properties:
+ _id:
+ description: Identifier
+ type: string
+ _index:
+ description: Index
+ type: string
+ _source:
+ description: Response
+ properties:
+ '@timestamp':
+ type: string
+ annotation:
+ properties:
+ title:
+ type: string
+ type:
+ type: string
+ type: object
+ event:
+ properties:
+ created:
+ type: string
+ type: object
+ message:
+ type: string
+ service:
+ properties:
+ environment:
+ type: string
+ name:
+ type: string
+ version:
+ type: string
+ type: object
+ tags:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ APM_UI_delete_agent_configurations_response:
+ properties:
+ result:
+ description: Result
+ type: string
+ type: object
+ APM_UI_delete_service_object:
+ description: Service
+ properties:
+ service:
+ $ref: '#/components/schemas/APM_UI_service_object'
+ required:
+ - service
+ type: object
+ APM_UI_search_agent_configuration_object:
+ properties:
+ etag:
+ description: If etags match then `applied_by_agent` field will be set to `true`
+ type: string
+ mark_as_applied_by_agent:
+ description: |
+ `markAsAppliedByAgent=true` means "force setting it to true regardless of etag".
+ This is needed for Jaeger agent that doesn't have etags
+ type: boolean
+ service:
+ $ref: '#/components/schemas/APM_UI_service_object'
+ required:
+ - service
+ type: object
+ APM_UI_search_agent_configuration_response:
+ properties:
+ _id:
+ description: Identifier
+ type: string
+ _index:
+ description: Index
+ type: string
+ _score:
+ description: Score
+ type: number
+ _source:
+ $ref: '#/components/schemas/APM_UI_agent_configuration_object'
+ type: object
+ APM_UI_service_agent_name_response:
+ properties:
+ agentName:
+ description: Agent name
+ type: string
+ type: object
+ APM_UI_service_environment_object:
+ properties:
+ alreadyConfigured:
+ description: Already configured
+ type: boolean
+ name:
+ description: Service environment name
+ type: string
+ type: object
+ APM_UI_service_environments_response:
+ properties:
+ environments:
+ description: Service environment list
+ items:
+ $ref: '#/components/schemas/APM_UI_service_environment_object'
+ type: array
+ type: object
+ APM_UI_service_object:
+ description: Service
+ properties:
+ environment:
+ description: The environment of the service.
+ type: string
+ name:
+ description: The name of the service.
+ type: string
+ type: object
+ APM_UI_settings_object:
+ additionalProperties:
+ type: string
+ description: Agent configuration settings
+ type: object
+ APM_UI_single_agent_configuration_response:
+ allOf:
+ - properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - $ref: '#/components/schemas/APM_UI_agent_configuration_object'
+ APM_UI_source_maps_response:
+ properties:
+ artifacts:
+ description: Artifacts
+ items:
+ allOf:
+ - properties:
+ body:
+ properties:
+ bundleFilepath:
+ type: string
+ serviceName:
+ type: string
+ serviceVersion:
+ type: string
+ sourceMap:
+ properties:
+ file:
+ type: string
+ mappings:
+ type: string
+ sourceRoot:
+ type: string
+ sources:
+ items:
+ type: string
+ type: array
+ sourcesContent:
+ items:
+ type: string
+ type: array
+ version:
+ type: number
+ type: object
+ type: object
+ type: object
+ - $ref: '#/components/schemas/APM_UI_base_source_map_object'
+ type: array
+ type: object
+ APM_UI_upload_source_map_object:
+ properties:
+ bundle_filepath:
+ description: The absolute path of the final bundle as used in the web application.
+ type: string
+ service_name:
+ description: The name of the service that the service map should apply to.
+ type: string
+ service_version:
+ description: The version of the service that the service map should apply to.
+ type: string
+ sourcemap:
+ description: |
+ The source map. It can be a string or file upload. It must follow the
+ [source map format specification](https://tc39.es/ecma426/).
+ format: binary
+ type: string
+ required:
+ - service_name
+ - service_version
+ - bundle_filepath
+ - sourcemap
+ type: object
+ APM_UI_upload_source_maps_response:
+ allOf:
+ - properties:
+ body:
+ type: string
+ type: object
+ - $ref: '#/components/schemas/APM_UI_base_source_map_object'
+ Alerting_401_response:
+ properties:
+ error:
+ enum:
+ - Unauthorized
+ type: string
+ message:
+ type: string
+ statusCode:
+ enum:
+ - 401
+ type: integer
+ title: Unsuccessful rule API response
+ type: object
+ Alerting_fieldmap_properties:
+ properties:
+ array:
+ description: Indicates whether the field is an array.
+ type: boolean
+ dynamic:
+ description: Indicates whether it is a dynamic field mapping.
+ type: boolean
+ format:
+ description: |
+ Indicates the format of the field. For example, if the `type` is `date_range`, the `format` can be `epoch_millis||strict_date_optional_time`.
+ type: string
+ ignore_above:
+ description: Specifies the maximum length of a string field. Longer strings are not indexed or stored.
+ type: integer
+ index:
+ description: Indicates whether field values are indexed.
+ type: boolean
+ path:
+ description: TBD
+ type: string
+ properties:
+ additionalProperties:
+ properties:
+ type:
+ description: The data type for each object property.
+ type: string
+ type: object
+ description: |
+ Details about the object properties. This property is applicable when `type` is `object`.
+ type: object
+ required:
+ description: Indicates whether the field is required.
+ type: boolean
+ scaling_factor:
+ description: "The scaling factor to use when encoding values. This property is applicable when `type` is `scaled_float`. Values will be multiplied by this factor at index time and rounded to the closest long value. \n"
+ type: integer
+ type:
+ description: Specifies the data type for the field.
+ type: string
+ title: Field map objects in the get rule types response
+ type: object
+ Cases_4xx_response:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: integer
+ title: Unsuccessful cases API response
+ type: object
+ Cases_actions:
+ enum:
+ - add
+ - create
+ - delete
+ - push_to_service
+ - update
+ type: string
+ Cases_add_alert_comment_request_properties:
+ description: Defines properties for case comment requests when type is alert.
+ properties:
+ alertId:
+ $ref: '#/components/schemas/Cases_alert_identifiers'
+ index:
+ $ref: '#/components/schemas/Cases_alert_indices'
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ rule:
+ $ref: '#/components/schemas/Cases_rule'
+ type:
+ description: The type of comment.
+ enum:
+ - alert
+ type: string
+ required:
+ - alertId
+ - index
+ - owner
+ - rule
+ - type
+ title: Add case comment request properties for alerts
+ type: object
+ Cases_add_case_comment_request:
+ description: The add comment to case API request body varies depending on whether you are adding an alert or a comment.
+ discriminator:
+ mapping:
+ alert: '#/components/schemas/Cases_add_alert_comment_request_properties'
+ user: '#/components/schemas/Cases_add_user_comment_request_properties'
+ propertyName: type
+ oneOf:
+ - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties'
+ - $ref: '#/components/schemas/Cases_add_user_comment_request_properties'
+ title: Add case comment request
+ Cases_add_case_file_request:
+ description: Defines the file that will be attached to the case. Optional parameters will be generated automatically from the file metadata if not defined.
+ properties:
+ file:
+ description: The file being attached to the case.
+ format: binary
+ type: string
+ filename:
+ description: The desired name of the file being attached to the case, it can be different than the name of the file in the filesystem. **This should not include the file extension.**
+ type: string
+ required:
+ - file
+ title: Add case file request properties
+ type: object
+ Cases_add_user_comment_request_properties:
+ description: Defines properties for case comment requests when type is user.
+ properties:
+ comment:
+ description: The new comment. It is required only when `type` is `user`.
+ maxLength: 30000
+ type: string
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ type:
+ description: The type of comment.
+ enum:
+ - user
+ type: string
+ required:
+ - comment
+ - owner
+ - type
+ title: Add case comment request properties for user comments
+ type: object
+ Cases_alert_comment_response_properties:
+ properties:
+ alertId:
+ items:
+ type: string
+ type: array
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ properties:
+ email:
+ nullable: true
+ type: string
+ x-omitempty: true
+ full_name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ profile_uid:
+ type: string
+ username:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - email
+ - full_name
+ - username
+ type: object
+ id:
+ type: string
+ index:
+ items:
+ type: string
+ type: array
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ pushed_at:
+ format: date-time
+ nullable: true
+ type: string
+ x-omitempty: true
+ pushed_by:
+ nullable: true
+ properties:
+ email:
+ nullable: true
+ type: string
+ x-omitempty: true
+ full_name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ profile_uid:
+ type: string
+ username:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - email
+ - full_name
+ - username
+ type: object
+ x-omitempty: true
+ rule:
+ properties:
+ id:
+ description: The rule identifier.
+ type: string
+ name:
+ description: The rule name.
+ type: string
+ type: object
+ type:
+ enum:
+ - alert
+ type: string
+ updated_at:
+ format: date-time
+ nullable: true
+ type: string
+ x-omitempty: true
+ updated_by:
+ nullable: true
+ properties:
+ email:
+ nullable: true
+ type: string
+ x-omitempty: true
+ full_name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ profile_uid:
+ type: string
+ username:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - email
+ - full_name
+ - username
+ type: object
+ x-omitempty: true
+ version:
+ type: string
+ required:
+ - type
+ title: Add case comment response properties for alerts
+ type: object
+ Cases_alert_identifiers:
+ description: |
+ The alert identifiers. It is required only when `type` is `alert`. You can use an array of strings to add multiple alerts to a case, provided that they all relate to the same rule; `index` must also be an array with the same length or number of elements. Adding multiple alerts in this manner is recommended rather than calling the API multiple times. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ maxItems: 1000
+ type: array
+ title: Alert identifiers
+ x-state: Technical preview
+ Cases_alert_indices:
+ description: |
+ The alert indices. It is required only when `type` is `alert`. If you are adding multiple alerts to a case, use an array of strings; the position of each index name in the array must match the position of the corresponding alert identifier in the `alertId` array. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ maxItems: 1000
+ type: array
+ title: Alert indices
+ x-state: Technical preview
+ Cases_alert_response_properties:
+ properties:
+ attached_at:
+ format: date-time
+ type: string
+ id:
+ description: The alert identifier.
+ type: string
+ index:
+ description: The alert index.
+ type: string
+ type: object
+ Cases_assignees:
+ description: An array containing users that are assigned to the case.
+ items:
+ properties:
+ uid:
+ description: A unique identifier for the user profile. These identifiers can be found by using the suggest user profile API.
+ type: string
+ required:
+ - uid
+ type: object
+ maxItems: 10
+ nullable: true
+ type: array
+ x-omitempty: true
+ Cases_case_categories:
+ items:
+ $ref: '#/components/schemas/Cases_case_category'
+ maxItems: 100
+ type: array
+ Cases_case_category:
+ description: A word or phrase that categorizes the case.
+ maxLength: 50
+ type: string
+ Cases_case_description:
+ description: The description for the case.
+ maxLength: 30000
+ type: string
+ Cases_case_response_closed_by_properties:
+ nullable: true
+ properties:
+ email:
+ nullable: true
+ type: string
+ x-omitempty: true
+ full_name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ profile_uid:
+ type: string
+ username:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - email
+ - full_name
+ - username
+ title: Case response properties for closed_by
+ type: object
+ x-omitempty: true
+ Cases_case_response_created_by_properties:
+ properties:
+ email:
+ nullable: true
+ type: string
+ x-omitempty: true
+ full_name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ profile_uid:
+ type: string
+ username:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - email
+ - full_name
+ - username
+ title: Case response properties for created_by
+ type: object
+ Cases_case_response_properties:
+ properties:
+ assignees:
+ $ref: '#/components/schemas/Cases_assignees'
+ category:
+ description: The case category.
+ nullable: true
+ type: string
+ x-omitempty: true
+ closed_at:
+ format: date-time
+ nullable: true
+ type: string
+ x-omitempty: true
+ closed_by:
+ $ref: '#/components/schemas/Cases_case_response_closed_by_properties'
+ comments:
+ description: An array of comment objects for the case.
+ items:
+ discriminator:
+ mapping:
+ alert: '#/components/schemas/Cases_alert_comment_response_properties'
+ user: '#/components/schemas/Cases_user_comment_response_properties'
+ propertyName: type
+ oneOf:
+ - $ref: '#/components/schemas/Cases_alert_comment_response_properties'
+ - $ref: '#/components/schemas/Cases_user_comment_response_properties'
+ maxItems: 10000
+ title: Case response properties for comments
+ type: array
+ connector:
+ discriminator:
+ mapping:
+ .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook'
+ .jira: '#/components/schemas/Cases_connector_properties_jira'
+ .none: '#/components/schemas/Cases_connector_properties_none'
+ .resilient: '#/components/schemas/Cases_connector_properties_resilient'
+ .servicenow: '#/components/schemas/Cases_connector_properties_servicenow'
+ .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir'
+ .swimlane: '#/components/schemas/Cases_connector_properties_swimlane'
+ propertyName: type
+ oneOf:
+ - $ref: '#/components/schemas/Cases_connector_properties_none'
+ - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook'
+ - $ref: '#/components/schemas/Cases_connector_properties_jira'
+ - $ref: '#/components/schemas/Cases_connector_properties_resilient'
+ - $ref: '#/components/schemas/Cases_connector_properties_servicenow'
+ - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir'
+ - $ref: '#/components/schemas/Cases_connector_properties_swimlane'
+ title: Case response properties for connectors
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ $ref: '#/components/schemas/Cases_case_response_created_by_properties'
+ customFields:
+ description: Custom field values for the case.
+ items:
+ properties:
+ key:
+ description: |
+ The unique identifier for the custom field. The key value must exist in the case configuration settings.
+ type: string
+ type:
+ description: |
+ The custom field type. It must match the type specified in the case configuration settings.
+ enum:
+ - text
+ - toggle
+ type: string
+ value:
+ description: |
+ The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
+ oneOf:
+ - maxLength: 160
+ minLength: 1
+ nullable: true
+ type: string
+ x-omitempty: true
+ - type: boolean
+ type: object
+ type: array
+ description:
+ type: string
+ duration:
+ description: |
+ The elapsed time from the creation of the case to its closure (in seconds). If the case has not been closed, the duration is set to null. If the case was closed after less than half a second, the duration is rounded down to zero.
+ nullable: true
+ type: integer
+ x-omitempty: true
+ external_service:
+ $ref: '#/components/schemas/Cases_external_service'
+ id:
+ type: string
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ settings:
+ $ref: '#/components/schemas/Cases_settings'
+ severity:
+ $ref: '#/components/schemas/Cases_case_severity'
+ status:
+ $ref: '#/components/schemas/Cases_case_status'
+ tags:
+ items:
+ type: string
+ type: array
+ title:
+ type: string
+ totalAlerts:
+ type: integer
+ totalComment:
+ type: integer
+ updated_at:
+ format: date-time
+ nullable: true
+ type: string
+ x-omitempty: true
+ updated_by:
+ $ref: '#/components/schemas/Cases_case_response_updated_by_properties'
+ version:
+ type: string
+ required:
+ - closed_at
+ - closed_by
+ - comments
+ - connector
+ - created_at
+ - created_by
+ - description
+ - duration
+ - external_service
+ - id
+ - owner
+ - settings
+ - severity
+ - status
+ - tags
+ - title
+ - totalAlerts
+ - totalComment
+ - updated_at
+ - updated_by
+ - version
+ title: Case response properties
+ type: object
+ Cases_case_response_pushed_by_properties:
+ nullable: true
+ properties:
+ email:
+ nullable: true
+ type: string
+ x-omitempty: true
+ full_name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ profile_uid:
+ type: string
+ username:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - email
+ - full_name
+ - username
+ title: Case response properties for pushed_by
+ type: object
+ x-omitempty: true
+ Cases_case_response_updated_by_properties:
+ nullable: true
+ properties:
+ email:
+ nullable: true
+ type: string
+ x-omitempty: true
+ full_name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ profile_uid:
+ type: string
+ username:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - email
+ - full_name
+ - username
+ title: Case response properties for updated_by
+ type: object
+ x-omitempty: true
+ Cases_case_severity:
+ default: low
+ description: The severity of the case.
+ enum:
+ - critical
+ - high
+ - low
+ - medium
+ type: string
+ Cases_case_status:
+ description: The status of the case.
+ enum:
+ - closed
+ - in-progress
+ - open
+ type: string
+ Cases_case_tags:
+ description: |
+ The words and phrases that help categorize cases. It can be an empty array.
+ items:
+ maxLength: 256
+ type: string
+ maxItems: 200
+ type: array
+ Cases_case_title:
+ description: A title for the case.
+ maxLength: 160
+ type: string
+ Cases_closure_types:
+ description: Indicates whether a case is automatically closed when it is pushed to external systems (`close-by-pushing`) or not automatically closed (`close-by-user`).
+ enum:
+ - close-by-pushing
+ - close-by-user
+ type: string
+ Cases_connector_properties_cases_webhook:
+ description: Defines properties for connectors when type is `.cases-webhook`.
+ properties:
+ fields:
+ nullable: true
+ type: string
+ x-omitempty: true
+ id:
+ description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ type: string
+ name:
+ description: The name of the connector.
+ type: string
+ type:
+ description: The type of connector.
+ enum:
+ - .cases-webhook
+ type: string
+ required:
+ - fields
+ - id
+ - name
+ - type
+ title: Create or upate case request properties for Cases Webhook connector
+ type: object
+ Cases_connector_properties_jira:
+ description: Defines properties for connectors when type is `.jira`.
+ properties:
+ fields:
+ description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
+ properties:
+ issueType:
+ description: The type of issue.
+ nullable: true
+ type: string
+ x-omitempty: true
+ parent:
+ description: The key of the parent issue, when the issue type is sub-task.
+ nullable: true
+ type: string
+ x-omitempty: true
+ priority:
+ description: The priority of the issue.
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - issueType
+ - parent
+ - priority
+ type: object
+ id:
+ description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ type: string
+ name:
+ description: The name of the connector.
+ type: string
+ type:
+ description: The type of connector.
+ enum:
+ - .jira
+ type: string
+ required:
+ - fields
+ - id
+ - name
+ - type
+ title: Create or update case request properties for a Jira connector
+ type: object
+ Cases_connector_properties_none:
+ description: Defines properties for connectors when type is `.none`.
+ properties:
+ fields:
+ description: An object containing the connector fields. To create a case without a connector, specify null. To update a case to remove the connector, specify null.
+ nullable: true
+ type: string
+ x-omitempty: true
+ id:
+ description: The identifier for the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`.
+ type: string
+ name:
+ description: The name of the connector. To create a case without a connector, use `none`. To update a case to remove the connector, specify `none`.
+ type: string
+ type:
+ description: The type of connector. To create a case without a connector, use `.none`. To update a case to remove the connector, specify `.none`.
+ enum:
+ - .none
+ type: string
+ required:
+ - fields
+ - id
+ - name
+ - type
+ title: Create or update case request properties for no connector
+ type: object
+ Cases_connector_properties_resilient:
+ description: Defines properties for connectors when type is `.resilient`.
+ properties:
+ fields:
+ description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
+ nullable: true
+ properties:
+ issueTypes:
+ description: The type of incident.
+ items:
+ type: string
+ type: array
+ severityCode:
+ description: The severity code of the incident.
+ type: string
+ required:
+ - issueTypes
+ - severityCode
+ type: object
+ x-omitempty: true
+ id:
+ description: The identifier for the connector.
+ type: string
+ name:
+ description: The name of the connector.
+ type: string
+ type:
+ description: The type of connector.
+ enum:
+ - .resilient
+ type: string
+ required:
+ - fields
+ - id
+ - name
+ - type
+ title: Create case request properties for a IBM Resilient connector
+ type: object
+ Cases_connector_properties_servicenow:
+ description: Defines properties for connectors when type is `.servicenow`.
+ properties:
+ fields:
+ description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
+ properties:
+ category:
+ description: The category of the incident.
+ nullable: true
+ type: string
+ x-omitempty: true
+ impact:
+ description: The effect an incident had on business.
+ nullable: true
+ type: string
+ x-omitempty: true
+ severity:
+ description: The severity of the incident.
+ nullable: true
+ type: string
+ x-omitempty: true
+ subcategory:
+ description: The subcategory of the incident.
+ nullable: true
+ type: string
+ x-omitempty: true
+ urgency:
+ description: The extent to which the incident resolution can be delayed.
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - category
+ - impact
+ - severity
+ - subcategory
+ - urgency
+ type: object
+ id:
+ description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ type: string
+ name:
+ description: The name of the connector.
+ type: string
+ type:
+ description: The type of connector.
+ enum:
+ - .servicenow
+ type: string
+ required:
+ - fields
+ - id
+ - name
+ - type
+ title: Create case request properties for a ServiceNow ITSM connector
+ type: object
+ Cases_connector_properties_servicenow_sir:
+ description: Defines properties for connectors when type is `.servicenow-sir`.
+ properties:
+ fields:
+ description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
+ properties:
+ category:
+ description: The category of the incident.
+ nullable: true
+ type: string
+ x-omitempty: true
+ destIp:
+ description: Indicates whether cases will send a comma-separated list of destination IPs.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ malwareHash:
+ description: Indicates whether cases will send a comma-separated list of malware hashes.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ malwareUrl:
+ description: Indicates whether cases will send a comma-separated list of malware URLs.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ priority:
+ description: The priority of the issue.
+ nullable: true
+ type: string
+ x-omitempty: true
+ sourceIp:
+ description: Indicates whether cases will send a comma-separated list of source IPs.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ subcategory:
+ description: The subcategory of the incident.
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - category
+ - destIp
+ - malwareHash
+ - malwareUrl
+ - priority
+ - sourceIp
+ - subcategory
+ type: object
+ id:
+ description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ type: string
+ name:
+ description: The name of the connector.
+ type: string
+ type:
+ description: The type of connector.
+ enum:
+ - .servicenow-sir
+ type: string
+ required:
+ - fields
+ - id
+ - name
+ - type
+ title: Create case request properties for a ServiceNow SecOps connector
+ type: object
+ Cases_connector_properties_swimlane:
+ description: Defines properties for connectors when type is `.swimlane`.
+ properties:
+ fields:
+ description: An object containing the connector fields. If you want to omit any individual field, specify null as its value.
+ properties:
+ caseId:
+ description: The case identifier for Swimlane connectors.
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - caseId
+ type: object
+ id:
+ description: The identifier for the connector. To retrieve connector IDs, use the find connectors API.
+ type: string
+ name:
+ description: The name of the connector.
+ type: string
+ type:
+ description: The type of connector.
+ enum:
+ - .swimlane
+ type: string
+ required:
+ - fields
+ - id
+ - name
+ - type
+ title: Create case request properties for a Swimlane connector
+ type: object
+ Cases_connector_types:
+ description: The type of connector.
+ enum:
+ - .cases-webhook
+ - .jira
+ - .none
+ - .resilient
+ - .servicenow
+ - .servicenow-sir
+ - .swimlane
+ type: string
+ Cases_create_case_request:
+ description: The create case API request body varies depending on the type of connector.
+ properties:
+ assignees:
+ $ref: '#/components/schemas/Cases_assignees'
+ category:
+ $ref: '#/components/schemas/Cases_case_category'
+ connector:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_connector_properties_none'
+ - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook'
+ - $ref: '#/components/schemas/Cases_connector_properties_jira'
+ - $ref: '#/components/schemas/Cases_connector_properties_resilient'
+ - $ref: '#/components/schemas/Cases_connector_properties_servicenow'
+ - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir'
+ - $ref: '#/components/schemas/Cases_connector_properties_swimlane'
+ customFields:
+ description: |
+ Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
+ items:
+ properties:
+ key:
+ description: |
+ The unique identifier for the custom field. The key value must exist in the case configuration settings.
+ type: string
+ type:
+ description: |
+ The custom field type. It must match the type specified in the case configuration settings.
+ enum:
+ - text
+ - toggle
+ type: string
+ value:
+ description: |
+ The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
+ oneOf:
+ - maxLength: 160
+ minLength: 1
+ nullable: true
+ type: string
+ x-omitempty: true
+ - type: boolean
+ required:
+ - key
+ - type
+ - value
+ type: object
+ maxItems: 10
+ minItems: 0
+ type: array
+ description:
+ $ref: '#/components/schemas/Cases_case_description'
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ settings:
+ $ref: '#/components/schemas/Cases_settings'
+ severity:
+ $ref: '#/components/schemas/Cases_case_severity'
+ tags:
+ $ref: '#/components/schemas/Cases_case_tags'
+ title:
+ $ref: '#/components/schemas/Cases_case_title'
+ required:
+ - connector
+ - description
+ - owner
+ - settings
+ - tags
+ - title
+ title: Create case request
+ type: object
+ Cases_external_service:
+ nullable: true
+ properties:
+ connector_id:
+ type: string
+ connector_name:
+ type: string
+ external_id:
+ type: string
+ external_title:
+ type: string
+ external_url:
+ type: string
+ pushed_at:
+ format: date-time
+ type: string
+ pushed_by:
+ nullable: true
+ properties:
+ email:
+ nullable: true
+ type: string
+ x-omitempty: true
+ full_name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ profile_uid:
+ type: string
+ username:
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ x-omitempty: true
+ type: object
+ x-omitempty: true
+ Cases_owner:
+ description: |
+ The application that owns the cases: Stack Management, Observability, or Elastic Security.
+ enum:
+ - cases
+ - observability
+ - securitySolution
+ type: string
+ Cases_owners:
+ items:
+ $ref: '#/components/schemas/Cases_owner'
+ type: array
+ Cases_payload_alert_comment:
+ properties:
+ comment:
+ properties:
+ alertId:
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ index:
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ rule:
+ properties:
+ id:
+ description: The rule identifier.
+ type: string
+ name:
+ description: The rule name.
+ type: string
+ type: object
+ type:
+ enum:
+ - alert
+ type: string
+ type: object
+ type: object
+ Cases_payload_assignees:
+ properties:
+ assignees:
+ $ref: '#/components/schemas/Cases_assignees'
+ type: object
+ Cases_payload_connector:
+ properties:
+ connector:
+ properties:
+ fields:
+ description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
+ nullable: true
+ properties:
+ caseId:
+ description: The case identifier for Swimlane connectors.
+ type: string
+ category:
+ description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
+ type: string
+ destIp:
+ description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ impact:
+ description: The effect an incident had on business for ServiceNow ITSM connectors.
+ type: string
+ issueType:
+ description: The type of issue for Jira connectors.
+ type: string
+ issueTypes:
+ description: The type of incident for IBM Resilient connectors.
+ items:
+ type: string
+ type: array
+ malwareHash:
+ description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ malwareUrl:
+ description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ parent:
+ description: The key of the parent issue, when the issue type is sub-task for Jira connectors.
+ type: string
+ priority:
+ description: The priority of the issue for Jira and ServiceNow SecOps connectors.
+ type: string
+ severity:
+ description: The severity of the incident for ServiceNow ITSM connectors.
+ type: string
+ severityCode:
+ description: The severity code of the incident for IBM Resilient connectors.
+ type: string
+ sourceIp:
+ description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ subcategory:
+ description: The subcategory of the incident for ServiceNow ITSM connectors.
+ type: string
+ urgency:
+ description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
+ type: string
+ type: object
+ x-omitempty: true
+ id:
+ description: The identifier for the connector. To create a case without a connector, use `none`.
+ type: string
+ name:
+ description: The name of the connector. To create a case without a connector, use `none`.
+ type: string
+ type:
+ $ref: '#/components/schemas/Cases_connector_types'
+ type: object
+ type: object
+ Cases_payload_create_case:
+ properties:
+ assignees:
+ $ref: '#/components/schemas/Cases_assignees'
+ connector:
+ properties:
+ fields:
+ description: An object containing the connector fields. To create a case without a connector, specify null. If you want to omit any individual field, specify null as its value.
+ nullable: true
+ properties:
+ caseId:
+ description: The case identifier for Swimlane connectors.
+ type: string
+ category:
+ description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
+ type: string
+ destIp:
+ description: Indicates whether cases will send a comma-separated list of destination IPs for ServiceNow SecOps connectors.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ impact:
+ description: The effect an incident had on business for ServiceNow ITSM connectors.
+ type: string
+ issueType:
+ description: The type of issue for Jira connectors.
+ type: string
+ issueTypes:
+ description: The type of incident for IBM Resilient connectors.
+ items:
+ type: string
+ type: array
+ malwareHash:
+ description: Indicates whether cases will send a comma-separated list of malware hashes for ServiceNow SecOps connectors.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ malwareUrl:
+ description: Indicates whether cases will send a comma-separated list of malware URLs for ServiceNow SecOps connectors.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ parent:
+ description: The key of the parent issue, when the issue type is sub-task for Jira connectors.
+ type: string
+ priority:
+ description: The priority of the issue for Jira and ServiceNow SecOps connectors.
+ type: string
+ severity:
+ description: The severity of the incident for ServiceNow ITSM connectors.
+ type: string
+ severityCode:
+ description: The severity code of the incident for IBM Resilient connectors.
+ type: string
+ sourceIp:
+ description: Indicates whether cases will send a comma-separated list of source IPs for ServiceNow SecOps connectors.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ subcategory:
+ description: The subcategory of the incident for ServiceNow ITSM connectors.
+ type: string
+ urgency:
+ description: The extent to which the incident resolution can be delayed for ServiceNow ITSM connectors.
+ type: string
+ type: object
+ x-omitempty: true
+ id:
+ description: The identifier for the connector. To create a case without a connector, use `none`.
+ type: string
+ name:
+ description: The name of the connector. To create a case without a connector, use `none`.
+ type: string
+ type:
+ $ref: '#/components/schemas/Cases_connector_types'
+ type: object
+ description:
+ type: string
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ settings:
+ $ref: '#/components/schemas/Cases_settings'
+ severity:
+ $ref: '#/components/schemas/Cases_case_severity'
+ status:
+ $ref: '#/components/schemas/Cases_case_status'
+ tags:
+ items:
+ type: string
+ type: array
+ title:
+ type: string
+ type: object
+ Cases_payload_delete:
+ description: If the `action` is `delete` and the `type` is `delete_case`, the payload is nullable.
+ nullable: true
+ type: object
+ x-omitempty: true
+ Cases_payload_description:
+ properties:
+ description:
+ type: string
+ type: object
+ Cases_payload_pushed:
+ properties:
+ externalService:
+ $ref: '#/components/schemas/Cases_external_service'
+ type: object
+ Cases_payload_settings:
+ properties:
+ settings:
+ $ref: '#/components/schemas/Cases_settings'
+ type: object
+ Cases_payload_severity:
+ properties:
+ severity:
+ $ref: '#/components/schemas/Cases_case_severity'
+ type: object
+ Cases_payload_status:
+ properties:
+ status:
+ $ref: '#/components/schemas/Cases_case_status'
+ type: object
+ Cases_payload_tags:
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ type: object
+ Cases_payload_title:
+ properties:
+ title:
+ type: string
+ type: object
+ Cases_payload_user_comment:
+ properties:
+ comment:
+ properties:
+ comment:
+ type: string
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ type:
+ enum:
+ - user
+ type: string
+ type: object
+ type: object
+ Cases_rule:
+ description: |
+ The rule that is associated with the alerts. It is required only when `type` is `alert`. This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.
+ properties:
+ id:
+ description: The rule identifier.
+ type: string
+ name:
+ description: The rule name.
+ type: string
+ title: Alerting rule
+ type: object
+ x-state: Technical preview
+ Cases_searchFieldsType:
+ description: The fields to perform the `simple_query_string` parsed query against.
+ enum:
+ - description
+ - title
+ type: string
+ Cases_searchFieldsTypeArray:
+ items:
+ $ref: '#/components/schemas/Cases_searchFieldsType'
+ type: array
+ Cases_set_case_configuration_request:
+ description: External connection details, such as the closure type and default connector for cases.
+ properties:
+ closure_type:
+ $ref: '#/components/schemas/Cases_closure_types'
+ connector:
+ description: An object that contains the connector configuration.
+ properties:
+ fields:
+ description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ nullable: true
+ type: object
+ x-omitempty: true
+ id:
+ description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ type: string
+ name:
+ description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ type: string
+ type:
+ $ref: '#/components/schemas/Cases_connector_types'
+ required:
+ - fields
+ - id
+ - name
+ - type
+ type: object
+ customFields:
+ description: Custom fields case configuration.
+ items:
+ properties:
+ defaultValue:
+ description: |
+ A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ oneOf:
+ - type: string
+ - type: boolean
+ key:
+ description: |
+ A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
+ maxLength: 36
+ minLength: 1
+ type: string
+ label:
+ description: The custom field label that is displayed in the case.
+ maxLength: 50
+ minLength: 1
+ type: string
+ required:
+ description: |
+ Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
+ type: boolean
+ type:
+ description: The type of the custom field.
+ enum:
+ - text
+ - toggle
+ type: string
+ required:
+ - key
+ - label
+ - required
+ - type
+ type: object
+ maxItems: 10
+ minItems: 0
+ type: array
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ templates:
+ $ref: '#/components/schemas/Cases_templates'
+ required:
+ - closure_type
+ - connector
+ - owner
+ title: Set case configuration request
+ type: object
+ Cases_settings:
+ description: An object that contains the case settings.
+ properties:
+ syncAlerts:
+ description: Turns alert syncing on or off.
+ type: boolean
+ required:
+ - syncAlerts
+ type: object
+ Cases_string:
+ type: string
+ Cases_string_array:
+ items:
+ $ref: '#/components/schemas/Cases_string'
+ maxItems: 100
+ type: array
+ Cases_template_tags:
+ description: |
+ The words and phrases that help categorize templates. It can be an empty array.
+ items:
+ maxLength: 256
+ type: string
+ maxItems: 200
+ type: array
+ Cases_templates:
+ items:
+ properties:
+ caseFields:
+ properties:
+ assignees:
+ $ref: '#/components/schemas/Cases_assignees'
+ category:
+ $ref: '#/components/schemas/Cases_case_category'
+ connector:
+ properties:
+ fields:
+ description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ nullable: true
+ type: object
+ x-omitempty: true
+ id:
+ description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ type: string
+ name:
+ description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ type: string
+ type:
+ $ref: '#/components/schemas/Cases_connector_types'
+ type: object
+ customFields:
+ description: Custom field values in the template.
+ items:
+ properties:
+ key:
+ description: The unique key for the custom field.
+ type: string
+ type:
+ description: The type of the custom field.
+ enum:
+ - text
+ - toggle
+ type: string
+ value:
+ description: |
+ The default value for the custom field when a case uses the template. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ oneOf:
+ - type: string
+ - type: boolean
+ type: object
+ type: array
+ x-state: Technical preview
+ description:
+ $ref: '#/components/schemas/Cases_case_description'
+ settings:
+ $ref: '#/components/schemas/Cases_settings'
+ severity:
+ $ref: '#/components/schemas/Cases_case_severity'
+ tags:
+ $ref: '#/components/schemas/Cases_case_tags'
+ title:
+ $ref: '#/components/schemas/Cases_case_title'
+ type: object
+ description:
+ description: A description for the template.
+ type: string
+ key:
+ description: |
+ A unique key for the template. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific template.
+ type: string
+ name:
+ description: The name of the template.
+ type: string
+ tags:
+ $ref: '#/components/schemas/Cases_template_tags'
+ type: object
+ type: array
+ x-state: Technical preview
+ Cases_update_alert_comment_request_properties:
+ description: Defines properties for case comment requests when type is alert.
+ properties:
+ alertId:
+ $ref: '#/components/schemas/Cases_alert_identifiers'
+ id:
+ description: |
+ The identifier for the comment. To retrieve comment IDs, use the get comments API.
+ type: string
+ index:
+ $ref: '#/components/schemas/Cases_alert_indices'
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ rule:
+ $ref: '#/components/schemas/Cases_rule'
+ type:
+ description: The type of comment.
+ enum:
+ - alert
+ type: string
+ version:
+ description: |
+ The current comment version. To retrieve version values, use the get comments API.
+ type: string
+ required:
+ - alertId
+ - id
+ - index
+ - owner
+ - rule
+ - type
+ - version
+ title: Update case comment request properties for alerts
+ type: object
+ Cases_update_case_comment_request:
+ description: The update case comment API request body varies depending on whether you are updating an alert or a comment.
+ discriminator:
+ mapping:
+ alert: '#/components/schemas/Cases_update_alert_comment_request_properties'
+ user: '#/components/schemas/Cases_update_user_comment_request_properties'
+ propertyName: type
+ oneOf:
+ - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties'
+ - $ref: '#/components/schemas/Cases_update_user_comment_request_properties'
+ title: Update case comment request
+ Cases_update_case_configuration_request:
+ description: |
+ You can update settings such as the closure type, custom fields, templates, and the default connector for cases.
+ properties:
+ closure_type:
+ $ref: '#/components/schemas/Cases_closure_types'
+ connector:
+ description: An object that contains the connector configuration.
+ properties:
+ fields:
+ description: The fields specified in the case configuration are not used and are not propagated to individual cases, therefore it is recommended to set it to `null`.
+ nullable: true
+ type: object
+ x-omitempty: true
+ id:
+ description: The identifier for the connector. If you do not want a default connector, use `none`. To retrieve connector IDs, use the find connectors API.
+ type: string
+ name:
+ description: The name of the connector. If you do not want a default connector, use `none`. To retrieve connector names, use the find connectors API.
+ type: string
+ type:
+ $ref: '#/components/schemas/Cases_connector_types'
+ required:
+ - fields
+ - id
+ - name
+ - type
+ type: object
+ customFields:
+ description: Custom fields case configuration.
+ items:
+ properties:
+ defaultValue:
+ description: |
+ A default value for the custom field. If the `type` is `text`, the default value must be a string. If the `type` is `toggle`, the default value must be boolean.
+ oneOf:
+ - type: string
+ - type: boolean
+ key:
+ description: |
+ A unique key for the custom field. Must be lower case and composed only of a-z, 0-9, '_', and '-' characters. It is used in API calls to refer to a specific custom field.
+ maxLength: 36
+ minLength: 1
+ type: string
+ label:
+ description: The custom field label that is displayed in the case.
+ maxLength: 50
+ minLength: 1
+ type: string
+ required:
+ description: |
+ Indicates whether the field is required. If `false`, the custom field can be set to null or omitted when a case is created or updated.
+ type: boolean
+ type:
+ description: The type of the custom field.
+ enum:
+ - text
+ - toggle
+ type: string
+ required:
+ - key
+ - label
+ - required
+ - type
+ type: object
+ type: array
+ templates:
+ $ref: '#/components/schemas/Cases_templates'
+ version:
+ description: |
+ The version of the connector. To retrieve the version value, use the get configuration API.
+ type: string
+ required:
+ - version
+ title: Update case configuration request
+ type: object
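Review bot: the `version` description in `Cases_update_case_configuration_request` reads "The version of the connector", but the retrieval hint in the same sentence ("use the get configuration API") and the `required: - version` entry point at the configuration object's own version, which is what an optimistic-concurrency check on an update would compare. If that is the intent, reword to "The version of the case configuration. To retrieve the version value, use the get configuration API." so clients do not pass a connector version here and get a conflict error.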
+ Cases_update_case_request:
+ description: The update case API request body varies depending on the type of connector.
+ properties:
+ cases:
+ description: An array containing one or more case objects.
+ items:
+ properties:
+ assignees:
+ $ref: '#/components/schemas/Cases_assignees'
+ category:
+ $ref: '#/components/schemas/Cases_case_category'
+ connector:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_connector_properties_none'
+ - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook'
+ - $ref: '#/components/schemas/Cases_connector_properties_jira'
+ - $ref: '#/components/schemas/Cases_connector_properties_resilient'
+ - $ref: '#/components/schemas/Cases_connector_properties_servicenow'
+ - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir'
+ - $ref: '#/components/schemas/Cases_connector_properties_swimlane'
+ customFields:
+ description: |
+ Custom field values for a case. Any optional custom fields that are not specified in the request are set to null.
+ items:
+ properties:
+ key:
+ description: |
+ The unique identifier for the custom field. The key value must exist in the case configuration settings.
+ type: string
+ type:
+ description: |
+ The custom field type. It must match the type specified in the case configuration settings.
+ enum:
+ - text
+ - toggle
+ type: string
+ value:
+ description: |
+ The custom field value. If the custom field is required, it cannot be explicitly set to null. However, for cases that existed when the required custom field was added, the default value stored in Elasticsearch is `undefined`. The value returned in the API and user interface in this case is `null`.
+ oneOf:
+ - maxLength: 160
+ minLength: 1
+ nullable: true
+ type: string
+ x-omitempty: true
+ - type: boolean
+ required:
+ - key
+ - type
+ - value
+ type: object
+ maxItems: 10
+ minItems: 0
+ type: array
+ description:
+ $ref: '#/components/schemas/Cases_case_description'
+ id:
+ description: The identifier for the case.
+ maxLength: 30000
+ type: string
+ settings:
+ $ref: '#/components/schemas/Cases_settings'
+ severity:
+ $ref: '#/components/schemas/Cases_case_severity'
+ status:
+ $ref: '#/components/schemas/Cases_case_status'
+ tags:
+ $ref: '#/components/schemas/Cases_case_tags'
+ title:
+ $ref: '#/components/schemas/Cases_case_title'
+ version:
+ description: The current version of the case. To determine this value, use the get case or find cases APIs.
+ type: string
+ required:
+ - id
+ - version
+ type: object
+ maxItems: 100
+ minItems: 1
+ type: array
+ required:
+ - cases
+ title: Update case request
+ type: object
+ Cases_update_user_comment_request_properties:
+ description: Defines properties for case comment requests when type is user.
+ properties:
+ comment:
+ description: The new comment. It is required only when `type` is `user`.
+ maxLength: 30000
+ type: string
+ id:
+ description: |
+ The identifier for the comment. To retrieve comment IDs, use the get comments API.
+ type: string
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ type:
+ description: The type of comment.
+ enum:
+ - user
+ type: string
+ version:
+ description: |
+ The current comment version. To retrieve version values, use the get comments API.
+ type: string
+ required:
+ - comment
+ - id
+ - owner
+ - type
+ - version
+ title: Update case comment request properties for user comments
+ type: object
+ Cases_user_actions_find_response_properties:
+ properties:
+ action:
+ $ref: '#/components/schemas/Cases_actions'
+ comment_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ properties:
+ email:
+ nullable: true
+ type: string
+ x-omitempty: true
+ full_name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ profile_uid:
+ type: string
+ username:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - email
+ - full_name
+ - username
+ type: object
+ id:
+ type: string
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ payload:
+ oneOf:
+ - $ref: '#/components/schemas/Cases_payload_alert_comment'
+ - $ref: '#/components/schemas/Cases_payload_assignees'
+ - $ref: '#/components/schemas/Cases_payload_connector'
+ - $ref: '#/components/schemas/Cases_payload_create_case'
+ - $ref: '#/components/schemas/Cases_payload_delete'
+ - $ref: '#/components/schemas/Cases_payload_description'
+ - $ref: '#/components/schemas/Cases_payload_pushed'
+ - $ref: '#/components/schemas/Cases_payload_settings'
+ - $ref: '#/components/schemas/Cases_payload_severity'
+ - $ref: '#/components/schemas/Cases_payload_status'
+ - $ref: '#/components/schemas/Cases_payload_tags'
+ - $ref: '#/components/schemas/Cases_payload_title'
+ - $ref: '#/components/schemas/Cases_payload_user_comment'
+ type:
+ description: The type of action.
+ enum:
+ - assignees
+ - create_case
+ - comment
+ - connector
+ - description
+ - pushed
+ - tags
+ - title
+ - status
+ - settings
+ - severity
+ type: string
+ version:
+ type: string
+ required:
+ - action
+ - comment_id
+ - created_at
+ - created_by
+ - id
+ - owner
+ - payload
+ - type
+ - version
+ type: object
+ Cases_user_comment_response_properties:
+ properties:
+ comment:
+ type: string
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ $ref: '#/components/schemas/Cases_case_response_created_by_properties'
+ id:
+ type: string
+ owner:
+ $ref: '#/components/schemas/Cases_owner'
+ pushed_at:
+ format: date-time
+ nullable: true
+ type: string
+ x-omitempty: true
+ pushed_by:
+ $ref: '#/components/schemas/Cases_case_response_pushed_by_properties'
+ type:
+ enum:
+ - user
+ type: string
+ updated_at:
+ format: date-time
+ nullable: true
+ type: string
+ x-omitempty: true
+ updated_by:
+ $ref: '#/components/schemas/Cases_case_response_updated_by_properties'
+ version:
+ type: string
+ required:
+ - type
+ title: Case response properties for user comments
+ type: object
+ Data_views_400_response:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ title: Bad request
+ type: object
+ Data_views_404_response:
+ properties:
+ error:
+ enum:
+ - Not Found
+ type: string
+ message:
+ type: string
+ statusCode:
+ enum:
+ - 404
+ type: integer
+ type: object
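Review bot: `statusCode` is typed inconsistently between the two Data Views error schemas: `Data_views_400_response` declares `type: number` while `Data_views_404_response` declares `type: integer` (with `enum: - 404`). An HTTP status code is always an integer, and generated clients will emit different types (float vs int) for the two responses; use `type: integer` in the 400 response as well. The 404 schema also lacks the `required` list the 400 schema has (`statusCode`, `error`, `message`), so consider adding it for parity.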
+ Data_views_allownoindex:
+ description: Allows the data view saved object to exist before the data is available. Defaults to `false`.
+ type: boolean
+ Data_views_create_data_view_request_object:
+ properties:
+ data_view:
+ $ref: '#/components/schemas/Data_views_create_data_view_request_object_inner'
+ override:
+ default: false
+ description: Override an existing data view if a data view with the provided title already exists.
+ type: boolean
+ required:
+ - data_view
+ title: Create data view request
+ type: object
+ Data_views_create_data_view_request_object_inner:
+ description: The data view object.
+ properties:
+ allowNoIndex:
+ $ref: '#/components/schemas/Data_views_allownoindex'
+ fieldAttrs:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_fieldattrs'
+ type: object
+ fieldFormats:
+ $ref: '#/components/schemas/Data_views_fieldformats'
+ fields:
+ type: object
+ id:
+ type: string
+ name:
+ description: The data view name.
+ type: string
+ namespaces:
+ $ref: '#/components/schemas/Data_views_namespaces'
+ runtimeFieldMap:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_runtimefieldmap'
+ type: object
+ sourceFilters:
+ $ref: '#/components/schemas/Data_views_sourcefilters'
+ timeFieldName:
+ $ref: '#/components/schemas/Data_views_timefieldname'
+ title:
+ $ref: '#/components/schemas/Data_views_title'
+ type:
+ $ref: '#/components/schemas/Data_views_type'
+ typeMeta:
+ $ref: '#/components/schemas/Data_views_typemeta'
+ version:
+ type: string
+ required:
+ - title
+ type: object
+ Data_views_data_view_response_object:
+ properties:
+ data_view:
+ $ref: '#/components/schemas/Data_views_data_view_response_object_inner'
+ title: Data view response properties
+ type: object
+ Data_views_data_view_response_object_inner:
+ properties:
+ allowNoIndex:
+ $ref: '#/components/schemas/Data_views_allownoindex'
+ fieldAttrs:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_fieldattrs'
+ type: object
+ fieldFormats:
+ $ref: '#/components/schemas/Data_views_fieldformats'
+ fields:
+ type: object
+ id:
+ type: string
+ name:
+ description: The data view name.
+ type: string
+ namespaces:
+ $ref: '#/components/schemas/Data_views_namespaces'
+ runtimeFieldMap:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_runtimefieldmap'
+ type: object
+ sourceFilters:
+ $ref: '#/components/schemas/Data_views_sourcefilters'
+ timeFieldName:
+ $ref: '#/components/schemas/Data_views_timefieldname'
+ title:
+ $ref: '#/components/schemas/Data_views_title'
+ typeMeta:
+ $ref: '#/components/schemas/Data_views_typemeta_response'
+ version:
+ type: string
+ type: object
+ Data_views_fieldattrs:
+ description: A map of field attributes by field name.
+ properties:
+ count:
+ description: Popularity count for the field.
+ type: integer
+ customDescription:
+ description: Custom description for the field.
+ maxLength: 300
+ type: string
+ customLabel:
+ description: Custom label for the field.
+ type: string
+ type: object
+ Data_views_fieldformat:
+ properties:
+ id:
+ type: string
+ params:
+ $ref: '#/components/schemas/Data_views_fieldformat_params'
+ type: object
+ Data_views_fieldformat_params:
+ properties:
+ colors:
+ items:
+ $ref: '#/components/schemas/Data_views_fieldformat_params_color'
+ type: array
+ fieldLength:
+ type: integer
+ fieldType:
+ type: string
+ height:
+ type: integer
+ includeSpaceWithSuffix:
+ type: boolean
+ inputFormat:
+ type: string
+ labelTemplate:
+ type: string
+ lookupEntries:
+ items:
+ $ref: '#/components/schemas/Data_views_fieldformat_params_lookup'
+ type: array
+ outputFormat:
+ type: string
+ outputPrecision:
+ type: integer
+ pattern:
+ type: string
+ timezone:
+ type: string
+ transform:
+ type: string
+ type:
+ type: string
+ unknownKeyValue:
+ type: string
+ urlTemplate:
+ type: string
+ useShortSuffix:
+ type: boolean
+ width:
+ type: integer
+ type: object
+ Data_views_fieldformat_params_color:
+ properties:
+ background:
+ type: string
+ range:
+ type: string
+ regex:
+ type: string
+ text:
+ type: string
+ type: object
+ Data_views_fieldformat_params_lookup:
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ type: object
+ Data_views_fieldformats:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_fieldformat'
+ description: A map of field formats by field name.
+ type: object
+ Data_views_namespaces:
+ description: An array of space identifiers for sharing the data view between multiple spaces.
+ items:
+ default: default
+ type: string
+ type: array
+ Data_views_runtimefieldmap:
+ description: A map of runtime field definitions by field name.
+ properties:
+ script:
+ $ref: '#/components/schemas/Data_views_runtimefieldmap_script'
+ type:
+ description: Mapping type of the runtime field.
+ type: string
+ required:
+ - script
+ - type
+ type: object
+ Data_views_runtimefieldmap_script:
+ properties:
+ source:
+ description: Script for the runtime field.
+ type: string
+ type: object
+ Data_views_sourcefilter_item:
+ properties:
+ value:
+ type: string
+ required:
+ - value
+ type: object
+ Data_views_sourcefilters:
+ description: The array of field names you want to filter out in Discover.
+ items:
+ $ref: '#/components/schemas/Data_views_sourcefilter_item'
+ type: array
+ Data_views_swap_data_view_request_object:
+ properties:
+ delete:
+ description: Deletes referenced saved object if all references are removed.
+ type: boolean
+ forId:
+ description: Limit the affected saved objects to one or more by identifier.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ forType:
+ description: Limit the affected saved objects by type.
+ type: string
+ fromId:
+ description: The saved object reference to change.
+ type: string
+ fromType:
+ description: |
+ Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views.
+ type: string
+ toId:
+ description: New saved object reference value to replace the old value.
+ type: string
+ required:
+ - fromId
+ - toId
+ title: Data view reference swap request
+ type: object
+ Data_views_timefieldname:
+ description: The timestamp field name, which you use for time-based data views.
+ type: string
+ Data_views_title:
+ description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`).
+ type: string
+ Data_views_type:
+ description: When set to `rollup`, identifies the rollup data views.
+ type: string
+ Data_views_typemeta:
+ description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
+ properties:
+ aggs:
+ description: A map of rollup restrictions by aggregation type and field name.
+ type: object
+ params:
+ description: Properties for retrieving rollup fields.
+ type: object
+ required:
+ - aggs
+ - params
+ type: object
+ Data_views_typemeta_response:
+ description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
+ nullable: true
+ properties:
+ aggs:
+ description: A map of rollup restrictions by aggregation type and field name.
+ type: object
+ params:
+ description: Properties for retrieving rollup fields.
+ type: object
+ type: object
+ x-omitempty: true
+ Data_views_update_data_view_request_object:
+ properties:
+ data_view:
+ $ref: '#/components/schemas/Data_views_update_data_view_request_object_inner'
+ refresh_fields:
+ default: false
+ description: Reloads the data view fields after the data view is updated.
+ type: boolean
+ required:
+ - data_view
+ title: Update data view request
+ type: object
+ Data_views_update_data_view_request_object_inner:
+ description: |
+ The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.
+ properties:
+ allowNoIndex:
+ $ref: '#/components/schemas/Data_views_allownoindex'
+ fieldFormats:
+ $ref: '#/components/schemas/Data_views_fieldformats'
+ fields:
+ type: object
+ name:
+ type: string
+ runtimeFieldMap:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_runtimefieldmap'
+ type: object
+ sourceFilters:
+ $ref: '#/components/schemas/Data_views_sourcefilters'
+ timeFieldName:
+ $ref: '#/components/schemas/Data_views_timefieldname'
+ title:
+ $ref: '#/components/schemas/Data_views_title'
+ type:
+ $ref: '#/components/schemas/Data_views_type'
+ typeMeta:
+ $ref: '#/components/schemas/Data_views_typemeta'
+ type: object
+ Kibana_HTTP_APIs_core_status_redactedResponse:
+ additionalProperties: false
+ description: A minimal representation of Kibana's operational status.
+ properties:
+ status:
+ additionalProperties: false
+ properties:
+ overall:
+ additionalProperties: false
+ properties:
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ required:
+ - level
+ type: object
+ required:
+ - overall
+ type: object
+ required:
+ - status
+ type: object
+ Kibana_HTTP_APIs_core_status_response:
+ additionalProperties: false
+ description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request.
+ properties:
+ metrics:
+ additionalProperties: false
+ description: Metric groups collected by Kibana.
+ properties:
+ collection_interval_in_millis:
+ description: The interval at which metrics should be collected.
+ type: number
+ elasticsearch_client:
+ additionalProperties: false
+ description: Current network metrics of Kibana's Elasticsearch client.
+ properties:
+ totalActiveSockets:
+ description: Count of network sockets currently in use.
+ type: number
+ totalIdleSockets:
+ description: Count of network sockets currently idle.
+ type: number
+ totalQueuedRequests:
+ description: Count of requests not yet assigned to sockets.
+ type: number
+ required:
+ - totalActiveSockets
+ - totalIdleSockets
+ - totalQueuedRequests
+ type: object
+ last_updated:
+ description: The time metrics were collected.
+ type: string
+ required:
+ - elasticsearch_client
+ - last_updated
+ - collection_interval_in_millis
+ type: object
+ name:
+ description: Kibana instance name.
+ type: string
+ status:
+ additionalProperties: false
+ properties:
+ core:
+ additionalProperties: false
+ description: Statuses of core Kibana services.
+ properties:
+ elasticsearch:
+ additionalProperties: false
+ properties:
+ detail:
+ description: Human readable detail of the service status.
+ type: string
+ documentationUrl:
+ description: A URL to further documentation regarding this service.
+ type: string
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ meta:
+ additionalProperties: {}
+ description: An unstructured set of extra metadata about this service.
+ type: object
+ summary:
+ description: A human readable summary of the service status.
+ type: string
+ required:
+ - level
+ - summary
+ - meta
+ type: object
+ http:
+ additionalProperties: false
+ properties:
+ detail:
+ description: Human readable detail of the service status.
+ type: string
+ documentationUrl:
+ description: A URL to further documentation regarding this service.
+ type: string
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ meta:
+ additionalProperties: {}
+ description: An unstructured set of extra metadata about this service.
+ type: object
+ summary:
+ description: A human readable summary of the service status.
+ type: string
+ required:
+ - level
+ - summary
+ - meta
+ type: object
+ savedObjects:
+ additionalProperties: false
+ properties:
+ detail:
+ description: Human readable detail of the service status.
+ type: string
+ documentationUrl:
+ description: A URL to further documentation regarding this service.
+ type: string
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ meta:
+ additionalProperties: {}
+ description: An unstructured set of extra metadata about this service.
+ type: object
+ summary:
+ description: A human readable summary of the service status.
+ type: string
+ required:
+ - level
+ - summary
+ - meta
+ type: object
+ required:
+ - elasticsearch
+ - savedObjects
+ type: object
+ overall:
+ additionalProperties: false
+ properties:
+ detail:
+ description: Human readable detail of the service status.
+ type: string
+ documentationUrl:
+ description: A URL to further documentation regarding this service.
+ type: string
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ meta:
+ additionalProperties: {}
+ description: An unstructured set of extra metadata about this service.
+ type: object
+ summary:
+ description: A human readable summary of the service status.
+ type: string
+ required:
+ - level
+ - summary
+ - meta
+ type: object
+ plugins:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ detail:
+ description: Human readable detail of the service status.
+ type: string
+ documentationUrl:
+ description: A URL to further documentation regarding this service.
+ type: string
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ meta:
+ additionalProperties: {}
+ description: An unstructured set of extra metadata about this service.
+ type: object
+ summary:
+ description: A human readable summary of the service status.
+ type: string
+ required:
+ - level
+ - summary
+ - meta
+ type: object
+ description: A dynamic mapping of plugin ID to plugin status.
+ type: object
+ required:
+ - overall
+ - core
+ - plugins
+ type: object
+ uuid:
+ description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts.
+ type: string
+ version:
+ additionalProperties: false
+ properties:
+ build_date:
+ description: The date and time of this build.
+ type: string
+ build_flavor:
+ description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases.
+ enum:
+ - serverless
+ - traditional
+ type: string
+ build_hash:
+ description: A unique hash value representing the git commit of this Kibana build.
+ type: string
+ build_number:
+ description: A monotonically increasing number, each subsequent build will have a higher number.
+ type: number
+ build_snapshot:
+ description: Whether this build is a snapshot build.
+ type: boolean
+ number:
+ description: A semantic version number.
+ type: string
+ required:
+ - number
+ - build_hash
+ - build_number
+ - build_snapshot
+ - build_flavor
+ - build_date
+ type: object
+ required:
+ - name
+ - uuid
+ - version
+ - status
+ - metrics
+ type: object
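Review bot: the description of `Kibana_HTTP_APIs_core_status_response` has a grammar slip: "a detailed breakdown of plugin statuses indication of various loads" should read "a detailed breakdown of plugin statuses and an indication of various loads". Separately, under `status.core` the `required` list names only `elasticsearch` and `savedObjects` although an `http` service status object is declared alongside them with the same shape; if `http` is always present in the response, add it to `required` so consumers that gate on the core service levels do not have to treat it as optional.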
+ Machine_learning_APIs_mlSync4xxResponse:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: integer
+ title: Unsuccessful sync API response
+ type: object
+ Machine_learning_APIs_mlSync200Response:
+ properties:
+ datafeedsAdded:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds'
+ description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.
+ type: object
+ datafeedsRemoved:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds'
+ description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.
+ type: object
+ savedObjectsCreated:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated'
+ savedObjectsDeleted:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted'
+ title: Successful sync API response
+ type: object
+ Machine_learning_APIs_mlSyncResponseAnomalyDetectors:
+ description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
+ properties:
+ success:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
+ title: Sync API response for anomaly detection jobs
+ type: object
+ Machine_learning_APIs_mlSyncResponseDataFrameAnalytics:
+ description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
+ properties:
+ success:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
+ title: Sync API response for data frame analytics jobs
+ type: object
+ Machine_learning_APIs_mlSyncResponseDatafeeds:
+ description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.
+ properties:
+ success:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
+ title: Sync API response for datafeeds
+ type: object
+ Machine_learning_APIs_mlSyncResponseSavedObjectsCreated:
+ description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.
+ properties:
+ anomaly-detector:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors'
+ description: If saved objects are missing for anomaly detection jobs, they are created.
+ type: object
+ data-frame-analytics:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics'
+ description: If saved objects are missing for data frame analytics jobs, they are created.
+ type: object
+ trained-model:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels'
+ description: If saved objects are missing for trained models, they are created.
+ type: object
+ title: Sync API response for created saved objects
+ type: object
+ Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted:
+ description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.
+ properties:
+ anomaly-detector:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors'
+ description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted.
+ type: object
+ data-frame-analytics:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics'
+ description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted.
+ type: object
+ trained-model:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels'
+ description: If there are saved objects exist for nonexistent trained models, they are deleted.
+ type: object
+ title: Sync API response for deleted saved objects
+ type: object
+ Machine_learning_APIs_mlSyncResponseSuccess:
+ description: The success or failure of the synchronization.
+ type: boolean
+ Machine_learning_APIs_mlSyncResponseTrainedModels:
+ description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.
+ properties:
+ success:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
+ title: Sync API response for trained models
+ type: object
+ Observability_AI_Assistant_API_Function:
+ properties:
+ description:
+ description: The description of the function.
+ type: string
+ name:
+ description: The name of the function.
+ type: string
+ parameters:
+ description: The parameters of the function.
+ type: object
+ type: object
+ Observability_AI_Assistant_API_FunctionCall:
+ description: Details of the function call within the message.
+ properties:
+ arguments:
+ description: The arguments for the function call.
+ type: string
+ name:
+ description: The name of the function.
+ type: string
+ trigger:
+ description: The trigger of the function call.
+ enum:
+ - assistant
+ - user
+ - elastic
+ type: string
+ required:
+ - name
+ - trigger
+ type: object
+ Observability_AI_Assistant_API_Instruction:
+ oneOf:
+ - description: A simple instruction represented as a string.
+ type: string
+ - description: A detailed instruction with an ID and text.
+ properties:
+ id:
+ description: A unique identifier for the instruction.
+ type: string
+ text:
+ description: The text of the instruction.
+ type: string
+ required:
+ - id
+ - text
+ type: object
+ Observability_AI_Assistant_API_Message:
+ name: Message
+ properties:
+ '@timestamp':
+ description: The timestamp when the message was created.
+ type: string
+ message:
+ description: The main content of the message.
+ properties:
+ content:
+ description: The content of the message.
+ type: string
+ data:
+ description: Additional data associated with the message.
+ type: string
+ event:
+ description: The event related to the message.
+ type: string
+ function_call:
+ $ref: '#/components/schemas/Observability_AI_Assistant_API_FunctionCall'
+ name:
+ description: The name associated with the message.
+ type: string
+ role:
+ $ref: '#/components/schemas/Observability_AI_Assistant_API_MessageRoleEnum'
+ required:
+ - role
+ type: object
+ required:
+ - '@timestamp'
+ - message
+ type: object
+ Observability_AI_Assistant_API_MessageRoleEnum:
+ description: The role of the message sender.
+ enum:
+ - system
+ - assistant
+ - function
+ - user
+ - elastic
+ type: string
+ SLOs_400_response:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ title: Bad request
+ type: object
+ SLOs_401_response:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ title: Unauthorized
+ type: object
+ SLOs_403_response:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ title: Unauthorized
+ type: object
+ SLOs_404_response:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ title: Not found
+ type: object
+ SLOs_409_response:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ title: Conflict
+ type: object
+ SLOs_artifacts:
+ description: Links to related assets for the SLO
+ properties:
+ dashboards:
+ description: Array of dashboard references
+ items:
+ properties:
+ id:
+ description: Dashboard saved-object id
+ type: string
+ required:
+ - id
+ type: object
+ type: array
+ title: Artifacts
+ type: object
+ SLOs_budgeting_method:
+ description: The budgeting method to use when computing the rollup data.
+ enum:
+ - occurrences
+ - timeslices
+ title: Budgeting method
+ type: string
+ SLOs_bulk_delete_request:
+ description: |
+ The bulk delete SLO request takes a list of SLOs Definition id to delete.
+ properties:
+ list:
+ description: An array of SLO Definition id
+ items:
+ description: The SLO Definition id
+ type: string
+ type: array
+ required:
+ - list
+ title: Bulk delete SLO request
+ type: object
+ SLOs_bulk_delete_response:
+ description: |
+ The bulk delete SLO response returns a taskId that can be used to poll for its status
+ properties:
+ taskId:
+ description: The taskId of the bulk delete operation
+ type: string
+ title: Bulk delete SLO response
+ type: object
+ SLOs_bulk_delete_status_response:
+ description: Indicates if the bulk deletion is completed, with the detailed results of the operation.
+ properties:
+ error:
+ description: The error message if the bulk deletion operation failed
+ type: string
+ isDone:
+ description: Indicates if the bulk deletion operation is completed
+ type: boolean
+ results:
+ description: The results of the bulk deletion operation, including the success status and any errors for each SLO
+ items:
+ properties:
+ error:
+ description: The error message if the deletion operation failed for this SLO
+ type: string
+ id:
+ description: The ID of the SLO that was deleted
+ type: string
+ success:
+ description: The result of the deletion operation for this SLO
+ type: boolean
+ type: object
+ type: array
+ title: The status of the bulk deletion
+ type: object
+ SLOs_bulk_purge_rollup_request:
+ description: |
+ The bulk purge rollup data request takes a list of SLO ids and a purge policy, then deletes the rollup data according to the purge policy. This API can be used to remove the staled data of an instance SLO that no longer get updated.
+ properties:
+ list:
+ description: An array of slo ids
+ items:
+ description: The SLO Definition id
+ type: string
+ type: array
+ purgePolicy:
+ description: Policy that dictates which SLI documents to purge based on age
+ oneOf:
+ - properties:
+ age:
+ description: The duration to determine which documents to purge, formatted as {duration}{unit}. This value should be greater than or equal to the time window of every SLO provided.
+ type: string
+ purgeType:
+ description: Specifies whether documents will be purged based on a specific age or on a timestamp
+ enum:
+ - fixed-age
+ type: string
+ type: object
+ - properties:
+ purgeType:
+ description: Specifies whether documents will be purged based on a specific age or on a timestamp
+ enum:
+ - fixed-time
+ type: string
+ timestamp:
+ description: The timestamp to determine which documents to purge, formatted in ISO. This value should be older than the applicable time window of every SLO provided.
+ type: string
+ type: object
+ type: object
+ required:
+ - list
+ - purgePolicy
+ title: Bulk Purge Rollup data request
+ type: object
+ SLOs_bulk_purge_rollup_response:
+ description: |
+ The bulk purge rollup data response returns a task id from the elasticsearch deleteByQuery response.
+ properties:
+ taskId:
+ description: The task id of the purge operation
+ type: string
+ title: Bulk Purge Rollup data response
+ type: object
+ SLOs_create_slo_request:
+ description: |
+ The create SLO API request body varies depending on the type of indicator, time window and budgeting method.
+ properties:
+ artifacts:
+ $ref: '#/components/schemas/SLOs_artifacts'
+ budgetingMethod:
+ $ref: '#/components/schemas/SLOs_budgeting_method'
+ description:
+ description: A description for the SLO.
+ type: string
+ groupBy:
+ $ref: '#/components/schemas/SLOs_group_by'
+ id:
+ description: A optional and unique identifier for the SLO. Must be between 8 and 36 chars
+ type: string
+ indicator:
+ oneOf:
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ name:
+ description: A name for the SLO.
+ type: string
+ objective:
+ $ref: '#/components/schemas/SLOs_objective'
+ settings:
+ $ref: '#/components/schemas/SLOs_settings'
+ tags:
+ description: List of tags
+ items:
+ type: string
+ type: array
+ timeWindow:
+ $ref: '#/components/schemas/SLOs_time_window'
+ required:
+ - name
+ - description
+ - indicator
+ - timeWindow
+ - budgetingMethod
+ - objective
+ title: Create SLO request
+ type: object
+ SLOs_create_slo_response:
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ title: Create SLO response
+ type: object
+ SLOs_delete_slo_instances_request:
+ description: |
+ The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated.
+ properties:
+ list:
+ description: An array of slo id and instance id
+ items:
+ properties:
+ instanceId:
+ description: The SLO instance identifier
+ type: string
+ sloId:
+ description: The SLO unique identifier
+ type: string
+ required:
+ - sloId
+ - instanceId
+ type: object
+ type: array
+ required:
+ - list
+ title: Delete SLO instances request
+ type: object
+ SLOs_error_budget:
+ properties:
+ consumed:
+ description: The error budget consummed, as a percentage of the initial value.
+ type: number
+ initial:
+ description: The initial error budget, as 1 - objective
+ type: number
+ isEstimated:
+ description: Only for SLO defined with occurrences budgeting method and calendar aligned time window.
+ type: boolean
+ remaining:
+ description: The error budget remaining, as a percentage of the initial value.
+ type: number
+ required:
+ - initial
+ - consumed
+ - remaining
+ - isEstimated
+ title: Error budget
+ type: object
+ SLOs_filter:
+ description: Defines properties for a filter
+ properties:
+ meta:
+ $ref: '#/components/schemas/SLOs_filter_meta'
+ query:
+ type: object
+ title: Filter
+ type: object
+ SLOs_filter_meta:
+ description: Defines properties for a filter
+ properties:
+ alias:
+ nullable: true
+ type: string
+ x-omitempty: true
+ controlledBy:
+ type: string
+ disabled:
+ type: boolean
+ field:
+ type: string
+ group:
+ type: string
+ index:
+ type: string
+ isMultiIndex:
+ type: boolean
+ key:
+ type: string
+ negate:
+ type: boolean
+ params:
+ type: object
+ type:
+ type: string
+ value:
+ type: string
+ title: FilterMeta
+ type: object
+ SLOs_find_slo_definitions_response:
+ description: |
+ A paginated response of SLO definitions matching the query.
+ oneOf:
+ - properties:
+ page:
+ type: number
+ perPage:
+ type: number
+ results:
+ items:
+ $ref: '#/components/schemas/SLOs_slo_with_summary_response'
+ type: array
+ total:
+ type: number
+ type: object
+ - properties:
+ page:
+ default: 1
+ description: for backward compability
+ type: number
+ perPage:
+ description: for backward compability
+ type: number
+ results:
+ items:
+ $ref: '#/components/schemas/SLOs_slo_with_summary_response'
+ type: array
+ searchAfter:
+ description: the cursor to provide to get the next paged results
+ items:
+ type: string
+ type: array
+ size:
+ type: number
+ total:
+ type: number
+ type: object
+ title: Find SLO definitions response
+ type: object
+ SLOs_find_slo_response:
+ description: |
+ A paginated response of SLOs matching the query.
+ properties:
+ page:
+ type: number
+ perPage:
+ type: number
+ results:
+ items:
+ $ref: '#/components/schemas/SLOs_slo_with_summary_response'
+ type: array
+ searchAfter:
+ type: string
+ size:
+ description: Size provided for cursor based pagination
+ type: number
+ total:
+ type: number
+ title: Find SLO response
+ type: object
+ SLOs_group_by:
+ description: optional group by field or fields to use to generate an SLO per distinct value
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ title: Group by
+ SLOs_indicator_properties_apm_availability:
+ description: Defines properties for the APM availability indicator type
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ properties:
+ environment:
+ description: The APM service environment or "*"
+ type: string
+ filter:
+ description: KQL query used for filtering the data
+ type: string
+ index:
+ description: The index used by APM metrics
+ type: string
+ service:
+ description: The APM service name
+ type: string
+ transactionName:
+ description: The APM transaction name or "*"
+ type: string
+ transactionType:
+ description: The APM transaction type or "*"
+ type: string
+ required:
+ - service
+ - environment
+ - transactionType
+ - transactionName
+ - index
+ type: object
+ type:
+ description: The type of indicator.
+ type: string
+ required:
+ - type
+ - params
+ title: APM availability
+ type: object
+ SLOs_indicator_properties_apm_latency:
+ description: Defines properties for the APM latency indicator type
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ properties:
+ environment:
+ description: The APM service environment or "*"
+ type: string
+ filter:
+ description: KQL query used for filtering the data
+ type: string
+ index:
+ description: The index used by APM metrics
+ type: string
+ service:
+ description: The APM service name
+ type: string
+ threshold:
+ description: The latency threshold in milliseconds
+ type: number
+ transactionName:
+ description: The APM transaction name or "*"
+ type: string
+ transactionType:
+ description: The APM transaction type or "*"
+ type: string
+ required:
+ - service
+ - environment
+ - transactionType
+ - transactionName
+ - index
+ - threshold
+ type: object
+ type:
+ description: The type of indicator.
+ type: string
+ required:
+ - type
+ - params
+ title: APM latency
+ type: object
+ SLOs_indicator_properties_custom_kql:
+ description: Defines properties for a custom query indicator type
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ properties:
+ dataViewId:
+ description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ type: string
+ filter:
+ $ref: '#/components/schemas/SLOs_kql_with_filters'
+ good:
+ $ref: '#/components/schemas/SLOs_kql_with_filters_good'
+ index:
+ description: The index or index pattern to use
+ type: string
+ timestampField:
+ description: |
+ The timestamp field used in the source indice.
+ type: string
+ total:
+ $ref: '#/components/schemas/SLOs_kql_with_filters_total'
+ required:
+ - index
+ - timestampField
+ - good
+ - total
+ type: object
+ type:
+ description: The type of indicator.
+ type: string
+ required:
+ - type
+ - params
+ title: Custom Query
+ type: object
+ SLOs_indicator_properties_custom_metric:
+ description: Defines properties for a custom metric indicator type
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ properties:
+ dataViewId:
+ description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ type: string
+ filter:
+ description: the KQL query to filter the documents with.
+ type: string
+ good:
+ description: |
+ An object defining the "good" metrics and equation
+ properties:
+ equation:
+ description: The equation to calculate the "good" metric.
+ type: string
+ metrics:
+ description: List of metrics with their name, aggregation type, and field.
+ items:
+ oneOf:
+ - properties:
+ aggregation:
+ description: The aggregation type of the metric.
+ enum:
+ - sum
+ type: string
+ field:
+ description: The field of the metric.
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ pattern: ^[A-Z]$
+ type: string
+ required:
+ - name
+ - aggregation
+ - field
+ type: object
+ - properties:
+ aggregation:
+ description: The aggregation type of the metric.
+ enum:
+ - doc_count
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ pattern: ^[A-Z]$
+ type: string
+ required:
+ - name
+ - aggregation
+ type: object
+ type: array
+ required:
+ - metrics
+ - equation
+ type: object
+ index:
+ description: The index or index pattern to use
+ type: string
+ timestampField:
+ description: |
+ The timestamp field used in the source indice.
+ type: string
+ total:
+ description: |
+ An object defining the "total" metrics and equation
+ properties:
+ equation:
+ description: The equation to calculate the "total" metric.
+ type: string
+ metrics:
+ description: List of metrics with their name, aggregation type, and field.
+ items:
+ oneOf:
+ - properties:
+ aggregation:
+ description: The aggregation type of the metric.
+ enum:
+ - sum
+ type: string
+ field:
+ description: The field of the metric.
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ pattern: ^[A-Z]$
+ type: string
+ required:
+ - name
+ - aggregation
+ - field
+ type: object
+ - properties:
+ aggregation:
+ description: The aggregation type of the metric.
+ enum:
+ - doc_count
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ pattern: ^[A-Z]$
+ type: string
+ required:
+ - name
+ - aggregation
+ type: object
+ type: array
+ required:
+ - metrics
+ - equation
+ type: object
+ required:
+ - index
+ - timestampField
+ - good
+ - total
+ type: object
+ type:
+ description: The type of indicator.
+ type: string
+ required:
+ - type
+ - params
+ title: Custom metric
+ type: object
+ SLOs_indicator_properties_histogram:
+ description: Defines properties for a histogram indicator type
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ properties:
+ dataViewId:
+ description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ type: string
+ filter:
+ description: the KQL query to filter the documents with.
+ type: string
+ good:
+ description: |
+ An object defining the "good" events
+ properties:
+ aggregation:
+ description: The type of aggregation to use.
+ enum:
+ - value_count
+ - range
+ type: string
+ field:
+ description: The field use to aggregate the good events.
+ type: string
+ filter:
+ description: The filter for good events.
+ type: string
+ from:
+ description: The starting value of the range. Only required for "range" aggregations.
+ type: number
+ to:
+ description: The ending value of the range. Only required for "range" aggregations.
+ type: number
+ required:
+ - aggregation
+ - field
+ type: object
+ index:
+ description: The index or index pattern to use
+ type: string
+ timestampField:
+ description: |
+ The timestamp field used in the source indice.
+ type: string
+ total:
+ description: |
+ An object defining the "total" events
+ properties:
+ aggregation:
+ description: The type of aggregation to use.
+ enum:
+ - value_count
+ - range
+ type: string
+ field:
+ description: The field use to aggregate the good events.
+ type: string
+ filter:
+ description: The filter for total events.
+ type: string
+ from:
+ description: The starting value of the range. Only required for "range" aggregations.
+ type: number
+ to:
+ description: The ending value of the range. Only required for "range" aggregations.
+ type: number
+ required:
+ - aggregation
+ - field
+ type: object
+ required:
+ - index
+ - timestampField
+ - good
+ - total
+ type: object
+ type:
+ description: The type of indicator.
+ type: string
+ required:
+ - type
+ - params
+ title: Histogram indicator
+ type: object
+ SLOs_indicator_properties_timeslice_metric:
+ description: Defines properties for a timeslice metric indicator type
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ properties:
+ dataViewId:
+ description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ type: string
+ filter:
+ description: the KQL query to filter the documents with.
+ type: string
+ index:
+ description: The index or index pattern to use
+ type: string
+ metric:
+ description: |
+ An object defining the metrics, equation, and threshold to determine if it's a good slice or not
+ properties:
+ comparator:
+ description: The comparator to use to compare the equation to the threshold.
+ enum:
+ - GT
+ - GTE
+ - LT
+ - LTE
+ type: string
+ equation:
+ description: The equation to calculate the metric.
+ type: string
+ metrics:
+ description: List of metrics with their name, aggregation type, and field.
+ items:
+ anyOf:
+ - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
+ - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric'
+ - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric'
+ discriminator:
+ mapping:
+ avg: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
+ cardinality: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
+ doc_count: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric'
+ last_value: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
+ max: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
+ min: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
+ percentile: '#/components/schemas/SLOs_timeslice_metric_percentile_metric'
+ std_deviation: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
+ sum: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
+ propertyName: aggregation
+ type: array
+ threshold:
+ description: The threshold used to determine if the metric is a good slice or not.
+ type: number
+ required:
+ - metrics
+ - equation
+ - comparator
+ - threshold
+ type: object
+ timestampField:
+ description: |
+ The timestamp field used in the source indice.
+ type: string
+ required:
+ - index
+ - timestampField
+ - metric
+ type: object
+ type:
+ description: The type of indicator.
+ type: string
+ required:
+ - type
+ - params
+ title: Timeslice metric
+ type: object
+ SLOs_kql_with_filters:
+ description: Defines properties for a filter
+ oneOf:
+ - description: the KQL query to filter the documents with.
+ type: string
+ - properties:
+ filters:
+ items:
+ $ref: '#/components/schemas/SLOs_filter'
+ type: array
+ kqlQuery:
+ type: string
+ type: object
+ title: KQL with filters
+ SLOs_kql_with_filters_good:
+ description: The KQL query used to define the good events.
+ oneOf:
+ - description: the KQL query to filter the documents with.
+ type: string
+ - properties:
+ filters:
+ items:
+ $ref: '#/components/schemas/SLOs_filter'
+ type: array
+ kqlQuery:
+ type: string
+ type: object
+ title: KQL query for good events
+ SLOs_kql_with_filters_total:
+ description: The KQL query used to define all events.
+ oneOf:
+ - description: the KQL query to filter the documents with.
+ type: string
+ - properties:
+ filters:
+ items:
+ $ref: '#/components/schemas/SLOs_filter'
+ type: array
+ kqlQuery:
+ type: string
+ type: object
+ title: KQL query for all events
+ SLOs_objective:
+ description: Defines properties for the SLO objective
+ properties:
+ target:
+ description: the target objective between 0 and 1 excluded
+ exclusiveMaximum: true
+ exclusiveMinimum: true
+ maximum: 100
+ minimum: 0
+ type: number
+ timesliceTarget:
+ description: the target objective for each slice when using a timeslices budgeting method
+ maximum: 100
+ minimum: 0
+ type: number
+ timesliceWindow:
+ description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}
+ type: string
+ required:
+ - target
+ title: Objective
+ type: object
+ SLOs_settings:
+ description: Defines properties for SLO settings.
+ properties:
+ frequency:
+ default: 1m
+ description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
+ type: string
+ preventInitialBackfill:
+ default: false
+ description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
+ type: boolean
+ syncDelay:
+ default: 1m
+ description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.
+ type: string
+ syncField:
+ description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
+ type: string
+ title: Settings
+ type: object
+ SLOs_slo_definition_response:
+ properties:
+ artifacts:
+ $ref: '#/components/schemas/SLOs_artifacts'
+ budgetingMethod:
+ $ref: '#/components/schemas/SLOs_budgeting_method'
+ createdAt:
+ description: The creation date
+ type: string
+ description:
+ description: The description of the SLO.
+ type: string
+ enabled:
+ description: Indicate if the SLO is enabled
+ type: boolean
+ groupBy:
+ $ref: '#/components/schemas/SLOs_group_by'
+ id:
+ description: The identifier of the SLO.
+ type: string
+ indicator:
+ discriminator:
+ mapping:
+ sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram'
+ sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ propertyName: type
+ oneOf:
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ name:
+ description: The name of the SLO.
+ type: string
+ objective:
+ $ref: '#/components/schemas/SLOs_objective'
+ revision:
+ description: The SLO revision
+ type: number
+ settings:
+ $ref: '#/components/schemas/SLOs_settings'
+ tags:
+ description: List of tags
+ items:
+ type: string
+ type: array
+ timeWindow:
+ $ref: '#/components/schemas/SLOs_time_window'
+ updatedAt:
+ description: The last update date
+ type: string
+ version:
+ description: The internal SLO version
+ type: number
+ required:
+ - id
+ - name
+ - description
+ - indicator
+ - timeWindow
+ - budgetingMethod
+ - objective
+ - settings
+ - revision
+ - enabled
+ - groupBy
+ - tags
+ - createdAt
+ - updatedAt
+ - version
+ title: SLO definition response
+ type: object
+ SLOs_slo_with_summary_response:
+ properties:
+ budgetingMethod:
+ $ref: '#/components/schemas/SLOs_budgeting_method'
+ createdAt:
+ description: The creation date
+ type: string
+ description:
+ description: The description of the SLO.
+ type: string
+ enabled:
+ description: Indicate if the SLO is enabled
+ type: boolean
+ groupBy:
+ $ref: '#/components/schemas/SLOs_group_by'
+ id:
+ description: The identifier of the SLO.
+ type: string
+ indicator:
+ discriminator:
+ mapping:
+ sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram'
+ sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ propertyName: type
+ oneOf:
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ instanceId:
+ description: the value derived from the groupBy field, if present, otherwise '*'
+ type: string
+ name:
+ description: The name of the SLO.
+ type: string
+ objective:
+ $ref: '#/components/schemas/SLOs_objective'
+ revision:
+ description: The SLO revision
+ type: number
+ settings:
+ $ref: '#/components/schemas/SLOs_settings'
+ summary:
+ $ref: '#/components/schemas/SLOs_summary'
+ tags:
+ description: List of tags
+ items:
+ type: string
+ type: array
+ timeWindow:
+ $ref: '#/components/schemas/SLOs_time_window'
+ updatedAt:
+ description: The last update date
+ type: string
+ version:
+ description: The internal SLO version
+ type: number
+ required:
+ - id
+ - name
+ - description
+ - indicator
+ - timeWindow
+ - budgetingMethod
+ - objective
+ - settings
+ - revision
+ - summary
+ - enabled
+ - groupBy
+ - instanceId
+ - tags
+ - createdAt
+ - updatedAt
+ - version
+ title: SLO response
+ type: object
+ SLOs_summary:
+ description: The SLO computed data
+ properties:
+ errorBudget:
+ $ref: '#/components/schemas/SLOs_error_budget'
+ sliValue:
+ type: number
+ status:
+ $ref: '#/components/schemas/SLOs_summary_status'
+ required:
+ - status
+ - sliValue
+ - errorBudget
+ title: Summary
+ type: object
+ SLOs_summary_status:
+ enum:
+ - NO_DATA
+ - HEALTHY
+ - DEGRADING
+ - VIOLATED
+ title: summary status
+ type: string
+ SLOs_time_window:
+ description: Defines properties for the SLO time window
+ properties:
+ duration:
+ description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)'
+ type: string
+ type:
+ description: Indicates weither the time window is a rolling or a calendar aligned time window.
+ enum:
+ - rolling
+ - calendarAligned
+ type: string
+ required:
+ - duration
+ - type
+ title: Time window
+ type: object
+ SLOs_timeslice_metric_basic_metric_with_field:
+ properties:
+ aggregation:
+ description: The aggregation type of the metric.
+ enum:
+ - sum
+ - avg
+ - min
+ - max
+ - std_deviation
+ - last_value
+ - cardinality
+ type: string
+ field:
+ description: The field of the metric.
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ pattern: ^[A-Z]$
+ type: string
+ required:
+ - name
+ - aggregation
+ - field
+ title: Timeslice Metric Basic Metric with Field
+ type: object
+ SLOs_timeslice_metric_doc_count_metric:
+ properties:
+ aggregation:
+ description: The aggregation type of the metric. Only valid option is "doc_count"
+ enum:
+ - doc_count
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ pattern: ^[A-Z]$
+ type: string
+ required:
+ - name
+ - aggregation
+ title: Timeslice Metric Doc Count Metric
+ type: object
+ SLOs_timeslice_metric_percentile_metric:
+ properties:
+ aggregation:
+ description: The aggregation type of the metric. Only valid option is "percentile"
+ enum:
+ - percentile
+ type: string
+ field:
+ description: The field of the metric.
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ pattern: ^[A-Z]$
+ type: string
+ percentile:
+ description: The percentile value.
+ type: number
+ required:
+ - name
+ - aggregation
+ - field
+ - percentile
+ title: Timeslice Metric Percentile Metric
+ type: object
+ SLOs_update_slo_request:
+ description: |
+ The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled.
+ properties:
+ artifacts:
+ $ref: '#/components/schemas/SLOs_artifacts'
+ budgetingMethod:
+ $ref: '#/components/schemas/SLOs_budgeting_method'
+ description:
+ description: A description for the SLO.
+ type: string
+ groupBy:
+ $ref: '#/components/schemas/SLOs_group_by'
+ indicator:
+ oneOf:
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ name:
+ description: A name for the SLO.
+ type: string
+ objective:
+ $ref: '#/components/schemas/SLOs_objective'
+ settings:
+ $ref: '#/components/schemas/SLOs_settings'
+ tags:
+ description: List of tags
+ items:
+ type: string
+ type: array
+ timeWindow:
+ $ref: '#/components/schemas/SLOs_time_window'
+ title: Update SLO request
+ type: object
+ Saved_objects_400_response:
+ properties:
+ error:
+ enum:
+ - Bad Request
+ type: string
+ message:
+ type: string
+ statusCode:
+ enum:
+ - 400
+ type: integer
+ required:
+ - error
+ - message
+ - statusCode
+ title: Bad request
+ type: object
+ Saved_objects_attributes:
+ description: |
+ The data that you want to create. WARNING: When you create saved objects, attributes are not validated, which allows you to pass arbitrary and ill-formed data into the API that can break Kibana. Make sure any data that you send to the API is properly formed.
+ type: object
+ Saved_objects_initial_namespaces:
+ description: |
+ Identifiers for the spaces in which this object is created. If this is provided, the object is created only in the explicitly defined spaces. If this is not provided, the object is created in the current space (default behavior). For shareable object types (registered with `namespaceType: 'multiple'`), this option can be used to specify one or more spaces, including the "All spaces" identifier ('*'). For isolated object types (registered with `namespaceType: 'single'` or `namespaceType: 'multiple-isolated'`), this option can only be used to specify a single space, and the "All spaces" identifier ('*') is not allowed. For global object types (`registered with `namespaceType: agnostic`), this option cannot be used.
+ type: array
+ Saved_objects_references:
+ description: |
+ Objects with `name`, `id`, and `type` properties that describe the other saved objects that this object references. Use `name` in attributes to refer to the other saved object, but never the `id`, which can update automatically during migrations or import and export.
+ type: array
+ Security_AI_Assistant_API_AnonymizationFieldCreateProps:
+ properties:
+ allowed:
+ description: Whether this field is allowed to be sent to the model.
+ type: boolean
+ anonymized:
+ description: Whether this field should be anonymized.
+ type: boolean
+ field:
+ description: Name of the anonymization field to create.
+ type: string
+ required:
+ - field
+ type: object
+ Security_AI_Assistant_API_AnonymizationFieldDetailsInError:
+ properties:
+ id:
+ description: The ID of the anonymization field.
+ type: string
+ name:
+ description: Name of the anonymization field.
+ type: string
+ required:
+ - id
+ type: object
+ Security_AI_Assistant_API_AnonymizationFieldResponse:
+ properties:
+ allowed:
+ description: Whether this field is allowed to be sent to the model.
+ type: boolean
+ anonymized:
+ description: Whether this field should be anonymized.
+ type: boolean
+ createdAt:
+ description: Timestamp of when the anonymization field was created.
+ type: string
+ createdBy:
+ description: Username of the person who created the anonymization field.
+ type: string
+ field:
+ description: Name of the anonymization field.
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ description: The ID of the anonymization field.
+ namespace:
+ description: Kibana space in which this anonymization field exists.
+ type: string
+ timestamp:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
+ description: Timestamp when the anonymization field was initially created.
+ updatedAt:
+ description: Timestamp of the last update.
+ type: string
+ updatedBy:
+ description: Username of the person who last updated the field.
+ type: string
+ required:
+ - id
+ - field
+ type: object
+ Security_AI_Assistant_API_AnonymizationFieldUpdateProps:
+ properties:
+ allowed:
+ description: Whether this field is allowed to be sent to the model.
+ type: boolean
+ anonymized:
+ description: Whether this field should be anonymized.
+ type: boolean
+ id:
+ description: The ID of the anonymization field to update.
+ type: string
+ required:
+ - id
+ type: object
+ Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason:
+ description: Reason why the anonymization field was not modified.
+ enum:
+ - ANONYMIZATION_FIELD_NOT_MODIFIED
+ type: string
+ Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult:
+ properties:
+ id:
+ description: The ID of the anonymization field that was not modified.
+ type: string
+ name:
+ description: Name of the anonymization field that was not modified.
+ type: string
+ skip_reason:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason'
+ description: Reason why the anonymization field was not modified.
+ required:
+ - id
+ - skip_reason
+ type: object
+ Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse:
+ properties:
+ anonymization_fields_count:
+ description: Total number of anonymization fields processed.
+ type: integer
+ attributes:
+ properties:
+ errors:
+ description: List of errors that occurred during the bulk operation.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError'
+ type: array
+ results:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults'
+ summary:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
+ required:
+ - results
+ - summary
+ type: object
+ message:
+ description: Message providing information about the bulk action result.
+ type: string
+ status_code:
+ description: HTTP status code returned.
+ type: integer
+ success:
+ description: Indicates if the bulk action was successful.
+ type: boolean
+ required:
+ - attributes
+ type: object
+ Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults:
+ properties:
+ created:
+ description: List of anonymization fields successfully created.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
+ type: array
+ deleted:
+ items:
+ description: Array of IDs of anonymization fields that were deleted.
+ type: string
+ type: array
+ skipped:
+ description: List of anonymization fields that were skipped during the operation.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult'
+ type: array
+ updated:
+ description: List of anonymization fields successfully updated.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
+ type: array
+ required:
+ - updated
+ - created
+ - deleted
+ - skipped
+ type: object
+ Security_AI_Assistant_API_ApiConfig:
+ properties:
+ actionTypeId:
+ description: Action type ID
+ type: string
+ connectorId:
+ description: Connector ID
+ type: string
+ defaultSystemPromptId:
+ description: Default system prompt ID
+ type: string
+ model:
+ description: Model
+ type: string
+ provider:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Provider'
+ description: Provider
+ required:
+ - connectorId
+ - actionTypeId
+ type: object
+ Security_AI_Assistant_API_BaseContentReference:
+ description: The basis of a content reference
+ properties:
+ id:
+ description: Id of the content reference
+ type: string
+ type:
+ description: Type of the content reference
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ Security_AI_Assistant_API_BaseInterruptResumeValue:
+ description: The basis of an interrupt resume value
+ properties:
+ type:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptType'
+ description: Type of the resume value
+ required:
+ - type
+ type: object
+ Security_AI_Assistant_API_BaseInterruptValue:
+ description: The basis of an agent interrupt
+ properties:
+ expired:
+ description: Whether the interrupt has expired and can no longer be resumed.
+ type: boolean
+ threadId:
+ description: Thread ID of the graph execution that produced this message.
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptType'
+ description: Type of the interrupt
+ required:
+ - type
+ - threadId
+ type: object
+ Security_AI_Assistant_API_BulkCrudActionSummary:
+ properties:
+ failed:
+ description: The number of failed actions.
+ type: integer
+ skipped:
+ description: The number of skipped actions.
+ type: integer
+ succeeded:
+ description: The number of successfully performed actions.
+ type: integer
+ total:
+ description: The total number of actions attempted.
+ type: integer
+ required:
+ - failed
+ - skipped
+ - succeeded
+ - total
+ type: object
+ Security_AI_Assistant_API_ChatCompleteProps:
+ description: The request payload for creating a chat completion.
+ properties:
+ connectorId:
+ description: Required connector identifier to route the request.
+ type: string
+ conversationId:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ description: Existing conversation ID to continue.
+ isStream:
+ description: If true, the response will be streamed in chunks.
+ type: boolean
+ langSmithApiKey:
+ description: API key for LangSmith integration.
+ type: string
+ langSmithProject:
+ description: LangSmith project name for tracing.
+ type: string
+ messages:
+ description: List of chat messages exchanged so far.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage'
+ type: array
+ model:
+ description: Model ID or name to use for the response.
+ type: string
+ persist:
+ description: Whether to persist the chat and response to storage.
+ type: boolean
+ promptId:
+ description: Prompt template identifier.
+ type: string
+ responseLanguage:
+ description: ISO language code for the assistant's response.
+ type: string
+ required:
+ - messages
+ - persist
+ - connectorId
+ type: object
+ Security_AI_Assistant_API_ChatMessage:
+ description: A message exchanged within the AI chat conversation.
+ properties:
+ content:
+ description: The textual content of the message.
+ type: string
+ data:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData'
+ description: Metadata to attach to the context of the message.
+ fields_to_anonymize:
+ description: List of field names within the data object that should be anonymized.
+ items:
+ type: string
+ type: array
+ role:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole'
+ description: The sender role of the message.
+ required:
+ - role
+ type: object
+ Security_AI_Assistant_API_ChatMessageRole:
+ description: The role associated with the message in the chat.
+ enum:
+ - system
+ - user
+ - assistant
+ type: string
+ Security_AI_Assistant_API_ContentReferences:
+ additionalProperties:
+ oneOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryContentReference'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertContentReference'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_SecurityAlertsPageContentReference'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_ProductDocumentationContentReference'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_EsqlContentReference'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_HrefContentReference'
+ additionalProperties: false
+ description: A union of all content reference types
+ type: object
+ Security_AI_Assistant_API_ConversationCategory:
+ description: The conversation category.
+ enum:
+ - assistant
+ - insights
+ type: string
+ Security_AI_Assistant_API_ConversationCreateProps:
+ properties:
+ apiConfig:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
+ description: LLM API configuration.
+ category:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
+ description: The conversation category.
+ excludeFromLastConversationStorage:
+ description: Exclude from last conversation storage.
+ type: boolean
+ id:
+ description: The conversation id.
+ type: string
+ messages:
+ description: The conversation messages.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Message'
+ type: array
+ replacements:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
+ title:
+ description: The conversation title.
+ type: string
+ required:
+ - title
+ type: object
+ Security_AI_Assistant_API_ConversationResponse:
+ properties:
+ apiConfig:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
+ description: LLM API configuration.
+ category:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
+ description: The conversation category.
+ createdAt:
+ description: The time conversation was created.
+ type: string
+ createdBy:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ description: The user who created the conversation.
+ excludeFromLastConversationStorage:
+ description: Exclude from last conversation storage.
+ type: boolean
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ messages:
+ description: The conversation messages.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Message'
+ type: array
+ namespace:
+ description: Kibana space
+ type: string
+ replacements:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
+ timestamp:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
+ title:
+ description: The conversation title.
+ type: string
+ updatedAt:
+ description: The last time conversation was updated.
+ type: string
+ users:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - id
+ - title
+ - createdAt
+ - createdBy
+ - users
+ - namespace
+ - category
+ type: object
+ Security_AI_Assistant_API_ConversationUpdateProps:
+ properties:
+ apiConfig:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
+ description: LLM API configuration.
+ category:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
+ description: The conversation category.
+ excludeFromLastConversationStorage:
+ description: Exclude from last conversation storage.
+ type: boolean
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ messages:
+ description: The conversation messages.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Message'
+ type: array
+ replacements:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
+ title:
+ description: The conversation title.
+ type: string
+ users:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - id
+ type: object
+ Security_AI_Assistant_API_DeleteResponseFields:
+ properties:
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ required:
+ - id
+ type: object
+ Security_AI_Assistant_API_DocumentEntry:
+ allOf:
+ - properties:
+ global:
+ description: Whether this Knowledge Base Entry is global, defaults to false.
+ type: boolean
+ name:
+ description: Name of the Knowledge Base Entry.
+ type: string
+ namespace:
+ description: Kibana Space, defaults to 'default' space.
+ type: string
+ users:
+ description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - name
+ - namespace
+ - global
+ - users
+ type: object
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryResponseFields'
+ Security_AI_Assistant_API_DocumentEntryCreateFields:
+ allOf:
+ - properties:
+ global:
+ description: Whether this Knowledge Base Entry is global, defaults to false.
+ type: boolean
+ name:
+ description: Name of the Knowledge Base Entry.
+ type: string
+ namespace:
+ description: Kibana Space, defaults to 'default' space.
+ type: string
+ users:
+ description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - name
+ type: object
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields'
+ Security_AI_Assistant_API_DocumentEntryOptionalFields:
+ properties:
+ required:
+ description: Whether this resource should always be included, defaults to false.
+ type: boolean
+ vector:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Vector'
+ type: object
+ Security_AI_Assistant_API_DocumentEntryRequiredFields:
+ properties:
+ kbResource:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseResource'
+ source:
+ description: Source document name or filepath.
+ type: string
+ text:
+ description: Knowledge Base Entry content.
+ type: string
+ type:
+ description: Entry type.
+ enum:
+ - document
+ type: string
+ required:
+ - type
+ - kbResource
+ - source
+ - text
+ type: object
+ Security_AI_Assistant_API_DocumentEntryResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryRequiredFields'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryOptionalFields'
+ Security_AI_Assistant_API_DocumentEntryUpdateFields:
+ allOf:
+ - properties:
+ global:
+ description: Whether this Knowledge Base Entry is global, defaults to false.
+ type: boolean
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ name:
+ description: Name of the Knowledge Base Entry.
+ type: string
+ namespace:
+ description: Kibana Space, defaults to 'default' space.
+ type: string
+ users:
+ description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - id
+ type: object
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
+ Security_AI_Assistant_API_EsqlContentReference:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
+ - properties:
+ label:
+ description: Label of the query
+ type: string
+ query:
+ description: An ESQL query
+ type: string
+ timerange:
+ description: Time range to select in the time picker.
+ properties:
+ from:
+ type: string
+ to:
+ type: string
+ required:
+ - from
+ - to
+ type: object
+ type:
+ enum:
+ - EsqlQuery
+ type: string
+ required:
+ - type
+ - query
+ - label
+ type: object
+ description: References an ESQL query
+ Security_AI_Assistant_API_FindAnonymizationFieldsSortField:
+ enum:
+ - created_at
+ - anonymized
+ - allowed
+ - field
+ - updated_at
+ type: string
+ Security_AI_Assistant_API_FindConversationsSortField:
+ description: The field by which to sort the conversations. Possible values are `created_at`, `title`, and `updated_at`.
+ enum:
+ - created_at
+ - title
+ - updated_at
+ type: string
+ Security_AI_Assistant_API_FindKnowledgeBaseEntriesSortField:
+ description: Fields available for sorting Knowledge Base Entries.
+ enum:
+ - created_at
+ - is_default
+ - title
+ - updated_at
+ type: string
+ Security_AI_Assistant_API_FindPromptsSortField:
+ description: Field by which to sort the prompts.
+ enum:
+ - created_at
+ - is_default
+ - name
+ - updated_at
+ type: string
+ Security_AI_Assistant_API_HrefContentReference:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
+ - properties:
+ href:
+ description: URL to the external resource
+ type: string
+ label:
+ description: Label of the query
+ type: string
+ type:
+ enum:
+ - Href
+ type: string
+ required:
+ - type
+ - href
+ type: object
+ description: References an external URL
+ Security_AI_Assistant_API_IndexEntry:
+ allOf:
+ - properties:
+ global:
+ description: Whether this Knowledge Base Entry is global, defaults to false.
+ type: boolean
+ name:
+ description: Name of the Knowledge Base Entry.
+ type: string
+ namespace:
+ description: Kibana Space, defaults to 'default' space.
+ type: string
+ users:
+ description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - name
+ - namespace
+ - global
+ - users
+ type: object
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryResponseFields'
+ Security_AI_Assistant_API_IndexEntryCreateFields:
+ allOf:
+ - properties:
+ global:
+ description: Whether this Knowledge Base Entry is global, defaults to false.
+ type: boolean
+ name:
+ description: Name of the Knowledge Base Entry.
+ type: string
+ namespace:
+ description: Kibana Space, defaults to 'default' space.
+ type: string
+ users:
+ description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - name
+ type: object
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields'
+ Security_AI_Assistant_API_IndexEntryOptionalFields:
+ properties:
+ inputSchema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_InputSchema'
+ outputFields:
+ description: Fields to extract from the query result, defaults to all fields if not provided or empty.
+ items:
+ type: string
+ type: array
+ type: object
+ Security_AI_Assistant_API_IndexEntryRequiredFields:
+ properties:
+ description:
+ description: Description for when this index or data stream should be queried for Knowledge Base content. Passed to the LLM as a tool description.
+ type: string
+ field:
+ description: Field to query for Knowledge Base content.
+ type: string
+ index:
+ description: Index or Data Stream to query for Knowledge Base content.
+ type: string
+ queryDescription:
+ description: Description of query field used to fetch Knowledge Base content. Passed to the LLM as part of the tool input schema.
+ type: string
+ type:
+ description: Entry type.
+ enum:
+ - index
+ type: string
+ required:
+ - type
+ - index
+ - field
+ - description
+ - queryDescription
+ type: object
+ Security_AI_Assistant_API_IndexEntryResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryRequiredFields'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryOptionalFields'
+ Security_AI_Assistant_API_IndexEntryUpdateFields:
+ allOf:
+ - properties:
+ global:
+ description: Whether this Knowledge Base Entry is global, defaults to false.
+ type: boolean
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ name:
+ description: Name of the Knowledge Base Entry.
+ type: string
+ namespace:
+ description: Kibana Space, defaults to 'default' space.
+ type: string
+ users:
+ description: Users who have access to the Knowledge Base Entry, defaults to current user. Empty array provides access to all users.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - id
+ type: object
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
+ Security_AI_Assistant_API_InputSchema:
+ description: Array of objects defining the input schema, allowing the LLM to extract structured data to be used in retrieval.
+ items:
+ properties:
+ description:
+ description: Description of the field.
+ type: string
+ fieldName:
+ description: Name of the field.
+ type: string
+ fieldType:
+ description: Type of the field.
+ type: string
+ required:
+ - fieldName
+ - fieldType
+ - description
+ type: object
+ type: array
+ Security_AI_Assistant_API_InputTextInterruptResumeValue:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue'
+ - properties:
+ type:
+ enum:
+ - INPUT_TEXT
+ type: string
+ value:
+ description: Text value used to resume the graph execution with.
+ type: string
+ required:
+ - value
+ - type
+ type: object
+ description: A resume value for input text
+ Security_AI_Assistant_API_InputTextInterruptValue:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue'
+ - properties:
+ description:
+ description: Description of action required
+ type: string
+ placeholder:
+ description: Placeholder text for the input field
+ type: string
+ type:
+ enum:
+ - INPUT_TEXT
+ type: string
+ required:
+ - type
+ type: object
+ description: Interrupt that requests user to provide text input
+ Security_AI_Assistant_API_InterruptResumeValue:
+ description: Union of the interrupt resume values
+ oneOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptResumeValue'
+ additionalProperties: false
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptResumeValue'
+ additionalProperties: false
+ Security_AI_Assistant_API_InterruptType:
+ description: The type of interrupt
+ enum:
+ - SELECT_OPTION
+ - INPUT_TEXT
+ type: string
+ Security_AI_Assistant_API_InterruptValue:
+ description: Union of the interrupt values
+ oneOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptValue'
+ additionalProperties: false
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_InputTextInterruptValue'
+ additionalProperties: false
+ Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason:
+ description: Reason why a Knowledge Base Entry was skipped during the bulk action.
+ enum:
+ - KNOWLEDGE_BASE_ENTRY_NOT_MODIFIED
+ type: string
+ Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult:
+ properties:
+ id:
+ description: ID of the skipped Knowledge Base Entry.
+ type: string
+ name:
+ description: Name of the skipped Knowledge Base Entry.
+ type: string
+ skip_reason:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipReason'
+ required:
+ - id
+ - skip_reason
+ type: object
+ Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResponse:
+ properties:
+ attributes:
+ properties:
+ errors:
+ description: List of errors encountered during the bulk action.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError'
+ type: array
+ results:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults'
+ summary:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary'
+ required:
+ - results
+ - summary
+ type: object
+ knowledgeBaseEntriesCount:
+ description: Total number of Knowledge Base Entries processed.
+ type: integer
+ message:
+ description: Message describing the result of the bulk action.
+ type: string
+ statusCode:
+ description: HTTP status code of the response.
+ type: integer
+ success:
+ description: Indicates whether the bulk action was successful.
+ type: boolean
+ required:
+ - attributes
+ type: object
+ Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionResults:
+ properties:
+ created:
+ description: List of Knowledge Base Entries that were successfully created.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ type: array
+ deleted:
+ description: List of IDs of Knowledge Base Entries that were successfully deleted.
+ items:
+ type: string
+ type: array
+ skipped:
+ description: List of Knowledge Base Entries that were skipped during the bulk action.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryBulkActionSkipResult'
+ type: array
+ updated:
+ description: List of Knowledge Base Entries that were successfully updated.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryResponse'
+ type: array
+ required:
+ - updated
+ - created
+ - deleted
+ - skipped
+ type: object
+ Security_AI_Assistant_API_KnowledgeBaseEntryBulkCrudActionSummary:
+ properties:
+ failed:
+ description: Number of Knowledge Base Entries that failed during the bulk action.
+ type: integer
+ skipped:
+ description: Number of Knowledge Base Entries that were skipped during the bulk action.
+ type: integer
+ succeeded:
+ description: Number of Knowledge Base Entries that were successfully processed during the bulk action.
+ type: integer
+ total:
+ description: Total number of Knowledge Base Entries involved in the bulk action.
+ type: integer
+ required:
+ - failed
+ - skipped
+ - succeeded
+ - total
+ type: object
+ Security_AI_Assistant_API_KnowledgeBaseEntryContentReference:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
+ - properties:
+ knowledgeBaseEntryId:
+ description: Id of the Knowledge Base Entry
+ type: string
+ knowledgeBaseEntryName:
+ description: Name of the knowledge base entry
+ type: string
+ type:
+ enum:
+ - KnowledgeBaseEntry
+ type: string
+ required:
+ - type
+ - knowledgeBaseEntryId
+ - knowledgeBaseEntryName
+ type: object
+ description: References a knowledge base entry
+ Security_AI_Assistant_API_KnowledgeBaseEntryCreateProps:
+ anyOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
+ Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError:
+ properties:
+ id:
+ description: ID of the Knowledge Base Entry that encountered an error.
+ type: string
+ name:
+ description: Name of the Knowledge Base Entry that encountered an error.
+ type: string
+ required:
+ - id
+ type: object
+ Security_AI_Assistant_API_KnowledgeBaseEntryErrorSchema:
+ additionalProperties: false
+ properties:
+ error:
+ description: Error type or category.
+ type: string
+ message:
+ description: Detailed error message.
+ type: string
+ statusCode:
+ description: HTTP status code of the error.
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ type: object
+ Security_AI_Assistant_API_KnowledgeBaseEntryResponse:
+ anyOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntry'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntry'
+ Security_AI_Assistant_API_KnowledgeBaseEntryUpdateProps:
+ anyOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryUpdateFields'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryUpdateFields'
+ Security_AI_Assistant_API_KnowledgeBaseEntryUpdateRouteProps:
+ anyOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_DocumentEntryCreateFields'
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_IndexEntryCreateFields'
+ Security_AI_Assistant_API_KnowledgeBaseResource:
+ description: Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc.
+ enum:
+ - security_labs
+ - defend_insights
+ - user
+ type: string
+ Security_AI_Assistant_API_KnowledgeBaseResponse:
+ description: AI assistant KnowledgeBase.
+ properties:
+ success:
+ description: Identify the success of the method execution.
+ type: boolean
+ type: object
+ Security_AI_Assistant_API_Message:
+ description: AI assistant conversation message.
+ properties:
+ content:
+ description: Message content.
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ description: Message id
+ isError:
+ description: Is error message.
+ type: boolean
+ metadata:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_MessageMetadata'
+ description: Metadata
+ reader:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Reader'
+ description: Message content.
+ role:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole'
+ description: Message role.
+ timestamp:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
+ description: The timestamp message was sent or received.
+ traceData:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData'
+ description: Trace data
+ user:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ description: The user who sent the message.
+ required:
+ - timestamp
+ - content
+ - role
+ type: object
+ Security_AI_Assistant_API_MessageData:
+ additionalProperties: true
+ description: ECS-style metadata attached to the message.
+ type: object
+ Security_AI_Assistant_API_MessageMetadata:
+ description: Message metadata
+ properties:
+ contentReferences:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ContentReferences'
+ description: Data referred to by the message content.
+ interruptResumeValue:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptResumeValue'
+ description: When the agent is resumed after an interrupt, this field is populated with the details of the resume value.
+ interruptValue:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_InterruptValue'
+ description: When the agent is interrupted (for example, when user input is required), this field is populated with the details of the interrupt. Messages containing interruptValues in the metadata are excluded from the LLM context.
+ type: object
+ Security_AI_Assistant_API_MessageRole:
+ description: Message role.
+ enum:
+ - system
+ - user
+ - assistant
+ type: string
+ Security_AI_Assistant_API_NonEmptyString:
+ description: A string that does not contain only whitespace characters.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_AI_Assistant_API_NonEmptyTimestamp:
+ description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_AI_Assistant_API_NormalizedAnonymizationFieldError:
+ properties:
+ anonymization_fields:
+ description: Array of anonymization fields that caused the error.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError'
+ type: array
+ err_code:
+ description: Error code indicating the type of failure.
+ type: string
+ message:
+ description: Error message.
+ type: string
+ status_code:
+ description: Status code of the response.
+ type: integer
+ required:
+ - message
+ - status_code
+ - anonymization_fields
+ type: object
+ Security_AI_Assistant_API_NormalizedKnowledgeBaseEntryError:
+ properties:
+ err_code:
+ description: Specific error code for the issue.
+ type: string
+ knowledgeBaseEntries:
+ description: List of Knowledge Base Entries that encountered the error.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_KnowledgeBaseEntryDetailsInError'
+ type: array
+ message:
+ description: Error message describing the issue.
+ type: string
+ statusCode:
+ description: HTTP status code associated with the error.
+ type: integer
+ required:
+ - message
+ - statusCode
+ - knowledgeBaseEntries
+ type: object
+ Security_AI_Assistant_API_NormalizedPromptError:
+ properties:
+ err_code:
+ description: A code representing the error type.
+ type: string
+ message:
+ description: A message describing the error encountered.
+ type: string
+ prompts:
+ description: List of prompts that encountered errors.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError'
+ type: array
+ status_code:
+ description: The HTTP status code associated with the error.
+ type: integer
+ required:
+ - message
+ - status_code
+ - prompts
+ type: object
+ Security_AI_Assistant_API_ProductDocumentationContentReference:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
+ - properties:
+ title:
+ description: Title of the documentation
+ type: string
+ type:
+ enum:
+ - ProductDocumentation
+ type: string
+ url:
+ description: URL to the documentation
+ type: string
+ required:
+ - type
+ - title
+ - url
+ type: object
+ description: References the product documentation
+ Security_AI_Assistant_API_PromptCreateProps:
+ properties:
+ categories:
+ description: List of categories for the prompt.
+ items:
+ type: string
+ type: array
+ color:
+ description: The color associated with the prompt.
+ type: string
+ consumer:
+ description: The consumer associated with the prompt.
+ type: string
+ content:
+ description: The content of the prompt.
+ type: string
+ isDefault:
+ description: Whether this prompt should be the default.
+ type: boolean
+ isNewConversationDefault:
+ description: Whether this prompt should be the default for new conversations.
+ type: boolean
+ name:
+ description: The name of the prompt.
+ type: string
+ promptType:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType'
+ description: The type of the prompt.
+ required:
+ - name
+ - content
+ - promptType
+ type: object
+ Security_AI_Assistant_API_PromptDetailsInError:
+ properties:
+ id:
+ description: The ID of the prompt that encountered an error.
+ type: string
+ name:
+ description: The name of the prompt that encountered an error.
+ type: string
+ required:
+ - id
+ type: object
+ Security_AI_Assistant_API_PromptResponse:
+ properties:
+ categories:
+ description: Categories associated with the prompt.
+ items:
+ type: string
+ type: array
+ color:
+ description: The color associated with the prompt.
+ type: string
+ consumer:
+ description: The consumer that the prompt is associated with.
+ type: string
+ content:
+ description: The content of the prompt.
+ type: string
+ createdAt:
+ description: The timestamp of when the prompt was created.
+ type: string
+ createdBy:
+ description: The user who created the prompt.
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ isDefault:
+ description: Whether this prompt is the default.
+ type: boolean
+ isNewConversationDefault:
+ description: Whether this prompt is the default for new conversations.
+ type: boolean
+ name:
+ description: The name of the prompt.
+ type: string
+ namespace:
+ description: Kibana space where the prompt is located.
+ type: string
+ promptType:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType'
+ description: The type of the prompt.
+ timestamp:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyTimestamp'
+ updatedAt:
+ description: The timestamp of when the prompt was last updated.
+ type: string
+ updatedBy:
+ description: The user who last updated the prompt.
+ type: string
+ users:
+ description: List of users associated with the prompt.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - id
+ - name
+ - promptType
+ - content
+ type: object
+ Security_AI_Assistant_API_PromptType:
+ description: Type of the prompt (either system or quick).
+ enum:
+ - system
+ - quick
+ type: string
+ Security_AI_Assistant_API_PromptUpdateProps:
+ properties:
+ categories:
+ description: The updated categories for the prompt.
+ items:
+ type: string
+ type: array
+ color:
+ description: The updated color associated with the prompt.
+ type: string
+ consumer:
+ description: The updated consumer for the prompt.
+ type: string
+ content:
+ description: The updated content for the prompt.
+ type: string
+ id:
+ description: The ID of the prompt to update.
+ type: string
+ isDefault:
+ description: Whether this prompt should be the default.
+ type: boolean
+ isNewConversationDefault:
+ description: Whether the prompt should be the default for new conversations.
+ type: boolean
+ required:
+ - id
+ type: object
+ Security_AI_Assistant_API_PromptsBulkActionSkipReason:
+ description: Reason why a prompt was skipped during the bulk action.
+ enum:
+ - PROMPT_FIELD_NOT_MODIFIED
+ type: string
+ Security_AI_Assistant_API_PromptsBulkActionSkipResult:
+ properties:
+ id:
+ description: The ID of the prompt that was skipped.
+ type: string
+ name:
+ description: The name of the prompt that was skipped.
+ type: string
+ skip_reason:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason'
+ description: The reason for skipping the prompt.
+ required:
+ - id
+ - skip_reason
+ type: object
+ Security_AI_Assistant_API_PromptsBulkCrudActionResponse:
+ properties:
+ attributes:
+ properties:
+ errors:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError'
+ type: array
+ results:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults'
+ summary:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
+ required:
+ - results
+ - summary
+ type: object
+ message:
+ description: A message describing the result of the bulk action.
+ type: string
+ prompts_count:
+ description: The number of prompts processed in the bulk action.
+ type: integer
+ status_code:
+ description: The HTTP status code of the response.
+ type: integer
+ success:
+ description: Indicates if the bulk action was successful.
+ type: boolean
+ required:
+ - attributes
+ type: object
+ Security_AI_Assistant_API_PromptsBulkCrudActionResults:
+ properties:
+ created:
+ description: List of prompts that were created.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
+ type: array
+ deleted:
+ description: List of IDs of prompts that were deleted.
+ items:
+ type: string
+ type: array
+ skipped:
+ description: List of prompts that were skipped.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult'
+ type: array
+ updated:
+ description: List of prompts that were updated.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
+ type: array
+ required:
+ - updated
+ - created
+ - deleted
+ - skipped
+ type: object
+ Security_AI_Assistant_API_Provider:
+ description: Provider
+ enum:
+ - OpenAI
+ - Azure OpenAI
+ - Other
+ type: string
+ Security_AI_Assistant_API_Reader:
+ additionalProperties: true
+ type: object
+ Security_AI_Assistant_API_Replacements:
+ additionalProperties:
+ type: string
+ description: Replacements object used to anonymize/deanonymize messages
+ type: object
+ Security_AI_Assistant_API_ResponseFields:
+ properties:
+ createdAt:
+ description: Time the Knowledge Base Entry was created.
+ type: string
+ createdBy:
+ description: User who created the Knowledge Base Entry.
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ updatedAt:
+ description: Time the Knowledge Base Entry was last updated.
+ type: string
+ updatedBy:
+ description: User who last updated the Knowledge Base Entry.
+ type: string
+ required:
+ - id
+ - createdAt
+ - createdBy
+ - updatedAt
+ - updatedBy
+ type: object
+ Security_AI_Assistant_API_SecurityAlertContentReference:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
+ - properties:
+ alertId:
+ description: ID of the Alert
+ type: string
+ type:
+ enum:
+ - SecurityAlert
+ type: string
+ required:
+ - type
+ - alertId
+ type: object
+ description: References a security alert
+ Security_AI_Assistant_API_SecurityAlertsPageContentReference:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseContentReference'
+ - properties:
+ type:
+ enum:
+ - SecurityAlertsPage
+ type: string
+ required:
+ - type
+ type: object
+ description: References the security alerts page
+ Security_AI_Assistant_API_SelectOptionInterruptOption:
+ description: A request approval option
+ properties:
+ buttonColor:
+ enum:
+ - text
+ - accent
+ - accentSecondary
+ - primary
+ - success
+ - warning
+ - danger
+ - neutral
+ - risk
+ type: string
+ label:
+ type: string
+ value:
+ type: string
+ required:
+ - label
+ - value
+ type: object
+ Security_AI_Assistant_API_SelectOptionInterruptResumeValue:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptResumeValue'
+ - properties:
+ type:
+ enum:
+ - SELECT_OPTION
+ type: string
+ value:
+ description: The value of the selected option to resume the graph execution with
+ type: string
+ required:
+ - value
+ - type
+ type: object
+ description: A request approval resume schema
+ Security_AI_Assistant_API_SelectOptionInterruptValue:
+ allOf:
+ - $ref: '#/components/schemas/Security_AI_Assistant_API_BaseInterruptValue'
+ - properties:
+ description:
+ description: Description of action required
+ type: string
+ options:
+ description: List of actions to choose from
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_SelectOptionInterruptOption'
+ type: array
+ type:
+ enum:
+ - SELECT_OPTION
+ type: string
+ required:
+ - type
+ - description
+ - options
+ type: object
+ description: Interrupt that requests user to select one of the provided options
+ Security_AI_Assistant_API_SortOrder:
+ description: The order in which results are sorted.
+ enum:
+ - asc
+ - desc
+ type: string
+ Security_AI_Assistant_API_TraceData:
+ description: Trace Data
+ properties:
+ traceId:
+ description: Could be any string, not necessarily a UUID
+ type: string
+ transactionId:
+ description: Could be any string, not necessarily a UUID
+ type: string
+ type: object
+ Security_AI_Assistant_API_User:
+ description: Could be any string, not necessarily a UUID.
+ properties:
+ id:
+ description: User id.
+ type: string
+ name:
+ description: User name.
+ type: string
+ type: object
+ Security_AI_Assistant_API_Vector:
+ description: Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings.
+ properties:
+ modelId:
+ description: ID of the model used to create the embeddings.
+ type: string
+ tokens:
+ additionalProperties:
+ type: number
+ description: Tokens with their corresponding values.
+ type: object
+ required:
+ - modelId
+ - tokens
+ type: object
+ Security_Attack_discovery_API_AnonymizationFieldResponse:
+ properties:
+ allowed:
+ description: Whether this field is allowed to be sent to the model.
+ type: boolean
+ anonymized:
+ description: Whether this field should be anonymized.
+ type: boolean
+ createdAt:
+ description: Timestamp of when the anonymization field was created.
+ type: string
+ createdBy:
+ description: Username of the person who created the anonymization field.
+ type: string
+ field:
+ description: Name of the anonymization field.
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
+ description: The ID of the anonymization field.
+ namespace:
+ description: Kibana space in which this anonymization field exists.
+ type: string
+ timestamp:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp'
+ description: Timestamp when the anonymization field was initially created.
+ updatedAt:
+ description: Timestamp of the last update.
+ type: string
+ updatedBy:
+ description: Username of the person who last updated the field.
+ type: string
+ required:
+ - id
+ - field
+ type: object
+ Security_Attack_discovery_API_ApiConfig:
+ properties:
+ actionTypeId:
+ description: Action type ID
+ type: string
+ connectorId:
+ description: Connector ID
+ type: string
+ defaultSystemPromptId:
+ description: Default system prompt ID
+ type: string
+ model:
+ description: Model
+ type: string
+ provider:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_Provider'
+ description: Provider
+ required:
+ - connectorId
+ - actionTypeId
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiAlert:
+ description: An attack discovery that's also an alert (Public API with snake_case)
+ properties:
+ alert_ids:
+ description: The alert IDs that the attack discovery is based on
+ items:
+ type: string
+ type: array
+ alert_rule_uuid:
+ description: The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hock runs)
+ type: string
+ alert_start:
+ description: The optional time the attack discovery alert was created
+ type: string
+ alert_updated_at:
+ description: The optional time the attack discovery alert was last updated
+ type: string
+ alert_updated_by_user_id:
+ description: The optional id of the user who last updated the attack discovery alert
+ type: string
+ alert_updated_by_user_name:
+ description: The optional username of the user who updated the attack discovery alert
+ type: string
+ alert_workflow_status:
+ description: The optional kibana.alert.workflow_status of this attack discovery
+ type: string
+ alert_workflow_status_updated_at:
+ description: The optional time the attack discovery alert workflow status was last updated
+ type: string
+ connector_id:
+ description: The ID of the connector that generated the attack discovery
+ type: string
+ connector_name:
+ description: The (human readable) name of the connector that generated the attack discovery
+ type: string
+ details_markdown:
+ description: Details of the attack with bulleted markdown that always uses special syntax for field names and values from the source data.
+ type: string
+ entity_summary_markdown:
+ description: An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax
+ type: string
+ generation_uuid:
+ description: The generation ID of the run that created the attack discovery
+ type: string
+ id:
+ description: The unique ID of the attack discovery
+ type: string
+ mitre_attack_tactics:
+ description: An optional array of MITRE ATT&CK tactic for the attack discovery
+ items:
+ type: string
+ type: array
+ replacements:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements'
+ description: Key-value pairs that are used to replace placeholders in the markdown fields
+ risk_score:
+ description: The optional, (but typically populated after generation) risk score of the alert
+ type: integer
+ summary_markdown:
+ description: A markdown summary of attack discovery, using the same syntax
+ type: string
+ timestamp:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyTimestamp'
+ description: The time the attack discovery was generated
+ title:
+ description: A title for the attack discovery, in plain text
+ type: string
+ user_id:
+ description: The optional id of the user who generated the attack discovery
+ type: string
+ user_name:
+ description: The optional username of the user who generated the attack discovery, (not applicable to attack discoveries generated by rules)
+ type: string
+ users:
+ description: The optional array of users who may view the attack discovery. When empty, (or not present), all users may view the attack discovery.
+ items:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_User'
+ type: array
+ required:
+ - alert_ids
+ - connector_id
+ - connector_name
+ - details_markdown
+ - generation_uuid
+ - id
+ - summary_markdown
+ - timestamp
+ - title
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiSchedule:
+ description: An attack discovery schedule
+ properties:
+ actions:
+ description: The attack discovery schedule actions
+ items:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
+ type: array
+ created_at:
+ description: The date the schedule was created
+ format: date-time
+ type: string
+ created_by:
+ description: The name of the user that created the schedule
+ type: string
+ enabled:
+ description: Indicates whether the schedule is enabled
+ type: boolean
+ id:
+ description: UUID of attack discovery schedule
+ type: string
+ last_execution:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution'
+ description: The attack discovery schedule last execution summary
+ name:
+ description: The name of the schedule
+ type: string
+ params:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
+ description: The attack discovery schedule configuration parameters
+ schedule:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
+ description: The attack discovery schedule interval
+ updated_at:
+ description: The date the schedule was updated
+ format: date-time
+ type: string
+ updated_by:
+ description: The name of the user that updated the schedule
+ type: string
+ required:
+ - id
+ - name
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - enabled
+ - params
+ - schedule
+ - actions
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction'
+ - $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction'
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter:
+ additionalProperties: true
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency:
+ description: The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals).
+ properties:
+ notify_when:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen'
+ summary:
+ description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
+ type: boolean
+ throttle:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle'
+ nullable: true
+ x-omitempty: true
+ required:
+ - summary
+ - notify_when
+ - throttle
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup:
+ description: Groups actions by use cases. Use `default` for alert notifications.
+ type: string
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId:
+ description: The connector ID.
+ type: string
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionNotifyWhen:
+ description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`'
+ enum:
+ - onActiveAlert
+ - onThrottleInterval
+ - onActionGroupChange
+ type: string
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams:
+ additionalProperties: true
+ description: Object containing the allowed connector fields, which varies according to the connector type.
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionThrottle:
+ description: Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days.
+ pattern: ^[1-9]\d*[smhd]$
+ type: string
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleCreateProps:
+ description: An attack discovery schedule create properties
+ properties:
+ actions:
+ description: The attack discovery schedule actions
+ items:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
+ type: array
+ enabled:
+ description: Indicates whether the schedule is enabled
+ type: boolean
+ name:
+ description: The name of the schedule
+ type: string
+ params:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
+ description: The attack discovery schedule configuration parameters
+ schedule:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
+ description: The attack discovery schedule interval
+ required:
+ - name
+ - params
+ - schedule
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecution:
+ description: An attack discovery schedule execution information
+ properties:
+ date:
+ description: Date of the execution
+ format: date-time
+ type: string
+ duration:
+ description: Duration of the execution
+ type: number
+ message:
+ type: string
+ status:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus'
+ description: Status of the execution
+ required:
+ - date
+ - status
+ - last_duration
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleExecutionStatus:
+ description: An attack discovery schedule execution status
+ enum:
+ - ok
+ - active
+ - error
+ - unknown
+ - warning
+ type: string
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction:
+ properties:
+ action_type_id:
+ description: The action type used for sending notifications.
+ type: string
+ alerts_filter:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionAlertsFilter'
+ frequency:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionFrequency'
+ group:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionGroup'
+ id:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId'
+ params:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams'
+ uuid:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
+ required:
+ - action_type_id
+ - group
+ - id
+ - params
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams:
+ description: An attack discovery schedule params
+ properties:
+ alerts_index_pattern:
+ description: The index pattern to get alerts from
+ type: string
+ api_config:
+ allOf:
+ - $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig'
+ - properties:
+ name:
+ description: The name of the connector
+ type: string
+ required:
+ - name
+ type: object
+ description: LLM API configuration.
+ combined_filter:
+ additionalProperties: true
+ type: object
+ end:
+ type: string
+ filters:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_Filters'
+ query:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_Query'
+ size:
+ type: number
+ start:
+ type: string
+ required:
+ - alerts_index_pattern
+ - api_config
+ - size
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction:
+ properties:
+ action_type_id:
+ description: The action type used for sending notifications.
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionId'
+ params:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleActionParams'
+ uuid:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_NonEmptyString'
+ required:
+ - action_type_id
+ - id
+ - params
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryApiScheduleUpdateProps:
+ description: An attack discovery schedule update properties
+ properties:
+ actions:
+ description: The attack discovery schedule actions
+ items:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleAction'
+ type: array
+ name:
+ description: The name of the schedule
+ type: string
+ params:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AttackDiscoveryApiScheduleParams'
+ description: The attack discovery schedule configuration parameters
+ schedule:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_IntervalApiSchedule'
+ description: The attack discovery schedule interval
+ required:
+ - name
+ - params
+ - schedule
+ - actions
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryFindSortField:
+ description: Allowed field names to sort Attack discovery results by. Clients should only pass one of the listed values.
+ enum:
+ - '@timestamp'
+ type: string
+ Security_Attack_discovery_API_AttackDiscoveryGeneration:
+ properties:
+ alerts_context_count:
+ description: The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation
+ type: number
+ connector_id:
+ description: The connector id (event.dataset) for this generation
+ type: string
+ connector_stats:
+ description: Stats applicable to the connector for this generation
+ properties:
+ average_successful_duration_nanoseconds:
+ description: The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user
+ type: number
+ successful_generations:
+ description: The number of successful generations for the same connector id, for the current user
+ type: number
+ type: object
+ discoveries:
+ description: The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation
+ type: number
+ end:
+ description: When generation ended (max event.end)
+ type: string
+ execution_uuid:
+ description: The unique identifier (kibana.alert.rule.execution.uuid) for the generation
+ type: string
+ loading_message:
+ description: Generation loading message (kibana.alert.rule.execution.status)
+ type: string
+ reason:
+ description: Reason for failed generations (event.reason)
+ type: string
+ start:
+ description: When generation started (min event.start)
+ type: string
+ status:
+ description: The status of the attack discovery generation
+ enum:
+ - canceled
+ - dismissed
+ - failed
+ - started
+ - succeeded
+ type: string
+ required:
+ - connector_id
+ - discoveries
+ - execution_uuid
+ - loading_message
+ - start
+ - status
+ type: object
+ Security_Attack_discovery_API_AttackDiscoveryGenerationConfig:
+ properties:
+ alertsIndexPattern:
+ description: |
+ The (space specific) index pattern that contains the alerts to use as
+ context for the attack discovery.
+ Example: .alerts-security.alerts-default
+ type: string
+ anonymizationFields:
+ description: The list of fields, and whether or not they are anonymized, allowed to be sent to LLMs. Consider using the output of the `/api/security_ai_assistant/anonymization_fields/_find` API (for a specific Kibana space) to provide this value.
+ items:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_AnonymizationFieldResponse'
+ type: array
+ apiConfig:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_ApiConfig'
+ description: LLM API configuration.
+ connectorName:
+ type: string
+ end:
+ type: string
+ filter:
+ additionalProperties: true
+ description: |-
+ An Elasticsearch-style query DSL object used to filter alerts. For example:
+ ```json {
+ "filter": {
+ "bool": {
+ "must": [],
+ "filter": [
+ {
+ "bool": {
+ "should": [
+ {
+ "term": {
+ "user.name": { "value": "james" }
+ }
+ }
+ ],
+ "minimum_should_match": 1
+ }
+ }
+ ],
+ "should": [],
+ "must_not": []
+ }
+ }
+ } ```
+ type: object
+ model:
+ type: string
+ replacements:
+ $ref: '#/components/schemas/Security_Attack_discovery_API_Replacements'
+ size:
+ type: number
+ start:
+ type: string
+ subAction:
+ enum:
+ - invokeAI
+ - invokeStream
+ type: string
+ required:
+ - apiConfig
+ - alertsIndexPattern
+ - anonymizationFields
+ - size
+ - subAction
+ type: object
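Review bot: The markdown fence inside the `filter` description (`Security_Attack_discovery_API_AttackDiscoveryGenerationConfig`) will not render as a code block: the opener is written as "```json {" with the brace on the fence line, and the closer as "} ```". Put the opening brace on the line after "```json" and the closing "```" on its own line, e.g. `"```json"`, `"{"`, ..., `"}"`, `"```"`. In the same schema, `connectorName`, `end`, `start`, `model` and `size` carry no `description` although `size` and `subAction` are required; a one-line description each (what `size` bounds, what format `start`/`end` take, e.g. the same ISO 8601 contract as `Security_Attack_discovery_API_NonEmptyTimestamp`) would make the generated reference usable.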
+ Security_Attack_discovery_API_AttackDiscoveryGenericError:
+ description: Generic error response for Attack discovery schedule operations
+ properties:
+ error:
+ description: Error type
+ type: string
+ message:
+ description: Human-readable error message describing what went wrong
+ type: string
+ status_code:
+ description: HTTP status code
+ type: number
+ type: object
+ Security_Attack_discovery_API_Filters:
+ description: The filter array used to define the conditions for when alerts are selected as an attack discovery context. Defaults to an empty array.
+ items: {}
+ type: array
+ Security_Attack_discovery_API_IntervalApiSchedule:
+ properties:
+ interval:
+ description: The schedule interval
+ type: string
+ required:
+ - interval
+ type: object
+ Security_Attack_discovery_API_NonEmptyString:
+ description: A string that does not contain only whitespace characters.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Attack_discovery_API_NonEmptyTimestamp:
+ description: A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Attack_discovery_API_Provider:
+ description: Provider
+ enum:
+ - OpenAI
+ - Azure OpenAI
+ - Other
+ type: string
+ Security_Attack_discovery_API_Query:
+ description: An query condition to filter alerts
+ properties:
+ language:
+ type: string
+ query:
+ oneOf:
+ - type: string
+ - additionalProperties: true
+ type: object
+ required:
+ - query
+ - language
+ type: object
+ Security_Attack_discovery_API_Replacements:
+ additionalProperties:
+ type: string
+ description: Replacements object used to anonymize/deanonymize messages
+ type: object
+ Security_Attack_discovery_API_SortOrder:
+ description: The order in which results are sorted.
+ enum:
+ - asc
+ - desc
+ type: string
+ Security_Attack_discovery_API_User:
+ description: Could be any string, not necessarily a UUID.
+ properties:
+ id:
+ description: User id.
+ type: string
+ name:
+ description: User name.
+ type: string
+ type: object
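Review bot: In `Security_Attack_discovery_API_User` the description "Could be any string, not necessarily a UUID." is attached to the object schema but describes the `id` property; move it under `id` (replacing "User id.") so readers of the rendered docs see it next to the field it qualifies. Two lines above, `Security_Attack_discovery_API_Query` has "An query condition to filter alerts"; should read "A query condition to filter alerts".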
+ Security_Detections_API_AlertAssignees:
+ properties:
+ add:
+ items:
+ description: A list of user profile `uid`s to assign. Users need to activate their user profile by logging into Kibana at least once.
+ format: nonempty
+ minLength: 1
+ type: string
+ type: array
+ remove:
+ items:
+ description: A list of user profile `uid`s to unassign. Users need to activate their user profile by logging into Kibana at least once.
+ format: nonempty
+ minLength: 1
+ type: string
+ type: array
+ required:
+ - add
+ - remove
+ type: object
+ Security_Detections_API_AlertIds:
+ description: A list of alerts `id`s.
+ items:
+ format: nonempty
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ Security_Detections_API_AlertStatusExceptClosed:
+ description: The status of an alert, which can be `open`, `acknowledged`, `in-progress`, or `closed`.
+ enum:
+ - open
+ - acknowledged
+ - in-progress
+ type: string
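Review bot: The description of `Security_Detections_API_AlertStatusExceptClosed` contradicts its enum: it says the status "can be `open`, `acknowledged`, `in-progress`, or `closed`", but `closed` is deliberately excluded from the enum (and from the schema name). Suggest "The status of an alert, which can be `open`, `acknowledged`, or `in-progress`." so generated client docs do not advertise a value the validator will reject.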
+ Security_Detections_API_AlertSuppression:
+ description: Defines alert suppression configuration.
+ properties:
+ duration:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration'
+ group_by:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy'
+ missing_fields_strategy:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy'
+ required:
+ - group_by
+ type: object
+ Security_Detections_API_AlertSuppressionDuration:
+ properties:
+ unit:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit'
+ value:
+ minimum: 1
+ type: integer
+ required:
+ - value
+ - unit
+ type: object
+ Security_Detections_API_AlertSuppressionDurationUnit:
+ description: Time unit
+ enum:
+ - s
+ - m
+ - h
+ type: string
+ Security_Detections_API_AlertSuppressionGroupBy:
+ items:
+ type: string
+ maxItems: 3
+ minItems: 1
+ type: array
+ Security_Detections_API_AlertSuppressionMissingFieldsStrategy:
+ description: |-
+ Describes how alerts will be generated for documents with missing suppress by fields:
+ doNotSuppress - per each document a separate alert will be created
+ suppress - only alert will be created per suppress by bucket
+ enum:
+ - doNotSuppress
+ - suppress
+ type: string
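Review bot: The `suppress` line in `Security_Detections_API_AlertSuppressionMissingFieldsStrategy` is missing a word and reads "only alert will be created per suppress by bucket"; it should say "only one alert will be created per suppress-by bucket". The preceding line "per each document a separate alert will be created" reads better as "a separate alert is created for each document". Hyphenating "suppress-by fields" in the first line also avoids parsing it as a verb phrase.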
+ Security_Detections_API_AlertTag:
+ description: Use alert tags to organize related alerts into categories that you can filter and group.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Detections_API_AlertTags:
+ description: List of keywords to organize related alerts into categories that you can filter and group.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_AlertTag'
+ type: array
+ Security_Detections_API_AlertVersion:
+ properties:
+ count:
+ type: integer
+ version:
+ type: integer
+ required:
+ - version
+ - count
+ type: object
+ Security_Detections_API_AlertsIndex:
+ deprecated: true
+ description: (deprecated) Has no effect.
+ type: string
+ Security_Detections_API_AlertsIndexMigrationError:
+ properties:
+ error:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: string
+ required:
+ - message
+ - status_code
+ type: object
+ index:
+ type: string
+ required:
+ - index
+ - error
+ type: object
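Review bot: `status_code` in `Security_Detections_API_AlertsIndexMigrationError.error` is declared `type: string`, while the other error envelopes in this bundle declare it numerically (`Security_Attack_discovery_API_AttackDiscoveryGenericError.status_code` is `number`, `Security_Detections_API_BulkEditActionResponse.status_code` is `integer`). If the migration endpoint really emits a string here, a description noting that would save client authors a surprise; if not, align it to `integer` so generated clients can compare HTTP codes uniformly.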
+ Security_Detections_API_AlertsIndexMigrationSuccess:
+ properties:
+ index:
+ type: string
+ migration_id:
+ type: string
+ migration_index:
+ type: string
+ required:
+ - index
+ - migration_id
+ - migration_index
+ type: object
+ Security_Detections_API_AlertsIndexNamespace:
+ description: Has no effect.
+ type: string
+ Security_Detections_API_AlertsReindexOptions:
+ properties:
+ requests_per_second:
+ description: The throttle for the migration task in sub-requests per second. Corresponds to requests_per_second on the Reindex API.
+ minimum: 1
+ type: integer
+ size:
+ description: Number of alerts to migrate per batch. Corresponds to the source.size option on the Reindex API.
+ minimum: 1
+ type: integer
+ slices:
+ description: The number of subtasks for the migration task. Corresponds to slices on the Reindex API.
+ minimum: 1
+ type: integer
+ type: object
+ Security_Detections_API_AlertsSort:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
+ - items:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
+ type: array
+ Security_Detections_API_AlertsSortCombinations:
+ anyOf:
+ - type: string
+ - additionalProperties: true
+ type: object
+ Security_Detections_API_AnomalyThreshold:
+ description: Anomaly score threshold above which the rule creates an alert. Valid values are from 0 to 100.
+ minimum: 0
+ type: integer
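Review bot: `Security_Detections_API_AnomalyThreshold` states "Valid values are from 0 to 100" but only declares `minimum: 0`; add `maximum: 100` so the schema enforces the documented upper bound and validators reject out-of-range thresholds instead of relying on prose.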
+ Security_Detections_API_BuildingBlockType:
+ description: |
+ Determines if the rule acts as a building block. If yes, the value must be `default`.
+ By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts.
+ For more information, refer to [About building block rules](https://www.elastic.co/guide/en/security/current/building-block-rule.html).
+ type: string
+ Security_Detections_API_BulkActionEditPayload:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadAlertSuppression'
+ Security_Detections_API_BulkActionEditPayloadAlertSuppression:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppression'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression'
+ Security_Detections_API_BulkActionEditPayloadDeleteAlertSuppression:
+ properties:
+ type:
+ enum:
+ - delete_alert_suppression
+ type: string
+ required:
+ - type
+ type: object
+ Security_Detections_API_BulkActionEditPayloadIndexPatterns:
+ description: |
+ Edits index patterns of rulesClient.
+
+ - `add_index_patterns` adds index patterns to rules. If an index pattern already exists for a rule, no changes are made.
+ - `delete_index_patterns` removes index patterns from rules. If an index pattern does not exist for a rule, no changes are made.
+ - `set_index_patterns` sets index patterns for rules, overwriting any existing index patterns. If the set of index patterns is the same as the existing index patterns, no changes are made.
+ properties:
+ overwrite_data_views:
+ description: Resets the data view for the rule.
+ type: boolean
+ type:
+ enum:
+ - add_index_patterns
+ - delete_index_patterns
+ - set_index_patterns
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ required:
+ - type
+ - value
+ type: object
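Review bot: The description of `Security_Detections_API_BulkActionEditPayloadIndexPatterns` opens with "Edits index patterns of rulesClient.", which leaks an internal identifier into public API docs; the sibling schemas use "Edits investigation fields of rules." and "Edits tags of rules.", so this should read "Edits index patterns of rules.". Also consider documenting when `overwrite_data_views` applies (only with `set_index_patterns`, or with all three types?), since "Resets the data view for the rule." does not say.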
+ Security_Detections_API_BulkActionEditPayloadInvestigationFields:
+ description: |
+ Edits investigation fields of rules.
+
+ - `add_investigation_fields` adds investigation fields to rules. If an investigation field already exists for a rule, no changes are made.
+ - `delete_investigation_fields` removes investigation fields from rules. If an investigation field does not exist for a rule, no changes are made.
+ - `set_investigation_fields` sets investigation fields for rules. If the set of investigation fields is the same as the existing investigation fields, no changes are made.
+ properties:
+ type:
+ enum:
+ - add_investigation_fields
+ - delete_investigation_fields
+ - set_investigation_fields
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ required:
+ - type
+ - value
+ type: object
+ Security_Detections_API_BulkActionEditPayloadRuleActions:
+ description: |
+ Edits rule actions of rules.
+
+ - `add_rule_actions` adds rule actions to rules. This action is non-idempotent, meaning that even if the same rule action already exists for a rule, it will be added again with a new unique ID.
+ - `set_rule_actions` sets rule actions for rules. This action is non-idempotent, meaning that even if the same set of rule actions already exists for a rule, it will be set again and the actions will receive new unique IDs.
+ properties:
+ type:
+ enum:
+ - add_rule_actions
+ - set_rule_actions
+ type: string
+ value:
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction'
+ type: array
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions'
+ required:
+ - actions
+ type: object
+ required:
+ - type
+ - value
+ type: object
+ Security_Detections_API_BulkActionEditPayloadSchedule:
+ description: "Overwrites schedule of rules. \n\n- `set_schedule` sets a schedule for rules. If the same schedule already exists for a rule, no changes are made.\n\nBoth `interval` and `lookback` have a format of \"{integer}{time_unit}\", where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: \"45s\", \"30m\", \"6h\"\n"
+ properties:
+ type:
+ enum:
+ - set_schedule
+ type: string
+ value:
+ properties:
+ interval:
+ description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour.
+ pattern: ^[1-9]\d*[smh]$
+ type: string
+ lookback:
+ description: |
+ Lookback time for the rules.
+
+ Additional look-back time that the rule analyzes. For example, "10m" means the rule analyzes the last 10 minutes of data in addition to the frequency interval.
+ pattern: ^[1-9]\d*[smh]$
+ type: string
+ required:
+ - interval
+ - lookback
+ type: object
+ required:
+ - type
+ - value
+ type: object
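Review bot: The description of `Security_Detections_API_BulkActionEditPayloadSchedule` is a double-quoted scalar with embedded `\n` escapes and a trailing space after "rules.", whereas every sibling payload uses a `|` block scalar; converting it to the same block style keeps the bundle consistent and makes the Markdown list inside it easy to diff. The `lookback` description is also duplicated in two sentences ("Lookback time for the rules." then "Additional look-back time that the rule analyzes."); one is enough, and "look-back" vs "Lookback" should be spelled one way.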
+ Security_Detections_API_BulkActionEditPayloadSetAlertSuppression:
+ properties:
+ type:
+ enum:
+ - set_alert_suppression
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ required:
+ - type
+ - value
+ type: object
+ Security_Detections_API_BulkActionEditPayloadSetAlertSuppressionForThreshold:
+ properties:
+ type:
+ enum:
+ - set_alert_suppression_for_threshold
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression'
+ required:
+ - type
+ - value
+ type: object
+ Security_Detections_API_BulkActionEditPayloadTags:
+ description: |
+ Edits tags of rules.
+
+ - `add_tags` adds tags to rules. If a tag already exists for a rule, no changes are made.
+ - `delete_tags` removes tags from rules. If a tag does not exist for a rule, no changes are made.
+ - `set_tags` sets tags for rules, overwriting any existing tags. If the set of tags is the same as the existing tags, no changes are made.
+ properties:
+ type:
+ enum:
+ - add_tags
+ - delete_tags
+ - set_tags
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ required:
+ - type
+ - value
+ type: object
+ Security_Detections_API_BulkActionEditPayloadTimeline:
+ description: |
+ Edits timeline of rules.
+
+ - `set_timeline` sets a timeline for rules. If the same timeline already exists for a rule, no changes are made.
+ properties:
+ type:
+ enum:
+ - set_timeline
+ type: string
+ value:
+ properties:
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ required:
+ - timeline_id
+ - timeline_title
+ type: object
+ required:
+ - type
+ - value
+ type: object
+ Security_Detections_API_BulkActionSkipResult:
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ skip_reason:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkGapsFillingSkipReason'
+ required:
+ - id
+ - skip_reason
+ type: object
+ Security_Detections_API_BulkActionsDryRunErrCode:
+ enum:
+ - IMMUTABLE
+ - PREBUILT_CUSTOMIZATION_LICENSE
+ - MACHINE_LEARNING_AUTH
+ - MACHINE_LEARNING_INDEX_PATTERN
+ - ESQL_INDEX_PATTERN
+ - MANUAL_RULE_RUN_FEATURE
+ - MANUAL_RULE_RUN_DISABLED_RULE
+ - THRESHOLD_RULE_TYPE_IN_SUPPRESSION
+ - UNSUPPORTED_RULE_IN_SUPPRESSION_FOR_THRESHOLD
+ - RULE_FILL_GAPS_DISABLED_RULE
+ type: string
+ Security_Detections_API_BulkDeleteRules:
+ properties:
+ action:
+ enum:
+ - delete
+ type: string
+ gaps_range_end:
+ description: Gaps range end, valid only when query is provided
+ type: string
+ gaps_range_start:
+ description: Gaps range start, valid only when query is provided
+ type: string
+ ids:
+ description: |
+ Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
+ Only valid when query property is undefined.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules.
+ type: string
+ required:
+ - action
+ type: object
+ Security_Detections_API_BulkDisableRules:
+ properties:
+ action:
+ enum:
+ - disable
+ type: string
+ gaps_range_end:
+ description: Gaps range end, valid only when query is provided
+ type: string
+ gaps_range_start:
+ description: Gaps range start, valid only when query is provided
+ type: string
+ ids:
+ description: |
+ Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
+ Only valid when query property is undefined.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules.
+ type: string
+ required:
+ - action
+ type: object
+ Security_Detections_API_BulkDuplicateRules:
+ properties:
+ action:
+ enum:
+ - duplicate
+ type: string
+ duplicate:
+ description: Duplicate object that describes applying an update action.
+ properties:
+ include_exceptions:
+ description: Whether to copy exceptions from the original rule
+ type: boolean
+ include_expired_exceptions:
+ description: Whether to copy expired exceptions from the original rule
+ type: boolean
+ required:
+ - include_exceptions
+ - include_expired_exceptions
+ type: object
+ gaps_range_end:
+ description: Gaps range end, valid only when query is provided
+ type: string
+ gaps_range_start:
+ description: Gaps range start, valid only when query is provided
+ type: string
+ ids:
+ description: |
+ Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
+ Only valid when query property is undefined.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules.
+ type: string
+ required:
+ - action
+ type: object
+ Security_Detections_API_BulkEditActionResponse:
+ properties:
+ attributes:
+ properties:
+ errors:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError'
+ type: array
+ results:
+ $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults'
+ summary:
+ $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary'
+ required:
+ - results
+ - summary
+ type: object
+ message:
+ type: string
+ rules_count:
+ type: integer
+ status_code:
+ type: integer
+ success:
+ type: boolean
+ required:
+ - attributes
+ type: object
+ Security_Detections_API_BulkEditActionResults:
+ properties:
+ created:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ type: array
+ deleted:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ type: array
+ skipped:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult'
+ type: array
+ updated:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ type: array
+ required:
+ - updated
+ - created
+ - deleted
+ - skipped
+ type: object
+ Security_Detections_API_BulkEditActionSummary:
+ description: A rule can only be skipped when the bulk action to be performed on it results in nothing being done. For example, if the `edit` action is used to add a tag to a rule that already has that tag, or to delete an index pattern that is not specified in a rule. Objects returned in `attributes.results.skipped` will only include rules' `id`, `name`, and `skip_reason`.
+ properties:
+ failed:
+ type: integer
+ skipped:
+ type: integer
+ succeeded:
+ type: integer
+ total:
+ type: integer
+ required:
+ - failed
+ - skipped
+ - succeeded
+ - total
+ type: object
+ Security_Detections_API_BulkEditRules:
+ properties:
+ action:
+ enum:
+ - edit
+ type: string
+ edit:
+ description: Array of objects containing the edit operations
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload'
+ minItems: 1
+ type: array
+ gaps_range_end:
+ description: Gaps range end, valid only when query is provided
+ type: string
+ gaps_range_start:
+ description: Gaps range start, valid only when query is provided
+ type: string
+ ids:
+ description: |
+ Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
+ Only valid when query property is undefined.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules.
+ type: string
+ required:
+ - action
+ - edit
+ type: object
+ Security_Detections_API_BulkEditSkipReason:
+ enum:
+ - RULE_NOT_MODIFIED
+ type: string
+ Security_Detections_API_BulkEnableRules:
+ properties:
+ action:
+ enum:
+ - enable
+ type: string
+ gaps_range_end:
+ description: Gaps range end, valid only when query is provided
+ type: string
+ gaps_range_start:
+ description: Gaps range start, valid only when query is provided
+ type: string
+ ids:
+ description: |
+ Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
+ Only valid when query property is undefined.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules.
+ type: string
+ required:
+ - action
+ type: object
+ Security_Detections_API_BulkExportActionResponse:
+ type: string
+ Security_Detections_API_BulkExportRules:
+ properties:
+ action:
+ enum:
+ - export
+ type: string
+ gaps_range_end:
+ description: Gaps range end, valid only when query is provided
+ type: string
+ gaps_range_start:
+ description: Gaps range start, valid only when query is provided
+ type: string
+ ids:
+ description: |
+ Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
+ Only valid when query property is undefined.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules.
+ type: string
+ required:
+ - action
+ type: object
+ Security_Detections_API_BulkGapsFillingSkipReason:
+ enum:
+ - NO_GAPS_TO_FILL
+ type: string
+ Security_Detections_API_BulkManualRuleFillGaps:
+ properties:
+ action:
+ enum:
+ - fill_gaps
+ type: string
+ fill_gaps:
+ description: Object that describes applying a manual gap fill action for the specified time range.
+ properties:
+ end_date:
+ description: End date of the manual gap fill
+ type: string
+ start_date:
+ description: Start date of the manual gap fill
+ type: string
+ required:
+ - start_date
+ - end_date
+ type: object
+ gaps_range_end:
+ description: Gaps range end, valid only when query is provided
+ type: string
+ gaps_range_start:
+ description: Gaps range start, valid only when query is provided
+ type: string
+ ids:
+ description: |
+ Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
+ Only valid when query property is undefined.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules.
+ type: string
+ required:
+ - action
+ - fill_gaps
+ type: object
+ Security_Detections_API_BulkManualRuleRun:
+ properties:
+ action:
+ enum:
+ - run
+ type: string
+ gaps_range_end:
+ description: Gaps range end, valid only when query is provided
+ type: string
+ gaps_range_start:
+ description: Gaps range start, valid only when query is provided
+ type: string
+ ids:
+ description: |
+ Array of rule `id`s to which a bulk action will be applied. Do not use rule's `rule_id` here.
+ Only valid when query property is undefined.
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules.
+ type: string
+ run:
+ description: Object that describes applying a manual rule run action.
+ properties:
+ end_date:
+ description: End date of the manual rule run
+ type: string
+ start_date:
+ description: Start date of the manual rule run
+ type: string
+ required:
+ - start_date
+ - end_date
+ type: object
+ required:
+ - action
+ - run
+ type: object
+ Security_Detections_API_CloseAlertsByIds:
+ properties:
+ reason:
+ $ref: '#/components/schemas/Security_Detections_API_ReasonEnum'
+ signal_ids:
+ description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.'
+ items:
+ format: nonempty
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ status:
+ enum:
+ - closed
+ type: string
+ required:
+ - signal_ids
+ - status
+ type: object
+ Security_Detections_API_CloseAlertsByQuery:
+ properties:
+ conflicts:
+ default: abort
+ enum:
+ - abort
+ - proceed
+ type: string
+ query:
+ additionalProperties: true
+ type: object
+ reason:
+ $ref: '#/components/schemas/Security_Detections_API_ReasonEnum'
+ status:
+ enum:
+ - closed
+ type: string
+ required:
+ - query
+ - status
+ type: object
+ Security_Detections_API_ConcurrentSearches:
+ minimum: 1
+ type: integer
+ Security_Detections_API_DataViewId:
+ type: string
+ Security_Detections_API_DefaultParams:
+ properties:
+ command:
+ enum:
+ - isolate
+ type: string
+ comment:
+ type: string
+ required:
+ - command
+ type: object
+ Security_Detections_API_EcsMapping:
+ additionalProperties:
+ properties:
+ field:
+ type: string
+ value:
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ type: object
+ description: 'Map Osquery results columns or static values to Elastic Common Schema (ECS) fields. Example: "ecs_mapping": {"process.pid": {"field": "pid"}}'
+ type: object
+ Security_Detections_API_EndpointResponseAction:
+ properties:
+ action_type_id:
+ enum:
+ - .endpoint
+ type: string
+ params:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_DefaultParams'
+ - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams'
+ required:
+ - action_type_id
+ - params
+ type: object
+ Security_Detections_API_EqlOptionalFields:
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ event_category_override:
+ $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ tiebreaker_field:
+ $ref: '#/components/schemas/Security_Detections_API_TiebreakerField'
+ timestamp_field:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampField'
+ type: object
+ Security_Detections_API_EqlQueryLanguage:
+ enum:
+ - eql
+ type: string
+ Security_Detections_API_EqlRequiredFields:
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage'
+ description: Query language to use
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ type:
+ description: Rule type
+ enum:
+ - eql
+ type: string
+ required:
+ - type
+ - query
+ - language
+ type: object
+ Security_Detections_API_EqlRule:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields'
+ Security_Detections_API_EqlRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
+ Security_Detections_API_EqlRuleCreateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields'
+ Security_Detections_API_EqlRulePatchFields:
+ allOf:
+ - properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage'
+ description: Query language to use
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ type:
+ description: Rule type
+ enum:
+ - eql
+ type: string
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
+ Security_Detections_API_EqlRulePatchProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields'
+ Security_Detections_API_EqlRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
+ Security_Detections_API_EqlRuleUpdateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields'
+ Security_Detections_API_ErrorSchema:
+ additionalProperties: false
+ properties:
+ error:
+ properties:
+ message:
+ type: string
+ status_code:
+ minimum: 400
+ type: integer
+ required:
+ - status_code
+ - message
+ type: object
+ id:
+ type: string
+ item_id:
+ minLength: 1
+ type: string
+ list_id:
+ minLength: 1
+ type: string
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ required:
+ - error
+ type: object
+ Security_Detections_API_EsqlQueryLanguage:
+ enum:
+ - esql
+ type: string
+ Security_Detections_API_EsqlRule:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields'
+ Security_Detections_API_EsqlRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields'
+ Security_Detections_API_EsqlRuleCreateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields'
+ Security_Detections_API_EsqlRuleOptionalFields:
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ type: object
+ Security_Detections_API_EsqlRulePatchProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ type:
+ description: Rule type
+ enum:
+ - esql
+ type: string
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
+ Security_Detections_API_EsqlRuleRequiredFields:
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ type:
+ description: Rule type
+ enum:
+ - esql
+ type: string
+ required:
+ - type
+ - language
+ - query
+ type: object
+ Security_Detections_API_EsqlRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields'
+ Security_Detections_API_EsqlRuleUpdateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields'
+ Security_Detections_API_EventCategoryOverride:
+ type: string
+ Security_Detections_API_ExceptionListType:
+ description: The exception type
+ enum:
+ - detection
+ - rule_default
+ - endpoint
+ - endpoint_trusted_apps
+ - endpoint_trusted_devices
+ - endpoint_events
+ - endpoint_host_isolation_exceptions
+ - endpoint_blocklists
+ type: string
+ Security_Detections_API_ExternalRuleCustomizedFields:
+ description: An array of customized field names — that is, fields that the user has modified from their base value. Defaults to an empty array.
+ items:
+ properties:
+ field_name:
+ description: Name of a user-modified field in the rule object.
+ type: string
+ required:
+ - field_name
+ type: object
+ type: array
+ Security_Detections_API_ExternalRuleHasBaseVersion:
+ description: Determines whether an external/prebuilt rule has its original, unmodified version present when the calculation of its customization status is performed (`rule_source.is_customized` and `rule_source.customized_fields`).
+ type: boolean
+ Security_Detections_API_ExternalRuleSource:
+ description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
+ properties:
+ customized_fields:
+ $ref: '#/components/schemas/Security_Detections_API_ExternalRuleCustomizedFields'
+ has_base_version:
+ $ref: '#/components/schemas/Security_Detections_API_ExternalRuleHasBaseVersion'
+ is_customized:
+ $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized'
+ type:
+ enum:
+ - external
+ type: string
+ required:
+ - type
+ - is_customized
+ - has_base_version
+ - customized_fields
+ type: object
+ Security_Detections_API_FindRulesSortField:
+ enum:
+ - created_at
+ - createdAt
+ - enabled
+ - execution_summary.last_execution.date
+ - execution_summary.last_execution.metrics.execution_gap_duration_s
+ - execution_summary.last_execution.metrics.total_indexing_duration_ms
+ - execution_summary.last_execution.metrics.total_search_duration_ms
+ - execution_summary.last_execution.status
+ - name
+ - risk_score
+ - riskScore
+ - severity
+ - updated_at
+ - updatedAt
+ type: string
+ Security_Detections_API_HistoryWindowStart:
+ description: Start date to use when checking if a term has been seen before. Supports relative dates – for example, now-30d will search the last 30 days of data when checking if a term is new. We do not recommend using absolute dates, which can cause issues with rule performance due to querying increasing amounts of data over time.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Detections_API_IndexMigrationStatus:
+ properties:
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ is_outdated:
+ type: boolean
+ migrations:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_MigrationStatus'
+ type: array
+ signal_versions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_AlertVersion'
+ type: array
+ version:
+ type: integer
+ required:
+ - index
+ - version
+ - signal_versions
+ - migrations
+ - is_outdated
+ type: object
+ Security_Detections_API_IndexPatternArray:
+ description: |
+ Indices on which the rule functions. Defaults to the Security Solution indices defined on the Kibana Advanced Settings page (Kibana → Stack Management → Advanced Settings → `securitySolution:defaultIndex`).
+ > info
+ > This field is not supported for ES|QL rules.
+ items:
+ type: string
+ type: array
+ Security_Detections_API_InternalRuleSource:
+ description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
+ properties:
+ type:
+ enum:
+ - internal
+ type: string
+ required:
+ - type
+ type: object
+ Security_Detections_API_InvestigationFields:
+ description: |
+ Schema for fields relating to investigation fields. These are user defined fields we use to highlight
+ in various features in the UI such as alert details flyout and exceptions auto-population from alert.
+ properties:
+ field_names:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ minItems: 1
+ type: array
+ required:
+ - field_names
+ type: object
+ Security_Detections_API_InvestigationGuide:
+ description: Notes to help investigate alerts produced by the rule.
+ type: string
+ Security_Detections_API_IsExternalRuleCustomized:
+ description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
+ type: boolean
+ Security_Detections_API_IsRuleEnabled:
+ description: Determines whether the rule is enabled. Defaults to true.
+ type: boolean
+ Security_Detections_API_IsRuleImmutable:
+ deprecated: true
+ description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field.
+ type: boolean
+ Security_Detections_API_ItemsPerSearch:
+ minimum: 1
+ type: integer
+ Security_Detections_API_KqlQueryLanguage:
+ enum:
+ - kuery
+ - lucene
+ type: string
+ Security_Detections_API_MachineLearningJobId:
+ description: Machine learning job ID(s) the rule monitors for anomaly scores.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ minItems: 1
+ type: array
+ Security_Detections_API_MachineLearningRule:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields'
+ Security_Detections_API_MachineLearningRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
+ Security_Detections_API_MachineLearningRuleCreateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields'
+ Security_Detections_API_MachineLearningRuleOptionalFields:
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ type: object
+ Security_Detections_API_MachineLearningRulePatchFields:
+ allOf:
+ - properties:
+ anomaly_threshold:
+ $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold'
+ machine_learning_job_id:
+ $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId'
+ type:
+ description: Rule type
+ enum:
+ - machine_learning
+ type: string
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
+ Security_Detections_API_MachineLearningRulePatchProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields'
+ Security_Detections_API_MachineLearningRuleRequiredFields:
+ properties:
+ anomaly_threshold:
+ $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold'
+ machine_learning_job_id:
+ $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId'
+ type:
+ description: Rule type
+ enum:
+ - machine_learning
+ type: string
+ required:
+ - type
+ - machine_learning_job_id
+ - anomaly_threshold
+ type: object
+ Security_Detections_API_MachineLearningRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
+ Security_Detections_API_MachineLearningRuleUpdateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields'
+ Security_Detections_API_MaxSignals:
+ default: 100
+ description: |
+ Maximum number of alerts the rule can create during a single run (the rule’s Max alerts per run [advanced setting](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#rule-ui-advanced-params) value).
+ > info
+ > This setting can be superseded by the [Kibana configuration setting](https://www.elastic.co/guide/en/kibana/current/alert-action-settings-kb.html#alert-settings) `xpack.alerting.rules.run.alerts.max`, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, the rule can generate no more than 1000 alerts even if `max_signals` is set higher.
+ minimum: 1
+ type: integer
+ Security_Detections_API_MigrationCleanupResult:
+ properties:
+ destinationIndex:
+ type: string
+ error:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - message
+ - status_code
+ type: object
+ id:
+ type: string
+ sourceIndex:
+ type: string
+ status:
+ enum:
+ - success
+ - failure
+ - pending
+ type: string
+ updated:
+ format: date-time
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - destinationIndex
+ - status
+ - sourceIndex
+ - version
+ - updated
+ type: object
+ Security_Detections_API_MigrationFinalizationResult:
+ properties:
+ completed:
+ type: boolean
+ destinationIndex:
+ type: string
+ error:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - message
+ - status_code
+ type: object
+ id:
+ type: string
+ sourceIndex:
+ type: string
+ status:
+ enum:
+ - success
+ - failure
+ - pending
+ type: string
+ updated:
+ format: date-time
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - completed
+ - destinationIndex
+ - status
+ - sourceIndex
+ - version
+ - updated
+ type: object
+ Security_Detections_API_MigrationStatus:
+ properties:
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ status:
+ enum:
+ - success
+ - failure
+ - pending
+ type: string
+ updated:
+ format: date-time
+ type: string
+ version:
+ type: integer
+ required:
+ - id
+ - status
+ - version
+ - updated
+ type: object
+ Security_Detections_API_NewTermsFields:
+ description: Fields to monitor for new values.
+ items:
+ type: string
+ maxItems: 3
+ minItems: 1
+ type: array
+ Security_Detections_API_NewTermsRule:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields'
+ Security_Detections_API_NewTermsRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields'
+ Security_Detections_API_NewTermsRuleCreateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields'
+ Security_Detections_API_NewTermsRuleDefaultableFields:
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ type: object
+ Security_Detections_API_NewTermsRuleOptionalFields:
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ type: object
+ Security_Detections_API_NewTermsRulePatchFields:
+ allOf:
+ - properties:
+ history_window_start:
+ $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart'
+ new_terms_fields:
+ $ref: '#/components/schemas/Security_Detections_API_NewTermsFields'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ type:
+ description: Rule type
+ enum:
+ - new_terms
+ type: string
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields'
+ Security_Detections_API_NewTermsRulePatchProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields'
+ Security_Detections_API_NewTermsRuleRequiredFields:
+ properties:
+ history_window_start:
+ $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart'
+ new_terms_fields:
+ $ref: '#/components/schemas/Security_Detections_API_NewTermsFields'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ type:
+ description: Rule type
+ enum:
+ - new_terms
+ type: string
+ required:
+ - type
+ - query
+ - new_terms_fields
+ - history_window_start
+ type: object
+ Security_Detections_API_NewTermsRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
+ - properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ required:
+ - language
+ type: object
+ Security_Detections_API_NewTermsRuleUpdateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields'
+ Security_Detections_API_NonEmptyString:
+ description: A string that does not contain only whitespace characters
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Detections_API_NormalizedRuleAction:
+ additionalProperties: false
+ properties:
+ alerts_filter:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter'
+ frequency:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency'
+ group:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionId'
+ params:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionParams'
+ required:
+ - id
+ - params
+ type: object
+ Security_Detections_API_NormalizedRuleError:
+ properties:
+ err_code:
+ $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode'
+ message:
+ type: string
+ rules:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError'
+ type: array
+ status_code:
+ type: integer
+ required:
+ - message
+ - status_code
+ - rules
+ type: object
+ Security_Detections_API_OsqueryParams:
+ properties:
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_EcsMapping'
+ pack_id:
+ description: 'To specify a query pack, use the packId field. Example: "packId": "processes_elastic"'
+ type: string
+ queries:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery'
+ type: array
+ query:
+ description: 'To run a single query, use the query field and enter a SQL query. Example: "query": "SELECT * FROM processes;"'
+ type: string
+ saved_query_id:
+ description: 'To run a saved query, use the saved_query_id field and specify the saved query ID. Example: "saved_query_id": "processes_elastic"'
+ type: string
+ timeout:
+ description: 'A timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900. Example: "timeout": 120.'
+ type: number
+ type: object
+ Security_Detections_API_OsqueryQuery:
+ properties:
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_EcsMapping'
+ id:
+ description: Query ID
+ type: string
+ platform:
+ type: string
+ query:
+ description: Query to run
+ type: string
+ removed:
+ type: boolean
+ snapshot:
+ type: boolean
+ version:
+ description: Query version
+ type: string
+ required:
+ - id
+ - query
+ type: object
+ Security_Detections_API_OsqueryResponseAction:
+ properties:
+ action_type_id:
+ enum:
+ - .osquery
+ type: string
+ params:
+ $ref: '#/components/schemas/Security_Detections_API_OsqueryParams'
+ required:
+ - action_type_id
+ - params
+ type: object
+ Security_Detections_API_PlatformErrorResponse:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: integer
+ required:
+ - statusCode
+ - error
+ - message
+ type: object
+ Security_Detections_API_ProcessesParams:
+ properties:
+ command:
+ description: 'To run an endpoint response action, specify a value for the command field. Example: "command": "isolate"'
+ enum:
+ - kill-process
+ - suspend-process
+ type: string
+ comment:
+ description: 'Add a note that explains or describes the action. You can find your comment in the response actions history log. Example: "comment": "Check processes"'
+ type: string
+ config:
+ properties:
+ field:
+ description: Field to use instead of process.pid
+ type: string
+ overwrite:
+ default: true
+ description: Whether to overwrite field with process.pid
+ type: boolean
+ required:
+ - field
+ type: object
+ required:
+ - command
+ - config
+ type: object
+ Security_Detections_API_QueryRule:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields'
+ Security_Detections_API_QueryRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields'
+ Security_Detections_API_QueryRuleCreateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields'
+ Security_Detections_API_QueryRuleDefaultableFields:
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ type: object
+ Security_Detections_API_QueryRuleOptionalFields:
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ saved_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
+ type: object
+ Security_Detections_API_QueryRulePatchFields:
+ allOf:
+ - properties:
+ type:
+ description: Rule type
+ enum:
+ - query
+ type: string
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields'
+ Security_Detections_API_QueryRulePatchProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields'
+ Security_Detections_API_QueryRuleRequiredFields:
+ properties:
+ type:
+ description: Rule type
+ enum:
+ - query
+ type: string
+ required:
+ - type
+ type: object
+ Security_Detections_API_QueryRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
+ - properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ required:
+ - query
+ - language
+ type: object
+ Security_Detections_API_QueryRuleUpdateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields'
+ Security_Detections_API_ReasonEnum:
+ description: The reason for closing the alerts
+ enum:
+ - false_positive
+ - duplicate
+ - true_positive
+ - benign_positive
+ - automated_closure
+ - other
+ type: string
+ Security_Detections_API_RelatedIntegration:
+ description: |
+ Related integration is a potential dependency of a rule. It's assumed that if the user installs
+ one of the related integrations of a rule, the rule might start to work properly because it will
+ have source events (generated by this integration) potentially matching the rule's query.
+
+ NOTE: Proper work is not guaranteed, because a related integration, if installed, can be
+ configured differently or generate data that is not necessarily relevant for this rule.
+
+ Related integration is a combination of a Fleet package and (optionally) one of the
+ package's "integrations" that this package contains. It is represented by 3 properties:
+
+ - `package`: name of the package (required, unique id)
+ - `version`: version of the package (required, semver-compatible)
+ - `integration`: name of the integration of this package (optional, id within the package)
+
+ There are Fleet packages like `windows` that contain only one integration; in this case,
+ `integration` should be unspecified. There are also packages like `aws` and `azure` that contain
+ several integrations; in this case, `integration` should be specified.
+ properties:
+ integration:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ package:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ required:
+ - package
+ - version
+ type: object
+ Security_Detections_API_RelatedIntegrationArray:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration'
+ type: array
+ Security_Detections_API_RequiredField:
+ description: |
+ Describes an Elasticsearch field that is needed for the rule to function.
+
+ Almost all types of Security rules check source event documents for a match to some kind of
+ query or filter. If a document has certain field with certain values, then it's a match and
+ the rule will generate an alert.
+
+ Required field is an event field that must be present in the source indices of a given rule.
+
+ @example
+ const standardEcsField: RequiredField = {
+ name: 'event.action',
+ type: 'keyword',
+ ecs: true,
+ };
+
+ @example
+ const nonEcsField: RequiredField = {
+ name: 'winlog.event_data.AttributeLDAPDisplayName',
+ type: 'keyword',
+ ecs: false,
+ };
+ properties:
+ ecs:
+ description: Indicates whether the field is ECS-compliant. This property is only present in responses. Its value is computed based on field’s name and type.
+ type: boolean
+ name:
+ description: Name of an Elasticsearch field
+ format: nonempty
+ minLength: 1
+ type: string
+ type:
+ description: Type of the Elasticsearch field
+ format: nonempty
+ minLength: 1
+ type: string
+ required:
+ - name
+ - type
+ - ecs
+ type: object
+ Security_Detections_API_RequiredFieldArray:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredField'
+ type: array
+ Security_Detections_API_RequiredFieldInput:
+ description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type.
+ properties:
+ name:
+ description: Name of an Elasticsearch field
+ format: nonempty
+ minLength: 1
+ type: string
+ type:
+ description: Type of the Elasticsearch field
+ format: nonempty
+ minLength: 1
+ type: string
+ required:
+ - name
+ - type
+ type: object
+ Security_Detections_API_ResponseAction:
+ discriminator:
+ mapping:
+ .endpoint: '#/components/schemas/Security_Detections_API_EndpointResponseAction'
+ .osquery: '#/components/schemas/Security_Detections_API_OsqueryResponseAction'
+ propertyName: action_type_id
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction'
+ - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction'
+ Security_Detections_API_ResponseFields:
+ properties:
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ type: string
+ execution_summary:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ immutable:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable'
+ required_fields:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray'
+ revision:
+ $ref: '#/components/schemas/Security_Detections_API_RuleRevision'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_source:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSource'
+ updated_at:
+ format: date-time
+ type: string
+ updated_by:
+ type: string
+ required:
+ - id
+ - rule_id
+ - immutable
+ - rule_source
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ - revision
+ - related_integrations
+ - required_fields
+ type: object
+ Security_Detections_API_RiskScore:
+ description: |
+ A numerical representation of the alert's severity from 0 to 100, where:
+ * `0` - `21` represents low severity
+ * `22` - `47` represents medium severity
+ * `48` - `73` represents high severity
+ * `74` - `100` represents critical severity
+ maximum: 100
+ minimum: 0
+ type: integer
+ Security_Detections_API_RiskScoreMapping:
+ description: Overrides generated alerts' risk_score with a value from the source event
+ items:
+ properties:
+ field:
+ description: Source event field used to override the default `risk_score`.
+ type: string
+ operator:
+ enum:
+ - equals
+ type: string
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ value:
+ type: string
+ required:
+ - field
+ - operator
+ - value
+ type: object
+ type: array
+ Security_Detections_API_RuleAction:
+ properties:
+ action_type_id:
+ description: |
+ The action type used for sending notifications, can be:
+
+ - `.slack`
+ - `.slack_api`
+ - `.email`
+ - `.index`
+ - `.pagerduty`
+ - `.swimlane`
+ - `.webhook`
+ - `.servicenow`
+ - `.servicenow-itom`
+ - `.servicenow-sir`
+ - `.jira`
+ - `.resilient`
+ - `.opsgenie`
+ - `.teams`
+ - `.torq`
+ - `.tines`
+ - `.d3security`
+ type: string
+ alerts_filter:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter'
+ frequency:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency'
+ group:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionId'
+ params:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionParams'
+ uuid:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ required:
+ - action_type_id
+ - id
+ - params
+ type: object
+ Security_Detections_API_RuleActionAlertsFilter:
+ additionalProperties: true
+ description: |
+ Object containing an action’s conditional filters.
+
+ - `timeframe` (object, optional): Object containing the time frame for when this action can be run.
+ - `days` (array of integers, required): List of days of the week on which this action will be run. Days of the week are expressed as numbers between `1-7`, where `1` is Monday and `7` is Sunday. To select all days of the week, enter an empty array.
+ - `hours` (object, required): The hours of the day during which this action will run. Hours of the day are expressed as two strings in the format `hh:mm` in `24` hour time. A start of `00:00` and an end of `24:00` means the action can run all day.
+ - start (string, required): Start time in `hh:mm` format.
+ - end (string, required): End time in `hh:mm` format.
+ - `timezone` (string, required): An ISO timezone name, such as `Europe/Madrid` or `America/New_York`. Specific offsets such as `UTC` or `UTC+1` will also work, but lack built-in DST.
+ - `query` (object, optional): Object containing a query filter which gets applied to an action and determines whether the action should run.
+ - `kql` (string, required): A KQL string.
+ - `filters` (array of objects, required): Array of filter objects, as defined in the `kbn-es-query` package.
+ type: object
+ Security_Detections_API_RuleActionFrequency:
+ description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
+ properties:
+ notifyWhen:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen'
+ summary:
+ description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
+ type: boolean
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ nullable: true
+ x-omitempty: true
+ required:
+ - summary
+ - notifyWhen
+ - throttle
+ type: object
+ Security_Detections_API_RuleActionGroup:
+ description: Optionally groups actions by use cases. Use `default` for alert notifications.
+ type: string
+ Security_Detections_API_RuleActionId:
+ description: The connector ID.
+ type: string
+ Security_Detections_API_RuleActionNotifyWhen:
+ description: Defines how often rules run actions.
+ enum:
+ - onActiveAlert
+ - onThrottleInterval
+ - onActionGroupChange
+ type: string
+ Security_Detections_API_RuleActionParams:
+ additionalProperties: true
+ description: |
+ Object containing the allowed connector fields, which varies according to the connector type.
+
+ For Slack:
+
+ - `message` (string, required): The notification message.
+
+ For email:
+
+ - `to`, `cc`, `bcc` (string): Email addresses to which the notifications are sent. At least one field must have a value.
+ - `subject` (string, optional): Email subject line.
+ - `message` (string, required): Email body text.
+
+ For Webhook:
+
+ - `body` (string, required): JSON payload.
+
+ For PagerDuty:
+
+ - `severity` (string, required): Severity of on the alert notification, can be: `Critical`, `Error`, `Warning` or `Info`.
+ - `eventAction` (string, required): Event [action type](https://v2.developer.pagerduty.com/docs/events-api-v2#event-action), which can be `trigger`, `resolve`, or `acknowledge`.
+ - `dedupKey` (string, optional): Groups alert notifications with the same PagerDuty alert.
+ - `timestamp` (DateTime, optional): ISO-8601 format [timestamp](https://v2.developer.pagerduty.com/docs/types#datetime).
+ - `component` (string, optional): Source machine component responsible for the event, for example `security-solution`.
+ - `group` (string, optional): Enables logical grouping of service components.
+ - `source` (string, optional): The affected system. Defaults to the Kibana saved object ID of the action.
+ - `summary` (string, options): Summary of the event. Defaults to `No summary provided`. Maximum length is 1024 characters.
+ - `class` (string, optional): Value indicating the class/type of the event.
+ type: object
+ Security_Detections_API_RuleActionThrottle:
+ description: Defines how often rule actions are taken.
+ oneOf:
+ - enum:
+ - no_actions
+ - rule
+ type: string
+ - description: Time interval in seconds, minutes, hours, or days.
+ pattern: ^[1-9]\d*[smhd]$
+ type: string
+ Security_Detections_API_RuleAuthorArray:
+ description: The rule’s author.
+ items:
+ type: string
+ type: array
+ Security_Detections_API_RuleCreateProps:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
+ discriminator:
+ mapping:
+ eql: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
+ esql: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
+ machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
+ new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
+ query: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
+ saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
+ threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
+ threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
+ propertyName: type
+ Security_Detections_API_RuleDescription:
+ description: The rule’s description.
+ minLength: 1
+ type: string
+ Security_Detections_API_RuleDetailsInError:
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ type: object
+ Security_Detections_API_RuleExceptionList:
+ description: |
+ Array of [exception containers](https://www.elastic.co/guide/en/security/current/exceptions-api-overview.html), which define exceptions that prevent the rule from generating alerts even when its other criteria are met.
+ properties:
+ id:
+ description: ID of the exception container
+ format: nonempty
+ minLength: 1
+ type: string
+ list_id:
+ description: List ID of the exception container
+ format: nonempty
+ minLength: 1
+ type: string
+ namespace_type:
+ description: Determines the exceptions validity in rule's Kibana space
+ enum:
+ - agnostic
+ - single
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Detections_API_ExceptionListType'
+ required:
+ - id
+ - list_id
+ - type
+ - namespace_type
+ type: object
+ Security_Detections_API_RuleExecutionMetrics:
+ properties:
+ execution_gap_duration_s:
+ description: Duration in seconds of execution gap
+ minimum: 0
+ type: integer
+ frozen_indices_queried_count:
+ description: Count of frozen indices queried during the rule execution. These indices could not be entirely excluded after applying the time range filter.
+ minimum: 0
+ type: integer
+ gap_range:
+ description: Range of the execution gap
+ properties:
+ gte:
+ description: Start date of the execution gap
+ type: string
+ lte:
+ description: End date of the execution gap
+ type: string
+ required:
+ - gte
+ - lte
+ type: object
+ total_enrichment_duration_ms:
+ description: Total time spent enriching documents during current rule execution cycle
+ minimum: 0
+ type: integer
+ total_indexing_duration_ms:
+ description: Total time spent indexing documents during current rule execution cycle
+ minimum: 0
+ type: integer
+ total_search_duration_ms:
+ description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
+ minimum: 0
+ type: integer
+ type: object
+ Security_Detections_API_RuleExecutionStatus:
+ description: |-
+ Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule.
+ - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes.
+ - running - Rule execution started but not reached any intermediate or final status.
+ - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist.
+ - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function.
+ - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it.
+ enum:
+ - going to run
+ - running
+ - partial failure
+ - failed
+ - succeeded
+ type: string
+ Security_Detections_API_RuleExecutionStatusOrder:
+ type: integer
+ Security_Detections_API_RuleExecutionSummary:
+ description: |
+ Summary of the last execution of a rule.
+ > info
+ > This field is under development and its usage or schema may change
+ properties:
+ last_execution:
+ properties:
+ date:
+ description: Date of the last execution
+ format: date-time
+ type: string
+ message:
+ type: string
+ metrics:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics'
+ status:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus'
+ description: Status of the last execution
+ status_order:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder'
+ required:
+ - date
+ - status
+ - status_order
+ - message
+ - metrics
+ type: object
+ required:
+ - last_execution
+ type: object
+ Security_Detections_API_RuleFalsePositiveArray:
+ description: String array used to describe common reasons why the rule may issue false-positive alerts. Defaults to an empty array.
+ items:
+ type: string
+ type: array
+ Security_Detections_API_RuleFilterArray:
+ description: |
+ The query and filter context array used to define the conditions for when alerts are created from events. Defaults to an empty array.
+ > info
+ > This field is not supported for ES|QL rules.
+ items: {}
+ type: array
+ Security_Detections_API_RuleInterval:
+ description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
+ type: string
+ Security_Detections_API_RuleIntervalFrom:
+ description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
+ format: date-math
+ type: string
+ Security_Detections_API_RuleIntervalTo:
+ type: string
+ Security_Detections_API_RuleLicense:
+ description: The rule's license.
+ type: string
+ Security_Detections_API_RuleMetadata:
+ additionalProperties: true
+ description: |
+ Placeholder for metadata about the rule.
+ > info
+ > This field is overwritten when you save changes to the rule’s settings.
+ type: object
+ Security_Detections_API_RuleName:
+ description: A human-readable name for the rule.
+ minLength: 1
+ type: string
+ Security_Detections_API_RuleNameOverride:
+ description: Sets which field in the source event is used to populate the alert's `signal.rule.name` value (in the UI, this value is displayed on the Rules page in the Rule column). When unspecified, the rule’s `name` value is used. The source field must be a string data type.
+ type: string
+ Security_Detections_API_RuleObjectId:
+ $ref: '#/components/schemas/Security_Detections_API_UUID'
+ description: A dynamic unique identifier for the rule object. It is randomly generated when a rule is created and cannot be changed after that. It is always a UUID. It is unique within a given Kibana space. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have different object `id`s.
+ Security_Detections_API_RulePatchProps:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps'
+ Security_Detections_API_RulePreviewLoggedRequest:
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ duration:
+ type: integer
+ request:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ request_type:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ type: object
+ Security_Detections_API_RulePreviewLogs:
+ properties:
+ duration:
+ description: Execution duration in milliseconds
+ type: integer
+ errors:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ type: array
+ requests:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest'
+ type: array
+ startedAt:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ warnings:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ type: array
+ required:
+ - errors
+ - warnings
+ - duration
+ type: object
+ Security_Detections_API_RulePreviewParams:
+ properties:
+ invocationCount:
+ type: integer
+ timeframeEnd:
+ format: date-time
+ type: string
+ required:
+ - invocationCount
+ - timeframeEnd
+ type: object
+ Security_Detections_API_RuleQuery:
+ description: |
+ [Query](https://www.elastic.co/guide/en/kibana/8.17/search.html) used by the rule to create alerts.
+
+ - For indicator match rules, only the query’s results are used to determine whether an alert is generated.
+ - ES|QL rules have additional query requirements. Refer to [Create ES|QL](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-esql-rule) rules for more information.
+ type: string
+ Security_Detections_API_RuleReferenceArray:
+ description: Array containing notes about or references to relevant information about the rule. Defaults to an empty array.
+ items:
+ type: string
+ type: array
+ Security_Detections_API_RuleResponse:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRule'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRule'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRule'
+ discriminator:
+ mapping:
+ eql: '#/components/schemas/Security_Detections_API_EqlRule'
+ esql: '#/components/schemas/Security_Detections_API_EsqlRule'
+ machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRule'
+ new_terms: '#/components/schemas/Security_Detections_API_NewTermsRule'
+ query: '#/components/schemas/Security_Detections_API_QueryRule'
+ saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRule'
+ threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRule'
+ threshold: '#/components/schemas/Security_Detections_API_ThresholdRule'
+ propertyName: type
+ Security_Detections_API_RuleRevision:
+ description: |
+ The rule's revision number.
+
+ It represents the version of rule's object in Kibana. It is set to `0` when the rule is installed or created and then gets incremented on each update.
+ > info
+ > Not all updates to any rule fields will increment the revision. Only those fields that are considered static `rule parameters` can trigger revision increments. For example, an update to a rule's query or index fields will increment the rule's revision by `1`. However, changes to dynamic or technical fields like enabled or execution_summary will not cause revision increments.
+ minimum: 0
+ type: integer
+ Security_Detections_API_RuleSignatureId:
+ description: A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same `rule_id`s.
+ type: string
+ Security_Detections_API_RuleSource:
+ description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource'
+ - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource'
+ Security_Detections_API_RuleTagArray:
+ description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
+ items:
+ type: string
+ type: array
+ Security_Detections_API_RuleUpdateProps:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps'
+ discriminator:
+ mapping:
+ eql: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps'
+ esql: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps'
+ machine_learning: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps'
+ new_terms: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps'
+ query: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps'
+ saved_query: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps'
+ threat_match: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps'
+ threshold: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps'
+ propertyName: type
+ Security_Detections_API_RuleVersion:
+ description: "The rule's version number.\n\n- For prebuilt rules it represents the version of the rule's content in the source [detection-rules](https://github.com/elastic/detection-rules) repository (and the corresponding `security_detection_engine` Fleet package that is used for distributing prebuilt rules). \n- For custom rules it is set to `1` when the rule is created. \n> info\n> It is not incremented on each update. Compare this to the `revision` field.\n"
+ minimum: 1
+ type: integer
+ Security_Detections_API_SavedObjectResolveAliasPurpose:
+ enum:
+ - savedObjectConversion
+ - savedObjectImport
+ type: string
+ Security_Detections_API_SavedObjectResolveAliasTargetId:
+ type: string
+ Security_Detections_API_SavedObjectResolveOutcome:
+ enum:
+ - exactMatch
+ - aliasMatch
+ - conflict
+ type: string
+ Security_Detections_API_SavedQueryId:
+ description: Kibana [saved search](https://www.elastic.co/guide/en/kibana/current/save-open-search.html) used by the rule to create alerts.
+ type: string
+ Security_Detections_API_SavedQueryRule:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields'
+ Security_Detections_API_SavedQueryRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields'
+ Security_Detections_API_SavedQueryRuleCreateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields'
+ Security_Detections_API_SavedQueryRuleDefaultableFields:
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ type: object
+ Security_Detections_API_SavedQueryRuleOptionalFields:
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ type: object
+ Security_Detections_API_SavedQueryRulePatchFields:
+ allOf:
+ - properties:
+ saved_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
+ type:
+ description: Rule type
+ enum:
+ - saved_query
+ type: string
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields'
+ Security_Detections_API_SavedQueryRulePatchProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields'
+ Security_Detections_API_SavedQueryRuleRequiredFields:
+ properties:
+ saved_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
+ type:
+ description: Rule type
+ enum:
+ - saved_query
+ type: string
+ required:
+ - type
+ - saved_id
+ type: object
+ Security_Detections_API_SavedQueryRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
+ - properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ required:
+ - language
+ type: object
+ Security_Detections_API_SavedQueryRuleUpdateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields'
+ Security_Detections_API_SetAlertTags:
+ description: Object with list of tags to add and remove.
+ properties:
+ tags_to_add:
+ $ref: '#/components/schemas/Security_Detections_API_AlertTags'
+ tags_to_remove:
+ $ref: '#/components/schemas/Security_Detections_API_AlertTags'
+ required:
+ - tags_to_add
+ - tags_to_remove
+ type: object
+ Security_Detections_API_SetAlertsStatusByIds:
+ discriminator:
+ mapping:
+ closed: '#/components/schemas/Security_Detections_API_CloseAlertsByIds'
+ propertyName: status
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByIds'
+ - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIdsBase'
+ Security_Detections_API_SetAlertsStatusByIdsBase:
+ properties:
+ signal_ids:
+ description: 'List of alert ids. Use field `_id` on alert document or `kibana.alert.uuid`. Note: signals are a deprecated term for alerts.'
+ items:
+ format: nonempty
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ status:
+ $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed'
+ required:
+ - signal_ids
+ - status
+ type: object
+ Security_Detections_API_SetAlertsStatusByQuery:
+ discriminator:
+ mapping:
+ closed: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery'
+ propertyName: status
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_CloseAlertsByQuery'
+ - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQueryBase'
+ Security_Detections_API_SetAlertsStatusByQueryBase:
+ properties:
+ conflicts:
+ default: abort
+ enum:
+ - abort
+ - proceed
+ type: string
+ query:
+ additionalProperties: true
+ type: object
+ status:
+ $ref: '#/components/schemas/Security_Detections_API_AlertStatusExceptClosed'
+ required:
+ - query
+ - status
+ type: object
+ Security_Detections_API_SetupGuide:
+ description: Populates the rule’s setup guide with instructions on rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
+ type: string
+ Security_Detections_API_Severity:
+ description: |
+ Severity level of alerts produced by the rule, which must be one of the following:
+ * `low`: Alerts that are of interest but generally not considered to be security incidents
+ * `medium`: Alerts that require investigation
+ * `high`: Alerts that require immediate investigation
+ * `critical`: Alerts that indicate it is highly likely a security incident has occurred
+ enum:
+ - low
+ - medium
+ - high
+ - critical
+ type: string
+ Security_Detections_API_SeverityMapping:
+ description: Overrides generated alerts' severity with values from the source event
+ items:
+ properties:
+ field:
+ description: Source event field used to override the default `severity`.
+ type: string
+ operator:
+ enum:
+ - equals
+ type: string
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ value:
+ type: string
+ required:
+ - field
+ - operator
+ - severity
+ - value
+ type: object
+ type: array
+ Security_Detections_API_SiemErrorResponse:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - status_code
+ - message
+ type: object
+ Security_Detections_API_SkippedAlertsIndexMigration:
+ properties:
+ index:
+ type: string
+ required:
+ - index
+ type: object
+ Security_Detections_API_SortOrder:
+ enum:
+ - asc
+ - desc
+ type: string
+ Security_Detections_API_Threat:
+ description: |
+ > info
+ > Currently, only threats described using the MITRE ATT&CK™ framework are supported.
+ properties:
+ framework:
+ description: Relevant attack framework
+ type: string
+ tactic:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatTactic'
+ technique:
+ description: Array containing information on the attack techniques (optional)
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique'
+ type: array
+ required:
+ - framework
+ - tactic
+ type: object
+ Security_Detections_API_ThreatArray:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_Threat'
+ type: array
+ Security_Detections_API_ThreatFilters:
+ items:
+ description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
+ type: array
+ Security_Detections_API_ThreatIndex:
+ description: Elasticsearch indices used to check which field values generate alerts.
+ items:
+ type: string
+ type: array
+ Security_Detections_API_ThreatIndicatorPath:
+ description: Defines the path to the threat indicator in the indicator documents (optional)
+ type: string
+ Security_Detections_API_ThreatMapping:
+ description: "Array of entries objects that define mappings between the source event fields and the values in the Elasticsearch threat index. Each entries object must contain these fields:\n\n- field: field from the event indices on which the rule runs\n- type: must be mapping\n- value: field from the Elasticsearch threat index\n \nYou can use Boolean and and or logic to define the conditions for when matching fields and values generate alerts. Sibling entries objects are evaluated using or logic, whereas multiple entries in a single entries object use and logic. See Example of Threat Match rule which uses both `and` and `or` logic.\n"
+ items:
+ properties:
+ entries:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatMappingEntry'
+ type: array
+ required:
+ - entries
+ type: object
+ minItems: 1
+ type: array
+ Security_Detections_API_ThreatMappingEntry:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ negate:
+ type: boolean
+ type:
+ enum:
+ - mapping
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ required:
+ - field
+ - type
+ - value
+ type: object
+ Security_Detections_API_ThreatMatchRule:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields'
+ Security_Detections_API_ThreatMatchRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields'
+ Security_Detections_API_ThreatMatchRuleCreateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields'
+ Security_Detections_API_ThreatMatchRuleDefaultableFields:
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ type: object
+ Security_Detections_API_ThreatMatchRuleOptionalFields:
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ concurrent_searches:
+ $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ items_per_search:
+ $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch'
+ saved_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
+ threat_filters:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatFilters'
+ threat_indicator_path:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath'
+ threat_language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ type: object
+ Security_Detections_API_ThreatMatchRulePatchFields:
+ allOf:
+ - properties:
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ threat_index:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatIndex'
+ threat_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatMapping'
+ threat_query:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatQuery'
+ type:
+ description: Rule type
+ enum:
+ - threat_match
+ type: string
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields'
+ Security_Detections_API_ThreatMatchRulePatchProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields'
+ Security_Detections_API_ThreatMatchRuleRequiredFields:
+ properties:
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ threat_index:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatIndex'
+ threat_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatMapping'
+ threat_query:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatQuery'
+ type:
+ description: Rule type
+ enum:
+ - threat_match
+ type: string
+ required:
+ - type
+ - query
+ - threat_query
+ - threat_mapping
+ - threat_index
+ type: object
+ Security_Detections_API_ThreatMatchRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
+ - properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ required:
+ - language
+ type: object
+ Security_Detections_API_ThreatMatchRuleUpdateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields'
+ Security_Detections_API_ThreatQuery:
+ description: Query used to determine which fields in the Elasticsearch index are used for generating alerts.
+ type: string
+ Security_Detections_API_ThreatSubtechnique:
+ properties:
+ id:
+ description: Subtechnique ID
+ type: string
+ name:
+ description: Subtechnique name
+ type: string
+ reference:
+ description: Subtechnique reference
+ type: string
+ required:
+ - id
+ - name
+ - reference
+ type: object
+ Security_Detections_API_ThreatTactic:
+ description: |
+ Object containing information on the attack type
+ properties:
+ id:
+ description: Tactic ID
+ type: string
+ name:
+ description: Tactic name
+ type: string
+ reference:
+ description: Tactic reference
+ type: string
+ required:
+ - id
+ - name
+ - reference
+ type: object
+ Security_Detections_API_ThreatTechnique:
+ properties:
+ id:
+ description: Technique ID
+ type: string
+ name:
+ description: Technique name
+ type: string
+ reference:
+ description: Technique reference
+ type: string
+ subtechnique:
+ description: |
+ Array containing more specific information on the attack technique.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique'
+ type: array
+ required:
+ - id
+ - name
+ - reference
+ type: object
+ Security_Detections_API_Threshold:
+ properties:
+ cardinality:
+ $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality'
+ field:
+ $ref: '#/components/schemas/Security_Detections_API_ThresholdField'
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_ThresholdValue'
+ required:
+ - field
+ - value
+ type: object
+ Security_Detections_API_ThresholdAlertSuppression:
+ description: Defines alert suppression configuration.
+ properties:
+ duration:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration'
+ required:
+ - duration
+ type: object
+ Security_Detections_API_ThresholdCardinality:
+ description: The field on which the cardinality is applied.
+ items:
+ properties:
+ field:
+ description: The field on which to calculate and compare the cardinality.
+ type: string
+ value:
+ description: The threshold value from which an alert is generated based on unique number of values of cardinality.field.
+ minimum: 0
+ type: integer
+ required:
+ - field
+ - value
+ type: object
+ type: array
+ Security_Detections_API_ThresholdField:
+ description: The field on which the threshold is applied. If you specify an empty array ([]), alerts are generated when the query returns at least the number of results specified in the value field.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ maxItems: 5
+ minItems: 0
+ type: array
+ Security_Detections_API_ThresholdRule:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields'
+ Security_Detections_API_ThresholdRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
+ Security_Detections_API_ThresholdRuleCreateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields'
+ Security_Detections_API_ThresholdRuleDefaultableFields:
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ type: object
+ Security_Detections_API_ThresholdRuleOptionalFields:
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ saved_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
+ type: object
+ Security_Detections_API_ThresholdRulePatchFields:
+ allOf:
+ - properties:
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ threshold:
+ $ref: '#/components/schemas/Security_Detections_API_Threshold'
+ type:
+ description: Rule type
+ enum:
+ - threshold
+ type: string
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
+ Security_Detections_API_ThresholdRulePatchProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields'
+ Security_Detections_API_ThresholdRuleRequiredFields:
+ properties:
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ threshold:
+ $ref: '#/components/schemas/Security_Detections_API_Threshold'
+ type:
+ description: Rule type
+ enum:
+ - threshold
+ type: string
+ required:
+ - type
+ - query
+ - threshold
+ type: object
+ Security_Detections_API_ThresholdRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
+ - properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ required:
+ - language
+ type: object
+ Security_Detections_API_ThresholdRuleUpdateProps:
+ allOf:
+ - properties:
+ actions:
+ description: Array defining the automated actions (notifications) taken when alerts are generated.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ description: |
+ Elasticsearch fields and their types that need to be present for the rule to function.
+ > info
+ > The value of `required_fields` does not affect the rule’s behavior, and specifying it incorrectly won’t cause the rule to fail. Use `required_fields` as an informational property to document the fields that the rule expects to be present in the data.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ type: object
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields'
+ Security_Detections_API_ThresholdValue:
+ description: The threshold value from which an alert is generated.
+ minimum: 1
+ type: integer
+ Security_Detections_API_ThrottleForBulkActions:
+ description: |
+ Defines the maximum interval in which a rule’s actions are executed.
+ > info
+ > The rule level `throttle` field is deprecated in Elastic Security 8.8 and will remain active for at least the next 12 months.
+ > In Elastic Security 8.8 and later, you can use the `frequency` field to define frequencies for individual actions. Actions without frequencies will acquire a converted version of the rule’s `throttle` field. In the response, the converted `throttle` setting appears in the individual actions' `frequency` field.
+ enum:
+ - rule
+ - 1h
+ - 1d
+ - 7d
+ type: string
+ Security_Detections_API_TiebreakerField:
+ description: Sets a secondary field for sorting events
+ type: string
+ Security_Detections_API_TimelineTemplateId:
+ description: Timeline template ID
+ type: string
+ Security_Detections_API_TimelineTemplateTitle:
+ description: Timeline template title
+ type: string
+ Security_Detections_API_TimestampField:
+ description: Specifies the name of the event timestamp field used for sorting a sequence of events. Not to be confused with `timestamp_override`, which specifies the more general field used for querying events within a range. Defaults to the @timestamp ECS field.
+ type: string
+ Security_Detections_API_TimestampOverride:
+ description: Sets the time field used to query indices. When unspecified, rules query the `@timestamp` field. The source field must be an Elasticsearch date data type.
+ type: string
+ Security_Detections_API_TimestampOverrideFallbackDisabled:
+ description: Disables the fallback to the event's @timestamp field
+ type: boolean
+ Security_Detections_API_UUID:
+ description: A universally unique identifier
+ format: uuid
+ type: string
+ Security_Detections_API_WarningSchema:
+ properties:
+ actionPath:
+ type: string
+ buttonLabel:
+ type: string
+ message:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ - message
+ - actionPath
+ type: object
+ Security_Endpoint_Exceptions_API_EndpointList:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList'
+ - additionalProperties: false
+ type: object
+ Security_Endpoint_Exceptions_API_EndpointListItem:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
+ Security_Endpoint_Exceptions_API_ExceptionList:
+ properties:
+ _version:
+ description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
+ type: string
+ created_at:
+ description: Autogenerated date of object creation.
+ format: date-time
+ type: string
+ created_by:
+ description: Autogenerated value - user that created object.
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription'
+ id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId'
+ immutable:
+ type: boolean
+ list_id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta'
+ name:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType'
+ os_types:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray'
+ tags:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags'
+ tie_breaker_id:
+ description: Field used in search to ensure all containers are sorted and returned correctly.
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType'
+ updated_at:
+ description: Autogenerated date of last object update.
+ format: date-time
+ type: string
+ updated_by:
+ description: Autogenerated value - user that last updated object.
+ type: string
+ version:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion'
+ required:
+ - id
+ - list_id
+ - type
+ - name
+ - description
+ - immutable
+ - namespace_type
+ - version
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListDescription:
+ description: Describes the exception list.
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListHumanId:
+ description: The exception list's human readable string identifier, `endpoint_list`.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListId:
+ description: Exception list's identifier.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListItem:
+ properties:
+ _version:
+ description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
+ type: string
+ comments:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
+ created_at:
+ description: Autogenerated date of object creation.
+ format: date-time
+ type: string
+ created_by:
+ description: Autogenerated value - user that created object.
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
+ entries:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
+ expire_time:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime'
+ id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
+ item_id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ list_id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
+ name:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType'
+ os_types:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
+ tags:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
+ tie_breaker_id:
+ description: Field used in search to ensure all containers are sorted and returned correctly.
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
+ updated_at:
+ description: Autogenerated date of last object update.
+ format: date-time
+ type: string
+ updated_by:
+ description: Autogenerated value - user that last updated object.
+ type: string
+ required:
+ - id
+ - item_id
+ - list_id
+ - type
+ - name
+ - description
+ - entries
+ - namespace_type
+ - comments
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListItemComment:
+ properties:
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ created_at:
+ description: Autogenerated date of object creation.
+ format: date-time
+ type: string
+ created_by:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ updated_at:
+ description: Autogenerated date of last object update.
+ format: date-time
+ type: string
+ updated_by:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ required:
+ - id
+ - comment
+ - created_at
+ - created_by
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray:
+ description: |
+ Array of comment fields:
+
+ - comment (string): Comments about the exception item.
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment'
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListItemDescription:
+ description: Describes the exception list.
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntry:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard'
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry'
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - exists
+ type: string
+ required:
+ - type
+ - field
+ - operator
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryList:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ list:
+ properties:
+ id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId'
+ type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType'
+ required:
+ - id
+ - type
+ type: object
+ operator:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - list
+ type: string
+ required:
+ - type
+ - field
+ - list
+ - operator
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - match
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ required:
+ - type
+ - field
+ - value
+ - operator
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - match_any
+ type: string
+ value:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ minItems: 1
+ type: array
+ required:
+ - type
+ - field
+ - value
+ - operator
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - wildcard
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ required:
+ - type
+ - field
+ - value
+ - operator
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested:
+ properties:
+ entries:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem'
+ minItems: 1
+ type: array
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ type:
+ enum:
+ - nested
+ type: string
+ required:
+ - type
+ - field
+ - entries
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists'
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator:
+ enum:
+ - excluded
+ - included
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListItemExpireTime:
+ description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
+ format: date-time
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListItemHumanId:
+ description: Human readable string identifier, e.g. `trusted-linux-processes`
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListItemId:
+ description: Exception's identifier.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListItemMeta:
+ additionalProperties: true
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListItemName:
+ description: Exception list name.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType'
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListItemTags:
+ items:
+ description: String array containing words and phrases to help categorize exception items.
+ format: nonempty
+ minLength: 1
+ type: string
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListItemType:
+ enum:
+ - simple
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListMeta:
+ additionalProperties: true
+ description: Placeholder for metadata about the list container.
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListName:
+ description: The name of the exception list.
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListOsType:
+ description: Use this field to specify the operating system.
+ enum:
+ - linux
+ - macos
+ - windows
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray:
+ description: Use this field to specify the operating system. Only enter one value.
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType'
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListTags:
+ description: String array containing words and phrases to help categorize exception containers.
+ items:
+ type: string
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListType:
+ description: The type of exception list to be created. Different list types may denote where they can be utilized.
+ enum:
+ - detection
+ - rule_default
+ - endpoint
+ - endpoint_trusted_apps
+ - endpoint_trusted_devices
+ - endpoint_events
+ - endpoint_host_isolation_exceptions
+ - endpoint_blocklists
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListVersion:
+ description: The document version, automatically increasd on updates.
+ minimum: 1
+ type: integer
+ Security_Endpoint_Exceptions_API_ExceptionNamespaceType:
+ description: |
+ Determines whether the exception container is available in all Kibana spaces or just the space
+ in which it is created, where:
+
+ - `single`: Only available in the Kibana space in which it is created.
+ - `agnostic`: Available in all Kibana spaces.
+ enum:
+ - agnostic
+ - single
+ type: string
+ Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ Security_Endpoint_Exceptions_API_ListId:
+ description: Value list's identifier.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Endpoint_Exceptions_API_ListType:
+ description: |
+ Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
+
+ - `keyword`: Many ECS fields are Elasticsearch keywords
+ - `ip`: IP addresses
+ - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
+ enum:
+ - binary
+ - boolean
+ - byte
+ - date
+ - date_nanos
+ - date_range
+ - double
+ - double_range
+ - float
+ - float_range
+ - geo_point
+ - geo_shape
+ - half_float
+ - integer
+ - integer_range
+ - ip
+ - ip_range
+ - keyword
+ - long
+ - long_range
+ - shape
+ - short
+ - text
+ type: string
+ Security_Endpoint_Exceptions_API_NonEmptyString:
+ description: A string that does not contain only whitespace characters
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Endpoint_Exceptions_API_PlatformErrorResponse:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: integer
+ required:
+ - statusCode
+ - error
+ - message
+ type: object
+ Security_Endpoint_Exceptions_API_SiemErrorResponse:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - status_code
+ - message
+ type: object
+ Security_Endpoint_Management_API_ActionDetailsResponse:
+ discriminator:
+ mapping:
+ cancel: '#/components/schemas/Security_Endpoint_Management_API_Cancel'
+ execute: '#/components/schemas/Security_Endpoint_Management_API_Execute'
+ get-file: '#/components/schemas/Security_Endpoint_Management_API_GetFile'
+ isolate: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ kill-process: '#/components/schemas/Security_Endpoint_Management_API_KillProcess'
+ running-processes: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses'
+ runscript: '#/components/schemas/Security_Endpoint_Management_API_Runscript'
+ scan: '#/components/schemas/Security_Endpoint_Management_API_Scan'
+ suspend-process: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess'
+ unisolate: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ upload: '#/components/schemas/Security_Endpoint_Management_API_Upload'
+ propertyName: command
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcess'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFile'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_Execute'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_Runscript'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_Upload'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_Scan'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_Cancel'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_Isolate'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_Unisolate'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcess'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcesses'
+ Security_Endpoint_Management_API_ActionStateSuccessResponse:
+ properties:
+ body:
+ properties:
+ data:
+ properties:
+ canEncrypt:
+ type: boolean
+ type: object
+ required:
+ - data
+ type: object
+ required:
+ - body
+ type: object
+ Security_Endpoint_Management_API_ActionStatusSuccessResponse:
+ properties:
+ body:
+ properties:
+ data:
+ properties:
+ agent_id:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId'
+ pending_actions:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema'
+ required:
+ - agent_id
+ - pending_actions
+ type: object
+ required:
+ - data
+ type: object
+ required:
+ - body
+ type: object
+ Security_Endpoint_Management_API_AgentId:
+ description: Agent ID
+ type: string
+ Security_Endpoint_Management_API_AgentIds:
+ description: A list of agent IDs. Max of 50.
+ minLength: 1
+ oneOf:
+ - items:
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ - minLength: 1
+ type: string
+ Security_Endpoint_Management_API_AgentTypes:
+ description: List of agent types to retrieve. Defaults to `endpoint`.
+ enum:
+ - endpoint
+ - sentinel_one
+ - crowdstrike
+ - microsoft_defender_endpoint
+ type: string
+ Security_Endpoint_Management_API_Cancel:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ - properties:
+ outputs:
+ additionalProperties:
+ properties:
+ content:
+ properties:
+ code:
+ type: string
+ type: object
+ type: object
+ type: object
+ parameters:
+ properties:
+ id:
+ format: uuid
+ type: string
+ type: object
+ type: object
+ Security_Endpoint_Management_API_CancelRouteRequestBody:
+ allOf:
+ - properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ case_ids:
+ description: The IDs of cases where the action taken will be logged.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ type: object
+ - properties:
+ parameters:
+ properties:
+ id:
+ description: ID of the response action to cancel
+ minLength: 1
+ type: string
+ required:
+ - id
+ type: object
+ required:
+ - parameters
+ type: object
+ Security_Endpoint_Management_API_CloudFileScriptParameters:
+ properties:
+ cloudFile:
+ description: Script name in cloud storage.
+ minLength: 1
+ type: string
+ commandLine:
+ description: Command line arguments.
+ minLength: 1
+ type: string
+ timeout:
+ description: Timeout in seconds.
+ minimum: 1
+ type: integer
+ required:
+ - cloudFile
+ type: object
+ Security_Endpoint_Management_API_Command:
+ description: The command for the response action
+ enum:
+ - isolate
+ - unisolate
+ - kill-process
+ - suspend-process
+ - running-processes
+ - get-file
+ - execute
+ - upload
+ - scan
+ - runscript
+ - cancel
+ minLength: 1
+ type: string
+ Security_Endpoint_Management_API_Commands:
+ description: A list of response action command names.
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
+ type: array
+ Security_Endpoint_Management_API_Comment:
+ description: Optional comment
+ type: string
+ Security_Endpoint_Management_API_DownloadUri:
+ properties:
+ downloadUri:
+ description: |
+ The server relative URI to download the file associated with the output of the response action.
+ URI does **not** include the space prefix
+ format: uri-reference
+ type: string
+ type: object
+ Security_Endpoint_Management_API_EndDate:
+ description: An end date in ISO format or Date Math format.
+ type: string
+ Security_Endpoint_Management_API_EndpointIds:
+ description: List of endpoint IDs (cannot contain empty strings)
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ Security_Endpoint_Management_API_EndpointMetadataResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_Execute:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ - properties:
+ outputs:
+ additionalProperties:
+ properties:
+ content:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
+ - properties:
+ code:
+ type: string
+ cwd:
+ type: string
+ output_file_id:
+ type: string
+ output_file_stderr_truncated:
+ type: boolean
+ output_file_stdout_truncated:
+ type: boolean
+ shell_code:
+ type: number
+ stderr:
+ type: string
+ stderr_truncated:
+ type: boolean
+ stdout:
+ type: string
+ stdout_truncated:
+ type: boolean
+ type: object
+ type: object
+ type: object
+ parameters:
+ properties:
+ command:
+ type: string
+ timeout:
+ type: number
+ type: object
+ type: object
+ Security_Endpoint_Management_API_ExecuteRouteRequestBody:
+ allOf:
+ - properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ case_ids:
+ description: The IDs of cases where the action taken will be logged.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ type: object
+ - properties:
+ parameters:
+ properties:
+ command:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
+ timeout:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Timeout'
+ required:
+ - command
+ type: object
+ required:
+ - parameters
+ type: object
+ Security_Endpoint_Management_API_ExecuteRouteResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_GetEndpointActionListResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_GetFile:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ - properties:
+ outputs:
+ additionalProperties:
+ properties:
+ content:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
+ - properties:
+ code:
+ type: string
+ contents:
+ items:
+ properties:
+ file_name:
+ type: string
+ path:
+ type: string
+ sha256:
+ type: string
+ size:
+ type: number
+ type:
+ type: string
+ type: object
+ type: array
+ zip_size:
+ type: number
+ type: object
+ type: object
+ type: object
+ parameters:
+ properties:
+ path:
+ type: string
+ type: object
+ type: object
+ Security_Endpoint_Management_API_GetFileRouteRequestBody:
+ allOf:
+ - properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ case_ids:
+ description: The IDs of cases where the action taken will be logged.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ type: object
+ - properties:
+ parameters:
+ properties:
+ path:
+ type: string
+ required:
+ - path
+ type: object
+ required:
+ - parameters
+ type: object
+ Security_Endpoint_Management_API_GetFileRouteResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_GetProcessesRouteRequestBody:
+ properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ case_ids:
+ description: The IDs of cases where the action taken will be logged.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ type: object
+ Security_Endpoint_Management_API_GetProcessesRouteResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_HostPathScriptParameters:
+ properties:
+ commandLine:
+ description: Command line arguments.
+ minLength: 1
+ type: string
+ hostPath:
+ description: Absolute or relative path of script on host machine.
+ minLength: 1
+ type: string
+ timeout:
+ description: Timeout in seconds.
+ minimum: 1
+ type: integer
+ required:
+ - hostPath
+ type: object
+ Security_Endpoint_Management_API_HostStatuses:
+ description: A set of agent health statuses to filter by.
+ items:
+ enum:
+ - healthy
+ - offline
+ - updating
+ - inactive
+ - unenrolled
+ type: string
+ type: array
+ Security_Endpoint_Management_API_Isolate:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ Security_Endpoint_Management_API_IsolateRouteResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_KillProcess:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ - properties:
+ outputs:
+ additionalProperties:
+ properties:
+ content:
+ oneOf:
+ - properties:
+ code:
+ type: string
+ command:
+ type: string
+ pid:
+ type: number
+ type: object
+ - properties:
+ code:
+ type: string
+ command:
+ type: string
+ entity_id:
+ type: string
+ type: object
+ - properties:
+ code:
+ type: string
+ command:
+ type: string
+ process_name:
+ type: string
+ type: object
+ type: object
+ type: object
+ parameters:
+ oneOf:
+ - properties:
+ pid:
+ description: The process ID (PID) of the process to terminate.
+ minimum: 1
+ type: number
+ type: object
+ - properties:
+ entity_id:
+ description: The entity ID of the process to terminate.
+ minLength: 1
+ type: string
+ type: object
+ - properties:
+ process_name:
+ description: The name of the process to terminate. Valid for SentinelOne agent type only.
+ type: string
+ type: object
+ type: object
+ Security_Endpoint_Management_API_KillProcessRouteRequestBody:
+ allOf:
+ - properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ case_ids:
+ description: The IDs of cases where the action taken will be logged.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ type: object
+ - properties:
+ parameters:
+ oneOf:
+ - properties:
+ pid:
+ description: The process ID (PID) of the process to terminate.
+ minimum: 1
+ type: integer
+ type: object
+ - properties:
+ entity_id:
+ description: The entity ID of the process to terminate.
+ minLength: 1
+ type: string
+ type: object
+ - properties:
+ process_name:
+ description: The name of the process to terminate. Valid for SentinelOne agent type only.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - parameters
+ type: object
+ Security_Endpoint_Management_API_KillProcessRouteResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_Kuery:
+ description: A KQL string.
+ type: string
+ Security_Endpoint_Management_API_MDERunScriptParameters:
+ description: Parameters for Run Script response action against Microsoft Defender Endpoint agent type.
+ properties:
+ args:
+ description: Optional command line arguments for the script.
+ minLength: 1
+ type: string
+ scriptName:
+ description: The name of the script to execute from the cloud storage.
+ minLength: 1
+ type: string
+ required:
+ - scriptName
+ title: Microsoft Defender Endpoint Run Script Parameters
+ type: object
+ Security_Endpoint_Management_API_MetadataListResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_Page:
+ default: 1
+ description: Page number
+ minimum: 1
+ type: integer
+ Security_Endpoint_Management_API_PageSize:
+ default: 10
+ description: Number of items per page
+ maximum: 100
+ minimum: 1
+ type: integer
+ Security_Endpoint_Management_API_Parameters:
+ description: Optional parameters object
+ type: object
+ Security_Endpoint_Management_API_PendingActionDataType:
+ type: integer
+ Security_Endpoint_Management_API_PendingActionsSchema:
+ oneOf:
+ - properties:
+ execute:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ get-file:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ isolate:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ kill-process:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ running-processes:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ scan:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ suspend-process:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ unisolate:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ upload:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ type: object
+ - additionalProperties: true
+ type: object
+ Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse:
+ properties:
+ note:
+ type: string
+ type: object
+ Security_Endpoint_Management_API_RawScriptParameters:
+ properties:
+ commandLine:
+ description: Command line arguments.
+ minLength: 1
+ type: string
+ raw:
+ description: Raw script content.
+ minLength: 1
+ type: string
+ timeout:
+ description: Timeout in seconds.
+ minimum: 1
+ type: integer
+ required:
+ - raw
+ type: object
+ Security_Endpoint_Management_API_ResponseActionCreateSuccessResponse:
+ properties:
+ data:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ type: object
+ Security_Endpoint_Management_API_ResponseActionDetails:
+ properties:
+ agentState:
+ additionalProperties:
+ format: uuid
+ properties:
+ completedAt:
+ description: The date and time the response action was completed for the agent ID
+ type: string
+ isCompleted:
+ description: Whether the response action is completed for the agent ID
+ type: boolean
+ wasSuccessful:
+ description: Whether the response action was successful for the agent ID
+ type: boolean
+ type: object
+ description: The state of the response action for each agent ID that it was sent to
+ type: object
+ agentType:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ agents:
+ description: The agent IDs for the hosts that the response action was sent to
+ items:
+ format: uuid
+ type: string
+ type: array
+ command:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
+ completedAt:
+ description: The response action completion time
+ format: date-time
+ type: string
+ createdBy:
+ description: The user who created the response action
+ type: string
+ hosts:
+ additionalProperties:
+ format: uuid
+ properties:
+ name:
+ description: The host name
+ type: string
+ type: object
+ description: An object containing the host names associated with the agent IDs the response action was sent to
+ type: object
+ id:
+ description: The response action ID
+ format: uuid
+ type: string
+ isComplete:
+ description: Whether the response action is complete
+ type: boolean
+ isExpired:
+ description: Whether the response action is expired
+ type: boolean
+ outputs:
+ additionalProperties:
+ description: The agent id
+ format: uuid
+ properties:
+ content:
+ description: The response action output content for the agent ID. Exact format depends on the response action command.
+ oneOf:
+ - type: object
+ - type: string
+ type:
+ enum:
+ - json
+ - text
+ type: string
+ required:
+ - type
+ - content
+ title: Agent ID
+ type: object
+ description: |
+ The outputs of the response action for each agent ID that it was sent to. Content different depending on the
+ response action command and will only be present for agents that have responded to the response action
+ type: object
+ parameters:
+ description: The parameters of the response action. Content different depending on the response action command
+ type: object
+ startedAt:
+ description: The response action start time
+ format: date-time
+ type: string
+ status:
+ description: The response action status
+ type: string
+ wasSuccessful:
+ description: Whether the response action was successful
+ type: boolean
+ required:
+ - command
+ type: object
+ Security_Endpoint_Management_API_RunScriptRouteRequestBody:
+ allOf:
+ - properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ case_ids:
+ description: The IDs of cases where the action taken will be logged.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ type: object
+ - properties:
+ parameters:
+ description: |
+ One of the following set of parameters must be provided
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_RawScriptParameters'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_HostPathScriptParameters'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_CloudFileScriptParameters'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_SentinelOneRunScriptParameters'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_MDERunScriptParameters'
+ required:
+ - parameters
+ type: object
+ Security_Endpoint_Management_API_RunningProcesses:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ - properties:
+ outputs:
+ additionalProperties:
+ properties:
+ content:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputEndpoint'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne'
+ type: object
+ type: object
+ type: object
+ Security_Endpoint_Management_API_RunningProcessesOutputEndpoint:
+ description: Processes output for `agentType` of `endpoint`
+ properties:
+ code:
+ type: string
+ entries:
+ items:
+ properties:
+ command:
+ type: string
+ entity_id:
+ type: string
+ pid:
+ type: number
+ user:
+ type: string
+ type: object
+ type: array
+ type: object
+ Security_Endpoint_Management_API_RunningProcessesOutputSentinelOne:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
+ - description: Processes output for `agentType` of `sentinel_one`
+ properties:
+ code:
+ type: string
+ type: object
+ Security_Endpoint_Management_API_Runscript:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ - properties:
+ outputs:
+ additionalProperties:
+ properties:
+ content:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_DownloadUri'
+ - properties:
+ code:
+ type: string
+ stderr:
+ type: string
+ stdout:
+ type: string
+ type: object
+ type: object
+ type: object
+ parameters:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsCrowdStrike'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsMicrosoft'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_RunscriptParamsSentinelOne'
+ type: object
+ Security_Endpoint_Management_API_RunscriptParamsCrowdStrike:
+ properties:
+ cloudFile:
+ type: string
+ commandLine:
+ type: string
+ hostPath:
+ type: string
+ raw:
+ type: string
+ timeout:
+ type: number
+ type: object
+ Security_Endpoint_Management_API_RunscriptParamsMicrosoft:
+ properties:
+ args:
+ type: string
+ scriptName:
+ type: string
+ type: object
+ Security_Endpoint_Management_API_RunscriptParamsSentinelOne:
+ properties:
+ scriptId:
+ type: string
+ scriptInput:
+ type: string
+ type: object
+ Security_Endpoint_Management_API_Scan:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ - properties:
+ outputs:
+ additionalProperties:
+ properties:
+ content:
+ properties:
+ code:
+ type: string
+ type: object
+ type: object
+ type: object
+ parameters:
+ properties:
+ path:
+ type: string
+ type: object
+ type: object
+ Security_Endpoint_Management_API_ScanRouteRequestBody:
+ allOf:
+ - properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ case_ids:
+ description: The IDs of cases where the action taken will be logged.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ type: object
+ - properties:
+ parameters:
+ properties:
+ path:
+ description: The folder or file’s full path (including the file name).
+ type: string
+ required:
+ - path
+ type: object
+ required:
+ - parameters
+ type: object
+ Security_Endpoint_Management_API_ScanRouteResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_SentinelOneRunScriptParameters:
+ description: Parameters for Run Script response action against SentinelOne agent type.
+ properties:
+ inputParams:
+ description: The input parameter arguments for the script that was selected.
+ minLength: 1
+ type: string
+ script:
+ description: The script ID from SentinelOne scripts library that will be executed.
+ minLength: 1
+ type: string
+ required:
+ - script
+ title: SentinelOne Run Script Parameters
+ type: object
+ Security_Endpoint_Management_API_SortDirection:
+ description: Determines the sort order.
+ enum:
+ - asc
+ - desc
+ type: string
+ Security_Endpoint_Management_API_SortField:
+ description: Determines which field is used to sort the results.
+ enum:
+ - enrolled_at
+ - metadata.host.hostname
+ - host_status
+ - metadata.Endpoint.policy.applied.name
+ - metadata.Endpoint.policy.applied.status
+ - metadata.host.os.name
+ - metadata.host.ip
+ - metadata.agent.version
+ - last_checkin
+ type: string
+ Security_Endpoint_Management_API_StartDate:
+ description: A start date in ISO 8601 format or Date Math format.
+ type: string
+ Security_Endpoint_Management_API_SuccessResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_SuspendProcess:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ - properties:
+ outputs:
+ additionalProperties:
+ properties:
+ content:
+ oneOf:
+ - properties:
+ code:
+ type: string
+ command:
+ type: string
+ pid:
+ type: number
+ type: object
+ - properties:
+ code:
+ type: string
+ command:
+ type: string
+ entity_id:
+ type: string
+ type: object
+ type: object
+ type: object
+ parameters:
+ oneOf:
+ - properties:
+ pid:
+ description: The process ID (PID) of the process to terminate.
+ minimum: 1
+ type: number
+ type: object
+ - properties:
+ entity_id:
+ description: The entity ID of the process to terminate.
+ minLength: 1
+ type: string
+ type: object
+ type: object
+ Security_Endpoint_Management_API_SuspendProcessRouteRequestBody:
+ allOf:
+ - properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ case_ids:
+ description: The IDs of cases where the action taken will be logged.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ type: object
+ - properties:
+ parameters:
+ oneOf:
+ - properties:
+ pid:
+ description: The process ID (PID) of the process to suspend.
+ minimum: 1
+ type: integer
+ type: object
+ - properties:
+ entity_id:
+ description: The entity ID of the process to suspend.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - parameters
+ type: object
+ Security_Endpoint_Management_API_SuspendProcessRouteResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_Timeout:
+ description: The maximum timeout value in milliseconds (optional)
+ minimum: 1
+ type: integer
+ Security_Endpoint_Management_API_Type:
+ description: Type of response action
+ enum:
+ - automated
+ - manual
+ type: string
+ Security_Endpoint_Management_API_Types:
+ description: List of types of response actions
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Type'
+ maxLength: 2
+ minLength: 1
+ type: array
+ Security_Endpoint_Management_API_Unisolate:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ Security_Endpoint_Management_API_UnisolateRouteResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_Upload:
+ allOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_ResponseActionDetails'
+ - properties:
+ outputs:
+ additionalProperties:
+ properties:
+ content:
+ properties:
+ code:
+ type: string
+ disk_free_space:
+ type: number
+ path:
+ type: string
+ type: object
+ type: object
+ type: object
+ parameters:
+ description: |
+ The parameters for upload returned on the details are derived via the API from the file that
+ was uploaded at the time that the response action was submitted
+ properties:
+ file_id:
+ type: string
+ file_name:
+ type: string
+ file_sha256:
+ type: string
+ file_size:
+ type: number
+ type: object
+ type: object
+ Security_Endpoint_Management_API_UploadRouteRequestBody:
+ allOf:
+ - properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ description: If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ case_ids:
+ description: The IDs of cases where the action taken will be logged.
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ type: object
+ - properties:
+ file:
+ description: The binary content of the file.
+ format: binary
+ type: string
+ parameters:
+ properties:
+ overwrite:
+ default: false
+ description: Overwrite the file on the host if it already exists.
+ type: boolean
+ type: object
+ required:
+ - parameters
+ - file
+ type: object
+ Security_Endpoint_Management_API_UploadRouteResponse:
+ properties: {}
+ type: object
+ Security_Endpoint_Management_API_UserIds:
+ description: A list of user IDs.
+ oneOf:
+ - items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ - minLength: 1
+ type: string
+ Security_Endpoint_Management_API_WithOutputs:
+ description: A list of action IDs that should include the complete output of the action.
+ oneOf:
+ - items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ - minLength: 1
+ type: string
+ Security_Entity_Analytics_API_Asset:
+ additionalProperties: false
+ properties:
+ business_unit:
+ type: string
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ environment:
+ type: string
+ id:
+ type: string
+ model:
+ type: string
+ name:
+ type: string
+ owner:
+ type: string
+ serial_number:
+ type: string
+ vendor:
+ type: string
+ type: object
+ Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem:
+ properties:
+ index:
+ type: integer
+ message:
+ type: string
+ required:
+ - message
+ - index
+ type: object
+ Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats:
+ properties:
+ failed:
+ type: integer
+ successful:
+ type: integer
+ total:
+ type: integer
+ required:
+ - successful
+ - failed
+ - total
+ type: object
+ Security_Entity_Analytics_API_AssetCriticalityLevel:
+ description: The criticality level of the asset.
+ enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ Security_Entity_Analytics_API_AssetCriticalityLevelsForBulkUpload:
+ description: The criticality level of the asset for bulk upload. The value `unassigned` is used to indicate that the criticality level is not assigned and is only used for bulk upload.
+ enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ - unassigned
+ type: string
+ Security_Entity_Analytics_API_AssetCriticalityRecord:
+ allOf:
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts'
+ - properties:
+ '@timestamp':
+ description: The time the record was created or updated.
+ format: date-time
+ type: string
+ required:
+ - '@timestamp'
+ type: object
+ Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts:
+ properties:
+ asset:
+ properties:
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - asset
+ type: object
+ entity:
+ properties:
+ asset:
+ properties:
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - criticality
+ type: object
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ host:
+ properties:
+ asset:
+ properties:
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - criticality
+ type: object
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ service:
+ properties:
+ asset:
+ properties:
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - criticality
+ type: object
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ user:
+ properties:
+ asset:
+ properties:
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - criticality
+ type: object
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ required:
+ - asset
+ type: object
+ Security_Entity_Analytics_API_AssetCriticalityRecordIdParts:
+ properties:
+ id_field:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField'
+ description: The field representing the ID.
+ id_value:
+ description: The ID value of the asset.
+ type: string
+ required:
+ - id_value
+ - id_field
+ type: object
+ Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse:
+ properties:
+ cleanup_successful:
+ type: boolean
+ errors:
+ items:
+ properties:
+ error:
+ type: string
+ seq:
+ type: integer
+ required:
+ - seq
+ - error
+ type: object
+ type: array
+ required:
+ - cleanup_successful
+ - errors
+ type: object
+ Security_Entity_Analytics_API_ConfigureRiskEngineSavedObjectErrorResponse:
+ properties:
+ errors:
+ items:
+ properties:
+ error:
+ type: string
+ seq:
+ type: integer
+ required:
+ - seq
+ - error
+ type: object
+ type: array
+ risk_engine_saved_object_configured:
+ type: boolean
+ required:
+ - risk_engine_saved_object_configured
+ - errors
+ type: object
+ Security_Entity_Analytics_API_CreateAssetCriticalityRecord:
+ allOf:
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'
+ - properties:
+ criticality_level:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - criticality_level
+ type: object
+ Security_Entity_Analytics_API_EngineComponentResource:
+ enum:
+ - entity_engine
+ - entity_definition
+ - index
+ - data_stream
+ - component_template
+ - index_template
+ - ingest_pipeline
+ - enrich_policy
+ - task
+ - transform
+ - ilm_policy
+ type: string
+ Security_Entity_Analytics_API_EngineComponentStatus:
+ properties:
+ errors:
+ items:
+ properties:
+ message:
+ type: string
+ title:
+ type: string
+ type: object
+ type: array
+ health:
+ enum:
+ - green
+ - yellow
+ - red
+ - unavailable
+ - unknown
+ type: string
+ id:
+ type: string
+ installed:
+ type: boolean
+ metadata:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_Metadata'
+ resource:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource'
+ required:
+ - id
+ - installed
+ - resource
+ type: object
+ Security_Entity_Analytics_API_EngineDataviewUpdateResult:
+ properties:
+ changes:
+ properties:
+ indexPatterns:
+ items:
+ type: string
+ type: array
+ type: object
+ type:
+ type: string
+ required:
+ - type
+ type: object
+ Security_Entity_Analytics_API_EngineDescriptor:
+ properties:
+ delay:
+ default: 1m
+ pattern: '[smdh]$'
+ type: string
+ docsPerSecond:
+ type: integer
+ error:
+ properties:
+ action:
+ enum:
+ - init
+ type: string
+ message:
+ type: string
+ required:
+ - message
+ - action
+ type: object
+ fieldHistoryLength:
+ type: integer
+ filter:
+ type: string
+ frequency:
+ default: 1m
+ pattern: '[smdh]$'
+ type: string
+ indexPattern:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
+ lookbackPeriod:
+ default: 24h
+ pattern: '[smdh]$'
+ type: string
+ status:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus'
+ timeout:
+ default: 180s
+ pattern: '[smdh]$'
+ type: string
+ timestampField:
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
+ required:
+ - type
+ - indexPattern
+ - status
+ - fieldHistoryLength
+ type: object
+ Security_Entity_Analytics_API_EngineMetadata:
+ additionalProperties: false
+ properties:
+ Type:
+ type: string
+ required:
+ - Type
+ type: object
+ Security_Entity_Analytics_API_EngineStatus:
+ enum:
+ - installing
+ - started
+ - stopped
+ - updating
+ - error
+ type: string
+ Security_Entity_Analytics_API_EntitiesContainer:
+ properties:
+ entities:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityContainer'
+ type: array
+ required:
+ - entities
+ type: object
+ Security_Entity_Analytics_API_Entity:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity'
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity'
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_ServiceEntity'
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_GenericEntity'
+ Security_Entity_Analytics_API_EntityAnalyticsPrivileges:
+ properties:
+ has_all_required:
+ type: boolean
+ has_read_permissions:
+ type: boolean
+ has_write_permissions:
+ type: boolean
+ privileges:
+ properties:
+ elasticsearch:
+ properties:
+ cluster:
+ additionalProperties:
+ type: boolean
+ type: object
+ index:
+ additionalProperties:
+ additionalProperties:
+ type: boolean
+ type: object
+ type: object
+ type: object
+ kibana:
+ additionalProperties:
+ type: boolean
+ type: object
+ required:
+ - elasticsearch
+ type: object
+ required:
+ - has_all_required
+ - privileges
+ type: object
+ Security_Entity_Analytics_API_EntityContainer:
+ properties:
+ record:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
+ type:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
+ required:
+ - type
+ - record
+ type: object
+ Security_Entity_Analytics_API_EntityField:
+ additionalProperties: false
+ properties:
+ EngineMetadata:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineMetadata'
+ attributes:
+ additionalProperties: false
+ properties:
+ asset:
+ type: boolean
+ managed:
+ type: boolean
+ mfa_enabled:
+ type: boolean
+ privileged:
+ type: boolean
+ type: object
+ behaviors:
+ additionalProperties: false
+ properties:
+ brute_force_victim:
+ type: boolean
+ new_country_login:
+ type: boolean
+ used_usb_device:
+ type: boolean
+ type: object
+ id:
+ type: string
+ lifecycle:
+ additionalProperties: false
+ properties:
+ first_seen:
+ format: date-time
+ type: string
+ last_activity:
+ format: date-time
+ type: string
+ type: object
+ name:
+ type: string
+ relationships:
+ additionalProperties: false
+ properties:
+ accessed_frequently_by:
+ items:
+ type: string
+ type: array
+ accesses_frequently:
+ items:
+ type: string
+ type: array
+ communicates_with:
+ items:
+ type: string
+ type: array
+ dependent_of:
+ items:
+ type: string
+ type: array
+ depends_on:
+ items:
+ type: string
+ type: array
+ owned_by:
+ items:
+ type: string
+ type: array
+ owns:
+ items:
+ type: string
+ type: array
+ supervised_by:
+ items:
+ type: string
+ type: array
+ supervises:
+ items:
+ type: string
+ type: array
+ type: object
+ risk:
+ additionalProperties: false
+ properties:
+ calculated_level:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels'
+ description: Lexical description of the entity's risk.
+ calculated_score:
+ description: The raw numeric value of the given entity's risk score.
+ format: double
+ type: number
+ calculated_score_norm:
+ description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
+ format: double
+ maximum: 100
+ minimum: 0
+ type: number
+ type: object
+ source:
+ type: string
+ sub_type:
+ type: string
+ type:
+ type: string
+ required:
+ - id
+ type: object
+ Security_Entity_Analytics_API_EntityRiskLevels:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ Security_Entity_Analytics_API_EntityRiskScoreRecord:
+ properties:
+ '@timestamp':
+ description: The time at which the risk score was calculated.
+ format: date-time
+ type: string
+ calculated_level:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels'
+ description: Lexical description of the entity's risk.
+ calculated_score:
+ description: The raw numeric value of the given entity's risk score.
+ format: double
+ type: number
+ calculated_score_norm:
+ description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
+ format: double
+ maximum: 100
+ minimum: 0
+ type: number
+ category_1_count:
+ description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`).
+ type: integer
+ category_1_score:
+ description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts.
+ format: double
+ type: number
+ category_2_count:
+ type: integer
+ category_2_score:
+ format: double
+ type: number
+ criticality_level:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ criticality_modifier:
+ format: double
+ type: number
+ id_field:
+ description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored.
+ type: string
+ id_value:
+ description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored.
+ type: string
+ inputs:
+ description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput'
+ type: array
+ notes:
+ items:
+ type: string
+ type: array
+ required:
+ - '@timestamp'
+ - id_field
+ - id_value
+ - calculated_level
+ - calculated_score
+ - calculated_score_norm
+ - category_1_score
+ - category_1_count
+ - inputs
+ - notes
+ type: object
+ Security_Entity_Analytics_API_EntityType:
+ enum:
+ - user
+ - host
+ - service
+ - generic
+ type: string
+ Security_Entity_Analytics_API_GenericEntity:
+ additionalProperties: false
+ properties:
+ '@timestamp':
+ format: date-time
+ type: string
+ asset:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
+ additionalProperties: false
+ entity:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
+ required:
+ - entity
+ type: object
+ Security_Entity_Analytics_API_HostEntity:
+ additionalProperties: false
+ properties:
+ '@timestamp':
+ format: date-time
+ type: string
+ asset:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
+ additionalProperties: false
+ entity:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
+ event:
+ additionalProperties: false
+ properties:
+ ingested:
+ format: date-time
+ type: string
+ type: object
+ host:
+ additionalProperties: false
+ properties:
+ architecture:
+ items:
+ type: string
+ type: array
+ domain:
+ items:
+ type: string
+ type: array
+ entity:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
+ hostname:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ ip:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ risk:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
+ type:
+ items:
+ type: string
+ type: array
+ required:
+ - name
+ type: object
+ required:
+ - entity
+ type: object
+ Security_Entity_Analytics_API_IdField:
+ enum:
+ - host.name
+ - user.name
+ - service.name
+ - entity.id
+ type: string
+ Security_Entity_Analytics_API_IndexPattern:
+ type: string
+ Security_Entity_Analytics_API_InspectQuery:
+ properties:
+ dsl:
+ items:
+ type: string
+ type: array
+ response:
+ items:
+ type: string
+ type: array
+ required:
+ - dsl
+ - response
+ type: object
+ Security_Entity_Analytics_API_Interval:
+ description: Interval in which enrich policy runs. For example, `"1h"` means the rule runs every hour. Must be less than or equal to half the duration of the lookback period,
+ pattern: ^[1-9]\d*[smh]$
+ type: string
+ Security_Entity_Analytics_API_Metadata:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_TransformStatsMetadata'
+ Security_Entity_Analytics_API_MonitoredUserDoc:
+ allOf:
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoredUserUpdateDoc'
+ - properties:
+ '@timestamp':
+ format: date-time
+ type: string
+ event:
+ properties:
+ ingested:
+ format: date-time
+ type: string
+ type: object
+ user:
+ properties:
+ entity:
+ properties:
+ attributes:
+ properties:
+ Privileged:
+ description: Indicates if the user is privileged.
+ type: boolean
+ type: object
+ type: object
+ is_privileged:
+ description: Indicates if the user is privileged.
+ type: boolean
+ name:
+ type: string
+ type: object
+ type: object
+ Security_Entity_Analytics_API_MonitoredUserUpdateDoc:
+ properties:
+ entity_analytics_monitoring:
+ properties:
+ labels:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_MonitoringLabel'
+ type: array
+ type: object
+ id:
+ type: string
+ labels:
+ properties:
+ source_ids:
+ items:
+ type: string
+ type: array
+ source_integrations:
+ items:
+ type: string
+ type: array
+ sources:
+ items:
+ enum:
+ - csv
+ - index_sync
+ - api
+ type: array
+ type: object
+ user:
+ properties:
+ is_privileged:
+ description: Indicates if the user is privileged.
+ type: boolean
+ name:
+ type: string
+ type: object
+ type: object
+ Security_Entity_Analytics_API_MonitoringEngineDescriptor:
+ properties:
+ error:
+ properties:
+ message:
+ description: Error message typically only present if the engine is in error state
+ type: string
+ type: object
+ status:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus'
+ required:
+ - status
+ type: object
+ Security_Entity_Analytics_API_MonitoringLabel:
+ properties:
+ field:
+ type: string
+ source:
+ type: string
+ value:
+ type: string
+ required:
+ - field
+ - value
+ - source
+ type: object
+ Security_Entity_Analytics_API_PrivilegeMonitoringEngineStatus:
+ description: The status of the Privilege Monitoring Engine
+ enum:
+ - started
+ - error
+ - disabled
+ - not_installed
+ type: string
+ Security_Entity_Analytics_API_PrivmonUserCsvUploadErrorItem:
+ properties:
+ index:
+ nullable: true
+ type: integer
+ x-omitempty: true
+ message:
+ type: string
+ username:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - message
+ - index
+ - username
+ type: object
+ Security_Entity_Analytics_API_PrivmonUserCsvUploadStats:
+ properties:
+ failed:
+ type: integer
+ successful:
+ type: integer
+ total:
+ type: integer
+ required:
+ - successful
+ - failed
+ - total
+ type: object
+ Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse:
+ properties:
+ full_error:
+ type: string
+ message:
+ type: string
+ required:
+ - message
+ - full_error
+ type: object
+ Security_Entity_Analytics_API_RiskEngineScheduleNowResponse:
+ properties:
+ success:
+ type: boolean
+ type: object
+ Security_Entity_Analytics_API_RiskScoreInput:
+ description: A generic representation of a document contributing to a Risk Score.
+ properties:
+ category:
+ description: The risk category of the risk input document.
+ type: string
+ contribution_score:
+ format: double
+ type: number
+ description:
+ description: A human-readable description of the risk input document.
+ type: string
+ id:
+ description: The unique identifier (`_id`) of the original source document
+ type: string
+ index:
+ description: The unique index (`_index`) of the original source document
+ type: string
+ risk_score:
+ description: The weighted risk score of the risk input document.
+ format: double
+ maximum: 100
+ minimum: 0
+ type: number
+ timestamp:
+ description: The @timestamp of the risk input document.
+ type: string
+ required:
+ - id
+ - index
+ - description
+ - category
+ type: object
+ Security_Entity_Analytics_API_ServiceEntity:
+ additionalProperties: false
+ properties:
+ '@timestamp':
+ format: date-time
+ type: string
+ asset:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
+ additionalProperties: false
+ entity:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
+ event:
+ additionalProperties: false
+ properties:
+ ingested:
+ format: date-time
+ type: string
+ type: object
+ service:
+ additionalProperties: false
+ properties:
+ entity:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
+ name:
+ type: string
+ risk:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
+ required:
+ - name
+ type: object
+ required:
+ - entity
+ type: object
+ Security_Entity_Analytics_API_StoreStatus:
+ enum:
+ - not_installed
+ - installing
+ - running
+ - stopped
+ - error
+ type: string
+ Security_Entity_Analytics_API_TaskManagerUnavailableResponse:
+ description: Task manager is unavailable
+ properties:
+ message:
+ type: string
+ status_code:
+ minimum: 400
+ type: integer
+ required:
+ - status_code
+ - message
+ type: object
+ Security_Entity_Analytics_API_TransformStatsMetadata:
+ properties:
+ delete_time_in_ms:
+ type: integer
+ documents_deleted:
+ type: integer
+ documents_indexed:
+ type: integer
+ documents_processed:
+ type: integer
+ exponential_avg_checkpoint_duration_ms:
+ type: integer
+ exponential_avg_documents_indexed:
+ type: integer
+ exponential_avg_documents_processed:
+ type: integer
+ index_failures:
+ type: integer
+ index_time_in_ms:
+ type: integer
+ index_total:
+ type: integer
+ pages_processed:
+ type: integer
+ processing_time_in_ms:
+ type: integer
+ processing_total:
+ type: integer
+ search_failures:
+ type: integer
+ search_time_in_ms:
+ type: integer
+ search_total:
+ type: integer
+ trigger_count:
+ type: integer
+ required:
+ - pages_processed
+ - documents_processed
+ - documents_indexed
+ - trigger_count
+ - index_time_in_ms
+ - index_total
+ - index_failures
+ - search_time_in_ms
+ - search_total
+ - search_failures
+ - processing_time_in_ms
+ - processing_total
+ - exponential_avg_checkpoint_duration_ms
+ - exponential_avg_documents_indexed
+ - exponential_avg_documents_processed
+ type: object
+ Security_Entity_Analytics_API_UserEntity:
+ additionalProperties: false
+ properties:
+ '@timestamp':
+ format: date-time
+ type: string
+ asset:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_Asset'
+ additionalProperties: false
+ entity:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityField'
+ event:
+ additionalProperties: false
+ properties:
+ ingested:
+ format: date-time
+ type: string
+ type: object
+ user:
+ additionalProperties: false
+ properties:
+ domain:
+ items:
+ type: string
+ type: array
+ email:
+ items:
+ type: string
+ type: array
+ full_name:
+ items:
+ type: string
+ type: array
+ hash:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ risk:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
+ additionalProperties: false
+ roles:
+ items:
+ type: string
+ type: array
+ required:
+ - name
+ type: object
+ required:
+ - entity
+ type: object
+ Security_Entity_Analytics_API_UserName:
+ properties:
+ user:
+ properties:
+ name:
+ description: The name of the user.
+ type: string
+ type: object
+ type: object
+ Security_Exceptions_API_CreateExceptionListItemComment:
+ properties:
+ comment:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - comment
+ type: object
+ Security_Exceptions_API_CreateExceptionListItemCommentArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment'
+ type: array
+ Security_Exceptions_API_CreateRuleExceptionListItemComment:
+ properties:
+ comment:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - comment
+ type: object
+ Security_Exceptions_API_CreateRuleExceptionListItemCommentArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment'
+ type: array
+ Security_Exceptions_API_CreateRuleExceptionListItemProps:
+ properties:
+ comments:
+ $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray'
+ default: []
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
+ entries:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
+ expire_time:
+ format: date-time
+ type: string
+ item_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ os_types:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
+ default: []
+ tags:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
+ default: []
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
+ required:
+ - type
+ - name
+ - description
+ - entries
+ type: object
+ Security_Exceptions_API_ExceptionList:
+ properties:
+ _version:
+ description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
+ type: string
+ created_at:
+ description: Autogenerated date of object creation.
+ format: date-time
+ type: string
+ created_by:
+ description: Autogenerated value - user that created object.
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
+ immutable:
+ type: boolean
+ list_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ os_types:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
+ tags:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
+ tie_breaker_id:
+ description: Field used in search to ensure all containers are sorted and returned correctly.
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
+ updated_at:
+ description: Autogenerated date of last object update.
+ format: date-time
+ type: string
+ updated_by:
+ description: Autogenerated value - user that last updated object.
+ type: string
+ version:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
+ required:
+ - id
+ - list_id
+ - type
+ - name
+ - description
+ - immutable
+ - namespace_type
+ - version
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ type: object
+ Security_Exceptions_API_ExceptionListDescription:
+ description: Describes the exception list.
+ type: string
+ Security_Exceptions_API_ExceptionListHumanId:
+ description: The exception list's human readable string identifier, `endpoint_list`.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Exceptions_API_ExceptionListId:
+ description: Exception list's identifier.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Exceptions_API_ExceptionListItem:
+ properties:
+ _version:
+ description: The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.
+ type: string
+ comments:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray'
+ created_at:
+ description: Autogenerated date of object creation.
+ format: date-time
+ type: string
+ created_by:
+ description: Autogenerated value - user that created object.
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
+ entries:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
+ expire_time:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemExpireTime'
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
+ item_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ list_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ os_types:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
+ tags:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
+ tie_breaker_id:
+ description: Field used in search to ensure all containers are sorted and returned correctly.
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
+ updated_at:
+ description: Autogenerated date of last object update.
+ format: date-time
+ type: string
+ updated_by:
+ description: Autogenerated value - user that last updated object.
+ type: string
+ required:
+ - id
+ - item_id
+ - list_id
+ - type
+ - name
+ - description
+ - entries
+ - namespace_type
+ - comments
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ type: object
+ Security_Exceptions_API_ExceptionListItemComment:
+ properties:
+ comment:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ created_at:
+ description: Autogenerated date of object creation.
+ format: date-time
+ type: string
+ created_by:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ updated_at:
+ description: Autogenerated date of last object update.
+ format: date-time
+ type: string
+ updated_by:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - id
+ - comment
+ - created_at
+ - created_by
+ type: object
+ Security_Exceptions_API_ExceptionListItemCommentArray:
+ description: |
+ Array of comment fields:
+
+ - comment (string): Comments about the exception item.
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment'
+ type: array
+ Security_Exceptions_API_ExceptionListItemDescription:
+ description: Describes the exception list.
+ type: string
+ Security_Exceptions_API_ExceptionListItemEntry:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard'
+ Security_Exceptions_API_ExceptionListItemEntryArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry'
+ type: array
+ Security_Exceptions_API_ExceptionListItemEntryExists:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - exists
+ type: string
+ required:
+ - type
+ - field
+ - operator
+ type: object
+ Security_Exceptions_API_ExceptionListItemEntryList:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ list:
+ properties:
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ListId'
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ListType'
+ required:
+ - id
+ - type
+ type: object
+ operator:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - list
+ type: string
+ required:
+ - type
+ - field
+ - list
+ - operator
+ type: object
+ Security_Exceptions_API_ExceptionListItemEntryMatch:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - match
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - type
+ - field
+ - value
+ - operator
+ type: object
+ Security_Exceptions_API_ExceptionListItemEntryMatchAny:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - match_any
+ type: string
+ value:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ minItems: 1
+ type: array
+ required:
+ - type
+ - field
+ - value
+ - operator
+ type: object
+ Security_Exceptions_API_ExceptionListItemEntryMatchWildcard:
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - wildcard
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - type
+ - field
+ - value
+ - operator
+ type: object
+ Security_Exceptions_API_ExceptionListItemEntryNested:
+ properties:
+ entries:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem'
+ minItems: 1
+ type: array
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ type:
+ enum:
+ - nested
+ type: string
+ required:
+ - type
+ - field
+ - entries
+ type: object
+ Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists'
+ Security_Exceptions_API_ExceptionListItemEntryOperator:
+ enum:
+ - excluded
+ - included
+ type: string
+ Security_Exceptions_API_ExceptionListItemExpireTime:
+ description: The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.
+ format: date-time
+ type: string
+ Security_Exceptions_API_ExceptionListItemHumanId:
+ description: Human readable string identifier, e.g. `trusted-linux-processes`
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Exceptions_API_ExceptionListItemId:
+ description: Exception's identifier.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Exceptions_API_ExceptionListItemMeta:
+ additionalProperties: true
+ type: object
+ Security_Exceptions_API_ExceptionListItemName:
+ description: Exception list name.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Exceptions_API_ExceptionListItemOsTypeArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType'
+ type: array
+ Security_Exceptions_API_ExceptionListItemTags:
+ items:
+ description: String array containing words and phrases to help categorize exception items.
+ format: nonempty
+ minLength: 1
+ type: string
+ type: array
+ Security_Exceptions_API_ExceptionListItemType:
+ enum:
+ - simple
+ type: string
+ Security_Exceptions_API_ExceptionListMeta:
+ additionalProperties: true
+ description: Placeholder for metadata about the list container.
+ type: object
+ Security_Exceptions_API_ExceptionListName:
+ description: The name of the exception list.
+ type: string
+ Security_Exceptions_API_ExceptionListOsType:
+ description: Use this field to specify the operating system.
+ enum:
+ - linux
+ - macos
+ - windows
+ type: string
+ Security_Exceptions_API_ExceptionListOsTypeArray:
+ description: Use this field to specify the operating system. Only enter one value.
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType'
+ type: array
+ Security_Exceptions_API_ExceptionListTags:
+ description: String array containing words and phrases to help categorize exception containers.
+ items:
+ type: string
+ type: array
+ Security_Exceptions_API_ExceptionListType:
+ description: The type of exception list to be created. Different list types may denote where they can be utilized.
+ enum:
+ - detection
+ - rule_default
+ - endpoint
+ - endpoint_trusted_apps
+ - endpoint_trusted_devices
+ - endpoint_events
+ - endpoint_host_isolation_exceptions
+ - endpoint_blocklists
+ type: string
+ Security_Exceptions_API_ExceptionListVersion:
+ description: The document version, automatically increasd on updates.
+ minimum: 1
+ type: integer
+ Security_Exceptions_API_ExceptionListsImportBulkError:
+ properties:
+ error:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - status_code
+ - message
+ type: object
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
+ item_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ list_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ required:
+ - error
+ type: object
+ Security_Exceptions_API_ExceptionListsImportBulkErrorArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError'
+ type: array
+ Security_Exceptions_API_ExceptionNamespaceType:
+ description: |
+ Determines whether the exception container is available in all Kibana spaces or just the space
+ in which it is created, where:
+
+ - `single`: Only available in the Kibana space in which it is created.
+ - `agnostic`: Available in all Kibana spaces.
+ enum:
+ - agnostic
+ - single
+ type: string
+ Security_Exceptions_API_FindExceptionListItemsFilter:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ Security_Exceptions_API_FindExceptionListsFilter:
+ type: string
+ Security_Exceptions_API_ListId:
+ description: Value list's identifier.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Exceptions_API_ListType:
+ description: |
+ Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
+
+ - `keyword`: Many ECS fields are Elasticsearch keywords
+ - `ip`: IP addresses
+ - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
+ enum:
+ - binary
+ - boolean
+ - byte
+ - date
+ - date_nanos
+ - date_range
+ - double
+ - double_range
+ - float
+ - float_range
+ - geo_point
+ - geo_shape
+ - half_float
+ - integer
+ - integer_range
+ - ip
+ - ip_range
+ - keyword
+ - long
+ - long_range
+ - shape
+ - short
+ - text
+ type: string
+ Security_Exceptions_API_NonEmptyString:
+ description: A string that does not contain only whitespace characters
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Exceptions_API_PlatformErrorResponse:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: integer
+ required:
+ - statusCode
+ - error
+ - message
+ type: object
+ Security_Exceptions_API_RuleId:
+ $ref: '#/components/schemas/Security_Exceptions_API_UUID'
+ Security_Exceptions_API_SiemErrorResponse:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - status_code
+ - message
+ type: object
+ Security_Exceptions_API_UUID:
+ description: A universally unique identifier
+ format: uuid
+ type: string
+ Security_Exceptions_API_UpdateExceptionListItemComment:
+ properties:
+ comment:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - comment
+ type: object
+ Security_Exceptions_API_UpdateExceptionListItemCommentArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment'
+ type: array
+ Security_Lists_API_FindListItemsCursor:
+ description: Returns the items that come after the last item returned in the previous call (use the `cursor` value returned in the previous call). This parameter uses the `tie_breaker_id` field to ensure all items are sorted and returned correctly.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Lists_API_FindListItemsFilter:
+ type: string
+ Security_Lists_API_FindListsCursor:
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Lists_API_FindListsFilter:
+ type: string
+ Security_Lists_API_List:
+ properties:
+ '@timestamp':
+ format: date-time
+ type: string
+ _version:
+ $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
+ created_at:
+ description: Autogenerated date of object creation.
+ format: date-time
+ type: string
+ created_by:
+ description: Autogenerated value - user that created object.
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Lists_API_ListDescription'
+ deserializer:
+ $ref: '#/components/schemas/Security_Lists_API_ListDeserializer'
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ immutable:
+ type: boolean
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Lists_API_ListName'
+ serializer:
+ $ref: '#/components/schemas/Security_Lists_API_ListSerializer'
+ tie_breaker_id:
+ description: Field used in search to ensure all containers are sorted and returned correctly.
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Lists_API_ListType'
+ updated_at:
+ description: Autogenerated date of last object update.
+ format: date-time
+ type: string
+ updated_by:
+ description: Autogenerated value - user that last updated object.
+ type: string
+ version:
+ $ref: '#/components/schemas/Security_Lists_API_ListVersion'
+ required:
+ - id
+ - type
+ - name
+ - description
+ - immutable
+ - version
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ type: object
+ Security_Lists_API_ListDescription:
+ description: Describes the value list.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Lists_API_ListDeserializer:
+ description: |
+ Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:
+
+ - `{{{value}}}` - Single value item types, such as `ip`, `long`, `date`, `keyword`, and `text`.
+ - `{{{gte}}}-{{{lte}}}` - Range value item types, such as `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`.
+ - `{{{gte}}},{{{lte}}}` - Date range values.
+ type: string
+ Security_Lists_API_ListId:
+ description: Value list's identifier.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Lists_API_ListItem:
+ properties:
+ '@timestamp':
+ format: date-time
+ type: string
+ _version:
+ $ref: '#/components/schemas/Security_Lists_API_ListVersionId'
+ created_at:
+ description: Autogenerated date of object creation.
+ format: date-time
+ type: string
+ created_by:
+ description: Autogenerated value - user that created object.
+ type: string
+ deserializer:
+ $ref: '#/components/schemas/Security_Lists_API_ListDeserializer'
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemId'
+ list_id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
+ serializer:
+ $ref: '#/components/schemas/Security_Lists_API_ListSerializer'
+ tie_breaker_id:
+ description: Field used in search to ensure all containers are sorted and returned correctly.
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Lists_API_ListType'
+ updated_at:
+ description: Autogenerated date of last object update.
+ format: date-time
+ type: string
+ updated_by:
+ description: Autogenerated value - user that last updated object.
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
+ required:
+ - id
+ - type
+ - list_id
+ - value
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ type: object
+ Security_Lists_API_ListItemId:
+ description: Value list item's identifier.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Lists_API_ListItemMetadata:
+ additionalProperties: true
+ description: Placeholder for metadata about the value list item.
+ type: object
+ Security_Lists_API_ListItemPrivileges:
+ properties:
+ application:
+ additionalProperties:
+ type: boolean
+ type: object
+ cluster:
+ additionalProperties:
+ type: boolean
+ type: object
+ has_all_requested:
+ type: boolean
+ index:
+ additionalProperties:
+ additionalProperties:
+ type: boolean
+ type: object
+ type: object
+ username:
+ type: string
+ required:
+ - username
+ - has_all_requested
+ - cluster
+ - index
+ - application
+ type: object
+ Security_Lists_API_ListItemValue:
+ description: The value used to evaluate exceptions.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Lists_API_ListMetadata:
+ additionalProperties: true
+ description: Placeholder for metadata about the value list.
+ type: object
+ Security_Lists_API_ListName:
+ description: Value list's name.
+ format: nonempty
+ minLength: 1
+ type: string
+ Security_Lists_API_ListPrivileges:
+ properties:
+ application:
+ additionalProperties:
+ type: boolean
+ type: object
+ cluster:
+ additionalProperties:
+ type: boolean
+ type: object
+ has_all_requested:
+ type: boolean
+ index:
+ additionalProperties:
+ additionalProperties:
+ type: boolean
+ type: object
+ type: object
+ username:
+ type: string
+ required:
+ - username
+ - has_all_requested
+ - cluster
+ - index
+ - application
+ type: object
+ Security_Lists_API_ListSerializer:
+ description: |
+ Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:
+
+ - `(?.+)` - Single value item types, such as ip, long, date, keyword, and text.
+ - `(?.+)-(?.+)|(?.+)` - Range value item types, such as `date_range`, `ip_range`, `double_range`, `float_range`, `integer_range`, and `long_range`.
+ type: string
+ Security_Lists_API_ListType:
+ description: |
+ Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:
+
+ - `keyword`: Many ECS fields are Elasticsearch keywords
+ - `ip`: IP addresses
+ - `ip_range`: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)
+ enum:
+ - binary
+ - boolean
+ - byte
+ - date
+ - date_nanos
+ - date_range
+ - double
+ - double_range
+ - float
+ - float_range
+ - geo_point
+ - geo_shape
+ - half_float
+ - integer
+ - integer_range
+ - ip
+ - ip_range
+ - keyword
+ - long
+ - long_range
+ - shape
+ - short
+ - text
+ type: string
+ Security_Lists_API_ListVersion:
+ description: The document version number.
+ minimum: 1
+ type: integer
+ Security_Lists_API_ListVersionId:
+ description: |
+ The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.
+ type: string
+ Security_Lists_API_PlatformErrorResponse:
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: integer
+ required:
+ - statusCode
+ - error
+ - message
+ type: object
+ Security_Lists_API_SiemErrorResponse:
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - status_code
+ - message
+ type: object
+ Security_Osquery_API_ArrayQueries:
+ description: An array of queries to run.
+ items:
+ $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem'
+ type: array
+ Security_Osquery_API_ArrayQueriesItem:
+ properties:
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
+ id:
+ $ref: '#/components/schemas/Security_Osquery_API_QueryId'
+ platform:
+ $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
+ query:
+ $ref: '#/components/schemas/Security_Osquery_API_Query'
+ removed:
+ $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined'
+ snapshot:
+ $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
+ version:
+ $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
+ type: object
+ Security_Osquery_API_CreateLiveQueryRequestBody:
+ properties:
+ agent_all:
+ description: When `true`, the query runs on all agents.
+ type: boolean
+ agent_ids:
+ description: A list of agent IDs to run the query on.
+ items:
+ type: string
+ type: array
+ agent_platforms:
+ description: A list of agent platforms to run the query on.
+ items:
+ type: string
+ type: array
+ agent_policy_ids:
+ description: A list of agent policy IDs to run the query on.
+ items:
+ type: string
+ type: array
+ alert_ids:
+ description: A list of alert IDs associated with the live query.
+ items:
+ type: string
+ type: array
+ case_ids:
+ description: A list of case IDs associated with the live query.
+ items:
+ type: string
+ type: array
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
+ event_ids:
+ description: A list of event IDs associated with the live query.
+ items:
+ type: string
+ type: array
+ metadata:
+ description: Custom metadata object associated with the live query.
+ nullable: true
+ type: object
+ x-omitempty: true
+ pack_id:
+ $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined'
+ queries:
+ $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries'
+ query:
+ $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
+ saved_query_id:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined'
+ type: object
+ Security_Osquery_API_CreateLiveQueryResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_CreatePacksRequestBody:
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined'
+ enabled:
+ $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
+ name:
+ $ref: '#/components/schemas/Security_Osquery_API_PackName'
+ policy_ids:
+ $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined'
+ queries:
+ $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
+ shards:
+ $ref: '#/components/schemas/Security_Osquery_API_Shards'
+ type: object
+ Security_Osquery_API_CreatePacksResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_CreateSavedQueryRequestBody:
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
+ id:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ interval:
+ $ref: '#/components/schemas/Security_Osquery_API_Interval'
+ platform:
+ $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
+ query:
+ $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
+ removed:
+ $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined'
+ snapshot:
+ $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
+ version:
+ $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
+ type: object
+ Security_Osquery_API_CreateSavedQueryResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_DefaultSuccessResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_ECSMapping:
+ additionalProperties:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
+ description: Map osquery results columns or static values to Elastic Common Schema (ECS) fields
+ type: object
+ Security_Osquery_API_ECSMappingItem:
+ properties:
+ field:
+ description: The ECS field to map to.
+ type: string
+ value:
+ description: The value to map to the ECS field.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ type: object
+ Security_Osquery_API_ECSMappingOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_Enabled:
+ description: Enables the pack.
+ type: boolean
+ Security_Osquery_API_EnabledOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Enabled'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_FindLiveQueryDetailsResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_FindLiveQueryResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_FindPackResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_FindPacksResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_FindSavedQueryDetailResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_FindSavedQueryResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_GetLiveQueryResultsResponse:
+ description: The response for getting live query results.
+ properties: {}
+ type: object
+ Security_Osquery_API_Interval:
+ description: An interval, in seconds, on which to run the query.
+ type: string
+ Security_Osquery_API_IntervalOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Interval'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_KueryOrUndefined:
+ description: The kuery to filter the results by.
+ nullable: true
+ type: string
+ x-omitempty: true
+ Security_Osquery_API_ObjectQueries:
+ additionalProperties:
+ $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem'
+ description: An object of queries.
+ type: object
+ Security_Osquery_API_ObjectQueriesItem:
+ properties:
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
+ id:
+ $ref: '#/components/schemas/Security_Osquery_API_QueryId'
+ platform:
+ $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
+ query:
+ $ref: '#/components/schemas/Security_Osquery_API_Query'
+ removed:
+ $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined'
+ saved_query_id:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined'
+ snapshot:
+ $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
+ version:
+ $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
+ type: object
+ Security_Osquery_API_PackDescription:
+ description: The pack description.
+ type: string
+ Security_Osquery_API_PackDescriptionOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_PackDescription'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_PackId:
+ description: The ID of the pack you want to run, retrieve, update, or delete.
+ type: string
+ Security_Osquery_API_PackIdOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_PackId'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_PackName:
+ description: The pack name.
+ type: string
+ Security_Osquery_API_PageOrUndefined:
+ description: The page number to return. The default is 1.
+ nullable: true
+ type: integer
+ x-omitempty: true
+ Security_Osquery_API_PageSizeOrUndefined:
+ description: The number of results to return per page. The default is 20.
+ nullable: true
+ type: integer
+ x-omitempty: true
+ Security_Osquery_API_Platform:
+ description: Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, `linux,darwin`.
+ type: string
+ Security_Osquery_API_PlatformOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Platform'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_PolicyIds:
+ description: A list of agents policy IDs.
+ items:
+ type: string
+ type: array
+ Security_Osquery_API_PolicyIdsOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_Query:
+ description: The SQL query you want to run.
+ type: string
+ Security_Osquery_API_QueryId:
+ description: The ID of the query.
+ type: string
+ Security_Osquery_API_QueryOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Query'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_Removed:
+ description: Indicates whether the query is removed.
+ type: boolean
+ Security_Osquery_API_RemovedOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Removed'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_SavedQueryDescription:
+ description: The saved query description.
+ type: string
+ Security_Osquery_API_SavedQueryDescriptionOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescription'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_SavedQueryId:
+ description: The ID of a saved query.
+ type: string
+ Security_Osquery_API_SavedQueryIdOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_Shards:
+ additionalProperties:
+ type: number
+ description: An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
+ type: object
+ Security_Osquery_API_Snapshot:
+ description: Indicates whether the query is a snapshot.
+ type: boolean
+ Security_Osquery_API_SnapshotOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
+ nullable: true
+ x-omitempty: true
+ Security_Osquery_API_SortOrUndefined:
+ default: createdAt
+ description: The field that is used to sort the results.
+ nullable: true
+ type: string
+ x-omitempty: true
+ Security_Osquery_API_SortOrderOrUndefined:
+ description: Specifies the sort order.
+ enum:
+ - asc
+ - desc
+ type: string
+ Security_Osquery_API_UpdatePacksRequestBody:
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Osquery_API_PackDescriptionOrUndefined'
+ enabled:
+ $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
+ name:
+ $ref: '#/components/schemas/Security_Osquery_API_PackName'
+ policy_ids:
+ $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined'
+ queries:
+ $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
+ shards:
+ $ref: '#/components/schemas/Security_Osquery_API_Shards'
+ type: object
+ Security_Osquery_API_UpdatePacksResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_UpdateSavedQueryRequestBody:
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryDescriptionOrUndefined'
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
+ id:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ interval:
+ $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined'
+ platform:
+ $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
+ query:
+ $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
+ removed:
+ $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined'
+ snapshot:
+ $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
+ version:
+ $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
+ type: object
+ Security_Osquery_API_UpdateSavedQueryResponse:
+ properties: {}
+ type: object
+ Security_Osquery_API_Version:
+ description: Uses the Osquery versions greater than or equal to the specified version string.
+ type: string
+ Security_Osquery_API_VersionOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Version'
+ nullable: true
+ x-omitempty: true
+ Security_Timeline_API_AssociatedFilterType:
+ description: Filter notes based on their association with a document or saved object.
+ enum:
+ - all
+ - document_only
+ - saved_object_only
+ - document_and_saved_object
+ - orphan
+ type: string
+ Security_Timeline_API_BareNote:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_NoteCreatedAndUpdatedMetadata'
+ - properties:
+ eventId:
+ description: The `_id` of the associated event for this note.
+ nullable: true
+ type: string
+ x-omitempty: true
+ note:
+ description: The text of the note
+ nullable: true
+ type: string
+ x-omitempty: true
+ timelineId:
+ description: The `savedObjectId` of the Timeline that this note is associated with
+ type: string
+ required:
+ - timelineId
+ type: object
+ Security_Timeline_API_BarePinnedEvent:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata'
+ - properties:
+ eventId:
+ description: The `_id` of the associated event for this pinned event.
+ type: string
+ timelineId:
+ description: The `savedObjectId` of the timeline that this pinned event is associated with
+ type: string
+ required:
+ - eventId
+ - timelineId
+ type: object
+ Security_Timeline_API_ColumnHeaderResult:
+ properties:
+ aggregatable:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ category:
+ nullable: true
+ type: string
+ x-omitempty: true
+ columnHeaderType:
+ nullable: true
+ type: string
+ x-omitempty: true
+ description:
+ nullable: true
+ type: string
+ x-omitempty: true
+ id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ indexes:
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ placeholder:
+ nullable: true
+ type: string
+ x-omitempty: true
+ searchable:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ type:
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_DataProviderQueryMatch:
+ properties:
+ enabled:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ excluded:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ kqlQuery:
+ nullable: true
+ type: string
+ x-omitempty: true
+ name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ queryMatch:
+ $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult'
+ nullable: true
+ x-omitempty: true
+ type:
+ $ref: '#/components/schemas/Security_Timeline_API_DataProviderType'
+ nullable: true
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_DataProviderResult:
+ properties:
+ and:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch'
+ nullable: true
+ type: array
+ x-omitempty: true
+ enabled:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ excluded:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ kqlQuery:
+ nullable: true
+ type: string
+ x-omitempty: true
+ name:
+ nullable: true
+ type: string
+ x-omitempty: true
+ queryMatch:
+ $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult'
+ nullable: true
+ x-omitempty: true
+ type:
+ $ref: '#/components/schemas/Security_Timeline_API_DataProviderType'
+ nullable: true
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_DataProviderType:
+ description: The type of data provider.
+ enum:
+ - default
+ - template
+ type: string
+ Security_Timeline_API_DocumentIds:
+ oneOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ Security_Timeline_API_FavoriteTimelineResponse:
+ properties:
+ favorite:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult'
+ type: array
+ savedObjectId:
+ type: string
+ templateTimelineId:
+ nullable: true
+ type: string
+ x-omitempty: true
+ templateTimelineVersion:
+ nullable: true
+ type: number
+ x-omitempty: true
+ timelineType:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ version:
+ type: string
+ required:
+ - savedObjectId
+ - version
+ type: object
+ Security_Timeline_API_FavoriteTimelineResult:
+ description: Indicates when and who marked a Timeline as a favorite.
+ properties:
+ favoriteDate:
+ nullable: true
+ type: number
+ x-omitempty: true
+ fullName:
+ nullable: true
+ type: string
+ x-omitempty: true
+ userName:
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_FilterTimelineResult:
+ properties:
+ exists:
+ nullable: true
+ type: string
+ x-omitempty: true
+ match_all:
+ nullable: true
+ type: string
+ x-omitempty: true
+ meta:
+ nullable: true
+ properties:
+ alias:
+ nullable: true
+ type: string
+ x-omitempty: true
+ controlledBy:
+ nullable: true
+ type: string
+ x-omitempty: true
+ disabled:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ field:
+ nullable: true
+ type: string
+ x-omitempty: true
+ formattedValue:
+ nullable: true
+ type: string
+ x-omitempty: true
+ index:
+ nullable: true
+ type: string
+ x-omitempty: true
+ key:
+ nullable: true
+ type: string
+ x-omitempty: true
+ negate:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ params:
+ nullable: true
+ type: string
+ x-omitempty: true
+ type:
+ nullable: true
+ type: string
+ x-omitempty: true
+ value:
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ x-omitempty: true
+ missing:
+ nullable: true
+ type: string
+ x-omitempty: true
+ query:
+ nullable: true
+ type: string
+ x-omitempty: true
+ range:
+ nullable: true
+ type: string
+ x-omitempty: true
+ script:
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_GetNotesResult:
+ properties:
+ notes:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ type: array
+ totalCount:
+ type: number
+ required:
+ - totalCount
+ - notes
+ type: object
+ Security_Timeline_API_ImportTimelineResult:
+ properties:
+ errors:
+ description: The list of failed Timeline imports
+ items:
+ properties:
+ error:
+ description: The error containing the reason why the timeline could not be imported
+ properties:
+ message:
+ description: The reason why the timeline could not be imported
+ type: string
+ status_code:
+ description: The HTTP status code of the error
+ type: number
+ type: object
+ id:
+ description: The ID of the timeline that failed to import
+ type: string
+ type: object
+ type: array
+ success:
+ description: Indicates whether any of the Timelines were successfully imports
+ type: boolean
+ success_count:
+ description: The amount of successfully imported/updated Timelines
+ type: number
+ timelines_installed:
+ description: The amount of successfully installed Timelines
+ type: number
+ timelines_updated:
+ description: The amount of successfully updated Timelines
+ type: number
+ type: object
+ Security_Timeline_API_ImportTimelines:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ - properties:
+ eventNotes:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_BareNote'
+ nullable: true
+ type: array
+ x-omitempty: true
+ globalNotes:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_BareNote'
+ nullable: true
+ type: array
+ x-omitempty: true
+ pinnedEventIds:
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ savedObjectId:
+ nullable: true
+ type: string
+ x-omitempty: true
+ version:
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - savedObjectId
+ - version
+ - pinnedEventIds
+ - eventNotes
+ - globalNotes
+ type: object
+ Security_Timeline_API_Note:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_BareNote'
+ - properties:
+ noteId:
+ description: The `savedObjectId` of the note
+ type: string
+ version:
+ description: The version of the note
+ type: string
+ required:
+ - noteId
+ - version
+ type: object
+ Security_Timeline_API_NoteCreatedAndUpdatedMetadata:
+ properties:
+ created:
+ description: The time the note was created, using a 13-digit Epoch timestamp.
+ nullable: true
+ type: number
+ x-omitempty: true
+ createdBy:
+ description: The user who created the note.
+ nullable: true
+ type: string
+ x-omitempty: true
+ updated:
+ description: The last time the note was updated, using a 13-digit Epoch timestamp
+ nullable: true
+ type: number
+ x-omitempty: true
+ updatedBy:
+ description: The user who last updated the note
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_PersistPinnedEventResponse:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
+ - properties:
+ unpinned:
+ description: Indicates whether the event was successfully unpinned
+ type: boolean
+ required:
+ - unpinned
+ type: object
+ Security_Timeline_API_PersistTimelineResponse:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
+ Security_Timeline_API_PinnedEvent:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent'
+ - properties:
+ pinnedEventId:
+ description: The `savedObjectId` of this pinned event
+ type: string
+ version:
+ description: The version of this pinned event
+ type: string
+ required:
+ - pinnedEventId
+ - version
+ type: object
+ Security_Timeline_API_PinnedEventCreatedAndUpdatedMetadata:
+ properties:
+ created:
+ description: The time the pinned event was created, using a 13-digit Epoch timestamp.
+ nullable: true
+ type: number
+ x-omitempty: true
+ createdBy:
+ description: The user who created the pinned event.
+ nullable: true
+ type: string
+ x-omitempty: true
+ updated:
+ description: The last time the pinned event was updated, using a 13-digit Epoch timestamp
+ nullable: true
+ type: number
+ x-omitempty: true
+ updatedBy:
+ description: The user who last updated the pinned event
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_QueryMatchResult:
+ properties:
+ displayField:
+ nullable: true
+ type: string
+ x-omitempty: true
+ displayValue:
+ nullable: true
+ type: string
+ x-omitempty: true
+ field:
+ nullable: true
+ type: string
+ x-omitempty: true
+ operator:
+ nullable: true
+ type: string
+ x-omitempty: true
+ value:
+ oneOf:
+ - nullable: true
+ type: string
+ x-omitempty: true
+ - items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_ResolvedTimeline:
+ properties:
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ type: string
+ outcome:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome'
+ timeline:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject'
+ required:
+ - timeline
+ - outcome
+ type: object
+ Security_Timeline_API_ResponseNote:
+ properties:
+ note:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ required:
+ - note
+ type: object
+ Security_Timeline_API_RowRendererId:
+ description: Identifies the available row renderers
+ enum:
+ - alert
+ - alerts
+ - auditd
+ - auditd_file
+ - library
+ - netflow
+ - plain
+ - registry
+ - suricata
+ - system
+ - system_dns
+ - system_endgame_process
+ - system_file
+ - system_fim
+ - system_security_event
+ - system_socket
+ - threat_match
+ - zeek
+ type: string
+ Security_Timeline_API_SavedObjectIds:
+ oneOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ Security_Timeline_API_SavedObjectResolveAliasPurpose:
+ enum:
+ - savedObjectConversion
+ - savedObjectImport
+ type: string
+ Security_Timeline_API_SavedObjectResolveOutcome:
+ enum:
+ - exactMatch
+ - aliasMatch
+ - conflict
+ type: string
+ Security_Timeline_API_SavedTimeline:
+ properties:
+ columns:
+ description: The Timeline's columns
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult'
+ nullable: true
+ type: array
+ x-omitempty: true
+ created:
+ description: The time the Timeline was created, using a 13-digit Epoch timestamp.
+ nullable: true
+ type: number
+ x-omitempty: true
+ createdBy:
+ description: The user who created the Timeline.
+ nullable: true
+ type: string
+ x-omitempty: true
+ dataProviders:
+ description: Object containing query clauses
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult'
+ nullable: true
+ type: array
+ x-omitempty: true
+ dataViewId:
+ description: ID of the Timeline's Data View
+ nullable: true
+ type: string
+ x-omitempty: true
+ dateRange:
+ description: The Timeline's search period.
+ nullable: true
+ properties:
+ end:
+ oneOf:
+ - nullable: true
+ type: string
+ x-omitempty: true
+ - nullable: true
+ type: number
+ x-omitempty: true
+ start:
+ oneOf:
+ - nullable: true
+ type: string
+ x-omitempty: true
+ - nullable: true
+ type: number
+ x-omitempty: true
+ type: object
+ x-omitempty: true
+ description:
+ description: The Timeline's description
+ nullable: true
+ type: string
+ x-omitempty: true
+ eqlOptions:
+ description: EQL query that is used in the correlation tab
+ nullable: true
+ properties:
+ eventCategoryField:
+ nullable: true
+ type: string
+ x-omitempty: true
+ query:
+ nullable: true
+ type: string
+ x-omitempty: true
+ size:
+ oneOf:
+ - nullable: true
+ type: string
+ x-omitempty: true
+ - nullable: true
+ type: number
+ x-omitempty: true
+ tiebreakerField:
+ nullable: true
+ type: string
+ x-omitempty: true
+ timestampField:
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ x-omitempty: true
+ eventType:
+ deprecated: true
+ description: Event types displayed in the Timeline
+ nullable: true
+ type: string
+ x-omitempty: true
+ excludedRowRendererIds:
+ description: A list of row renderers that should not be used when in `Event renderers` mode
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_RowRendererId'
+ nullable: true
+ type: array
+ x-omitempty: true
+ favorite:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult'
+ nullable: true
+ type: array
+ x-omitempty: true
+ filters:
+ description: A list of filters that should be applied to the query
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult'
+ nullable: true
+ type: array
+ x-omitempty: true
+ indexNames:
+ description: A list of index names to use in the query (e.g. when the default data view has been modified)
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ kqlMode:
+ description: |-
+ Indicates whether the KQL bar filters the query results or searches for additional results, where:
+ * `filter`: filters query results
+ * `search`: displays additional search results
+ nullable: true
+ type: string
+ x-omitempty: true
+ kqlQuery:
+ $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult'
+ nullable: true
+ x-omitempty: true
+ savedQueryId:
+ description: The ID of the saved query that might be used in the Query tab
+ nullable: true
+ type: string
+ x-omitempty: true
+ savedSearchId:
+ description: The ID of the saved search that is used in the ES|QL tab
+ nullable: true
+ type: string
+ x-omitempty: true
+ sort:
+ $ref: '#/components/schemas/Security_Timeline_API_Sort'
+ nullable: true
+ x-omitempty: true
+ status:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
+ nullable: true
+ x-omitempty: true
+ templateTimelineId:
+ description: A unique ID (UUID) for Timeline templates. For Timelines, the value is `null`.
+ nullable: true
+ type: string
+ x-omitempty: true
+ templateTimelineVersion:
+ description: Timeline template version number. For Timelines, the value is `null`.
+ nullable: true
+ type: number
+ x-omitempty: true
+ timelineType:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ nullable: true
+ x-omitempty: true
+ title:
+ description: The Timeline's title.
+ nullable: true
+ type: string
+ x-omitempty: true
+ updated:
+ description: The last time the Timeline was updated, using a 13-digit Epoch timestamp
+ nullable: true
+ type: number
+ x-omitempty: true
+ updatedBy:
+ description: The user who last updated the Timeline
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_SavedTimelineWithSavedObjectId:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ - properties:
+ savedObjectId:
+ description: The `savedObjectId` of the Timeline or Timeline template
+ type: string
+ version:
+ description: The version of the Timeline or Timeline template
+ type: string
+ required:
+ - savedObjectId
+ - version
+ type: object
+ Security_Timeline_API_SerializedFilterQueryResult:
+ description: KQL bar query.
+ properties:
+ filterQuery:
+ nullable: true
+ properties:
+ kuery:
+ nullable: true
+ properties:
+ expression:
+ nullable: true
+ type: string
+ x-omitempty: true
+ kind:
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ x-omitempty: true
+ serializedQuery:
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_Sort:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_SortObject'
+ - items:
+ $ref: '#/components/schemas/Security_Timeline_API_SortObject'
+ type: array
+ Security_Timeline_API_SortFieldTimeline:
+ description: The field to sort the timelines by.
+ enum:
+ - title
+ - description
+ - updated
+ - created
+ type: string
+ Security_Timeline_API_SortObject:
+ description: Object indicating how rows are sorted in the Timeline's grid
+ properties:
+ columnId:
+ nullable: true
+ type: string
+ x-omitempty: true
+ columnType:
+ nullable: true
+ type: string
+ x-omitempty: true
+ sortDirection:
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_TimelineResponse:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId'
+ - properties:
+ eventIdToNoteIds:
+ description: A list of all the notes that are associated to this Timeline.
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ nullable: true
+ type: array
+ x-omitempty: true
+ noteIds:
+ description: A list of all the ids of notes that are associated to this Timeline.
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ notes:
+ description: A list of all the notes that are associated to this Timeline.
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ nullable: true
+ type: array
+ x-omitempty: true
+ pinnedEventIds:
+ description: A list of all the ids of pinned events that are associated to this Timeline.
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ pinnedEventsSaveObject:
+ description: A list of all the pinned events that are associated to this Timeline.
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
+ nullable: true
+ type: array
+ x-omitempty: true
+ type: object
+ Security_Timeline_API_TimelineSavedToReturnObject:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ - properties:
+ eventIdToNoteIds:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ nullable: true
+ type: array
+ x-omitempty: true
+ noteIds:
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ notes:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ nullable: true
+ type: array
+ x-omitempty: true
+ pinnedEventIds:
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ pinnedEventsSaveObject:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
+ nullable: true
+ type: array
+ x-omitempty: true
+ savedObjectId:
+ type: string
+ version:
+ type: string
+ required:
+ - savedObjectId
+ - version
+ type: object
+ Security_Timeline_API_TimelineStatus:
+ description: The status of the Timeline.
+ enum:
+ - active
+ - draft
+ - immutable
+ type: string
+ Security_Timeline_API_TimelineType:
+ description: The type of Timeline.
+ enum:
+ - default
+ - template
+ type: string
+ Short_URL_APIs_urlResponse:
+ properties:
+ accessCount:
+ type: integer
+ accessDate:
+ type: string
+ createDate:
+ type: string
+ id:
+ description: The identifier for the short URL.
+ type: string
+ locator:
+ properties:
+ id:
+ description: The identifier for the locator.
+ type: string
+ state:
+ description: The locator parameters.
+ type: object
+ version:
+ description: The version of Kibana when the short URL was created.
+ type: string
+ type: object
+ slug:
+ description: |
+ A random human-readable slug is automatically generated if the `humanReadableSlug` parameter is set to `true`. If it is set to `false`, a random short string is generated.
+ type: string
+ type: object
+ Synthetics_browserMonitorFields:
+ allOf:
+ - $ref: '#/components/schemas/Synthetics_commonMonitorFields'
+ - additionalProperties: true
+ properties:
+ ignore_https_errors:
+ default: false
+ description: Ignore HTTPS errors.
+ type: boolean
+ inline_script:
+ description: The inline script.
+ type: string
+ playwright_options:
+ description: Playwright options.
+ type: object
+ screenshots:
+ default: "on"
+ description: The screenshot option.
+ enum:
+ - "on"
+ - "off"
+ - only-on-failure
+ type: string
+ synthetics_args:
+ description: Synthetics agent CLI arguments.
+ type: array
+ type:
+ description: The monitor type.
+ enum:
+ - browser
+ type: string
+ required:
+ - inline_script
+ - type
+ type: object
+ title: Browser monitor fields
+ Synthetics_commonMonitorFields:
+ properties:
+ alert:
+ description: |
+ The alert configuration. The default is `{ status: { enabled: true }, tls: { enabled: true } }`.
+ type: object
+ enabled:
+ default: true
+ description: Specify whether the monitor is enabled.
+ type: boolean
+ labels:
+ additionalProperties:
+ type: string
+ description: |
+ Key-value pairs of labels to associate with the monitor. Labels can be used for filtering and grouping monitors.
+ type: object
+ locations:
+ description: |
+ The location to deploy the monitor.
+ Monitors can be deployed in multiple locations so that you can detect differences in availability and response times across those locations.
+ To list available locations you can:
+
+ - Run the `elastic-synthetics locations` command with the deployment's Kibana URL.
+ - Go to *Synthetics > Management* and click *Create monitor*. Locations will be listed in *Locations*.
+ externalDocs:
+ url: https://github.com/elastic/synthetics/blob/main/src/locations/public-locations.ts
+ items:
+ type: string
+ type: array
+ name:
+ description: The monitor name.
+ type: string
+ namespace:
+ default: default
+ description: |
+ The namespace field should be lowercase and not contain spaces. The namespace must not include any of the following characters: `*`, `\`, `/`, `?`, `"`, `<`, `>`, `|`, whitespace, `,`, `#`, `:`, or `-`.
+ type: string
+ params:
+ description: The monitor parameters.
+ type: string
+ private_locations:
+ description: |
+ The private locations to which the monitors will be deployed.
+ These private locations refer to locations hosted and managed by you, whereas `locations` are hosted by Elastic.
+ You can specify a private location using the location's name.
+ To list available private locations you can:
+
+ - Run the `elastic-synthetics locations` command with the deployment's Kibana URL.
+ - Go to *Synthetics > Settings* and click *Private locationsr*. Private locations will be listed in the table.
+
+ > info
+ > You can provide `locations` or `private_locations` or both. At least one is required.
+ items:
+ type: string
+ type: array
+ retest_on_failure:
+ default: true
+ description: |
+ Turn retesting for when a monitor fails on or off. By default, monitors are automatically retested if the monitor goes from "up" to "down". If the result of the retest is also "down", an error will be created and if configured, an alert sent. The monitor will then resume running according to the defined schedule. Using `retest_on_failure` can reduce noise related to transient problems.
+ type: boolean
+ schedule:
+ description: |
+ The monitor's schedule in minutes. Supported values are `1`, `3`, `5`, `10`, `15`, `30`, `60`, `120`, and `240`. The default value is `3` minutes for HTTP, TCP, and ICMP monitors. The default value is `10` minutes for Browser monitors.
+ type: number
+ service.name:
+ description: The APM service name.
+ type: string
+ tags:
+ description: An array of tags.
+ items:
+ type: string
+ type: array
+ timeout:
+ default: 16
+ description: |
+ The monitor timeout in seconds. The monitor will fail if it doesn't complete within this time.
+ type: number
+ required:
+ - name
+ title: Common monitor fields
+ type: object
+ Synthetics_getParameterResponse:
+ properties:
+ description:
+ description: |
+ The description of the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
+ type: string
+ id:
+ description: The unique identifier of the parameter.
+ type: string
+ key:
+ description: The key of the parameter.
+ type: string
+ namespaces:
+ description: |
+ The namespaces associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
+ items:
+ type: string
+ type: array
+ tags:
+ description: |
+ An array of tags associated with the parameter. It is included in the response if the user has read-only permissions to the Synthetics app.
+ items:
+ type: string
+ type: array
+ value:
+ description: "The value associated with the parameter. It will be included in the response if the user has write permissions. \n"
+ type: string
+ title: Get parameter response
+ type: object
+ Synthetics_getPrivateLocation:
+ additionalProperties: true
+ properties:
+ agentPolicyId:
+ description: The ID of the agent policy associated with the private location.
+ type: string
+ geo:
+ description: Geographic coordinates (WGS84) for the location.
+ properties:
+ lat:
+ description: The latitude of the location.
+ type: number
+ lon:
+ description: The longitude of the location.
+ type: number
+ required:
+ - lat
+ - lon
+ type: object
+ id:
+ description: The unique identifier of the private location.
+ type: string
+ isInvalid:
+ description: |
+ Indicates whether the location is invalid. If `true`, the location is invalid, which means the agent policy associated with the location is deleted.
+ type: boolean
+ label:
+ description: A label for the private location.
+ type: string
+ namespace:
+ description: The namespace of the location, which is the same as the namespace of the agent policy associated with the location.
+ type: string
+ title: Post a private location
+ type: object
+ Synthetics_httpMonitorFields:
+ allOf:
+ - $ref: '#/components/schemas/Synthetics_commonMonitorFields'
+ - additionalproperties: true
+ properties:
+ check:
+ description: The check request settings.
+ properties:
+ request:
+ description: An optional request to send to the remote host.
+ properties:
+ body:
+ description: Optional request body content.
+ type: string
+ headers:
+ description: |
+ A dictionary of additional HTTP headers to send. By default, Synthetics will set the User-Agent header to identify itself.
+ type: object
+ method:
+ description: The HTTP method to use.
+ enum:
+ - HEAD
+ - GET
+ - POST
+ - OPTIONS
+ type: string
+ type: object
+ response:
+ additionalProperties: true
+ description: The expected response.
+ properties:
+ body:
+ type: object
+ headers:
+ description: A dictionary of expected HTTP headers. If the header is not found, the check fails.
+ type: object
+ type: object
+ type: object
+ ipv4:
+ default: true
+ description: If `true`, ping using the ipv4 protocol.
+ type: boolean
+ ipv6:
+ default: true
+ description: If `true`, ping using the ipv6 protocol.
+ type: boolean
+ max_redirects:
+ default: 0
+ description: The maximum number of redirects to follow.
+ type: number
+ mode:
+ default: any
+ description: |
+ The mode of the monitor. If it is `all`, the monitor pings all resolvable IPs for a hostname. If it is `any`, the monitor pings only one IP address for a hostname. If you're using a DNS-load balancer and want to ping every IP address for the specified hostname, you should use `all`.
+ enum:
+ - all
+ - any
+ type: string
+ password:
+ description: |
+ The password for authenticating with the server. The credentials are passed with the request.
+ type: string
+ proxy_headers:
+ description: Additional headers to send to proxies during CONNECT requests.
+ type: object
+ proxy_url:
+ description: The URL of the proxy to use for this monitor.
+ type: string
+ response:
+ description: Controls the indexing of the HTTP response body contents to the `http.response.body.contents field`.
+ type: object
+ ssl:
+ description: |
+ The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used.
+ type: object
+ type:
+ description: The monitor type.
+ enum:
+ - http
+ type: string
+ url:
+ description: The URL to monitor.
+ type: string
+ username:
+ description: |
+ The username for authenticating with the server. The credentials are passed with the request.
+ type: string
+ required:
+ - type
+ - url
+ type: object
+ title: HTTP monitor fields
+ Synthetics_icmpMonitorFields:
+ allOf:
+ - $ref: '#/components/schemas/Synthetics_commonMonitorFields'
+ - additionalProperties: true
+ properties:
+ host:
+ description: The host to ping.
+ type: string
+ type:
+ description: The monitor type.
+ enum:
+ - icmp
+ type: string
+ wait:
+ default: 1
+ description: The wait time in seconds.
+ type: number
+ required:
+ - host
+ - type
+ type: object
+ title: ICMP monitor fields
+ Synthetics_parameterRequest:
+ properties:
+ description:
+ description: A description of the parameter.
+ type: string
+ key:
+ description: The key of the parameter.
+ type: string
+ share_across_spaces:
+ description: Specify whether the parameter should be shared across spaces.
+ type: boolean
+ tags:
+ description: An array of tags to categorize the parameter.
+ items:
+ type: string
+ type: array
+ value:
+ description: The value associated with the parameter.
+ type: string
+ required:
+ - key
+ - value
+ title: Parameter request
+ type: object
+ Synthetics_postParameterResponse:
+ properties:
+ description:
+ description: A description of the parameter.
+ type: string
+ id:
+ description: The unique identifier for the parameter.
+ type: string
+ key:
+ description: The parameter key.
+ type: string
+ share_across_spaces:
+ description: Indicates whether the parameter is shared across spaces.
+ type: boolean
+ tags:
+ description: An array of tags associated with the parameter.
+ items:
+ type: string
+ type: array
+ value:
+ description: The value associated with the parameter.
+ type: string
+ title: Post parameter response
+ type: object
+ Synthetics_tcpMonitorFields:
+ allOf:
+ - $ref: '#/components/schemas/Synthetics_commonMonitorFields'
+ - additionalProperties: true
+ properties:
+ host:
+ description: |
+ The host to monitor; it can be an IP address or a hostname. The host can include the port using a colon, for example "example.com:9200".
+ type: string
+ proxy_url:
+ description: |
+ The URL of the SOCKS5 proxy to use when connecting to the server. The value must be a URL with a scheme of `socks5://`. If the SOCKS5 proxy server requires client authentication, then a username and password can be embedded in the URL. When using a proxy, hostnames are resolved on the proxy server instead of on the client. You can change this behavior by setting the `proxy_use_local_resolver` option.
+ type: string
+ proxy_use_local_resolver:
+ default: false
+ description: |
+ Specify that hostnames are resolved locally instead of being resolved on the proxy server. If `false`, name resolution occurs on the proxy server.
+ type: boolean
+ ssl:
+ description: |
+ The TLS/SSL connection settings for use with the HTTPS endpoint. If you don't specify settings, the system defaults are used.
+ type: object
+ type:
+ description: The monitor type.
+ enum:
+ - tcp
+ type: string
+ required:
+ - host
+ - type
+ type: object
+ title: TCP monitor fields
+ Task_manager_health_APIs_configuration:
+ description: |
+ This object summarizes the current configuration of Task Manager. This includes dynamic configurations that change over time, such as `poll_interval` and `max_workers`, which can adjust in reaction to changing load on the system.
+ type: object
+ Task_manager_health_APIs_health_response:
+ properties:
+ id:
+ type: string
+ last_update:
+ type: string
+ stats:
+ properties:
+ capacity_estimation:
+ description: |
+ This object provides a rough estimate about the sufficiency of its capacity. These are estimates based on historical data and should not be used as predictions.
+ type: object
+ configuration:
+ $ref: '#/components/schemas/Task_manager_health_APIs_configuration'
+ runtime:
+ description: |
+ This object tracks runtime performance of Task Manager, tracking task drift, worker load, and stats broken down by type, including duration and run results.
+ type: object
+ workload:
+ $ref: '#/components/schemas/Task_manager_health_APIs_workload'
+ type: object
+ status:
+ type: string
+ timestamp:
+ type: string
+ title: Task health response properties
+ type: object
+ Task_manager_health_APIs_workload:
+ description: |
+ This object summarizes the work load across the cluster, including the tasks in the system, their types, and current status.
+ type: object
+ agent_policy:
+ additionalProperties: false
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ x-omitempty: true
+ agent_download_timeout:
+ nullable: true
+ x-omitempty: true
+ agent_limits_go_max_procs:
+ nullable: true
+ x-omitempty: true
+ agent_logging_files_interval:
+ nullable: true
+ x-omitempty: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ x-omitempty: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ x-omitempty: true
+ agent_logging_level:
+ nullable: true
+ x-omitempty: true
+ agent_logging_metrics_period:
+ nullable: true
+ x-omitempty: true
+ agent_logging_to_files:
+ nullable: true
+ x-omitempty: true
+ agent_monitoring_runtime_experimental:
+ nullable: true
+ x-omitempty: true
+ type: object
+ agent_features:
+ items:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: object
+ type: array
+ agentless:
+ additionalProperties: false
+ properties:
+ cloud_connectors:
+ additionalProperties: false
+ properties:
+ enabled:
+ type: boolean
+ target_csp:
+ type: string
+ required:
+ - enabled
+ type: object
+ resources:
+ additionalProperties: false
+ properties:
+ requests:
+ additionalProperties: false
+ properties:
+ cpu:
+ type: string
+ memory:
+ type: string
+ type: object
+ type: object
+ type: object
+ agents:
+ type: number
+ data_output_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ fips_agents:
+ type: number
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ $ref: '#/components/schemas/agent_policy_global_data_tags_item'
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ is_protected:
+ description: Indicates whether the agent policy has tamper protection enabled. Default false.
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ monitoring_diagnostics:
+ additionalProperties: false
+ properties:
+ limit:
+ additionalProperties: false
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ type: object
+ uploader:
+ additionalProperties: false
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ type: object
+ type: object
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ properties:
+ buffer:
+ additionalProperties: false
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ type: object
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ type: object
+ monitoring_output_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ x-omitempty: true
+ package_policies:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
+ items:
+ additionalProperties: false
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ agents:
+ type: number
+ cloud_connector_id:
+ description: ID of the cloud connector associated with this package policy.
+ nullable: true
+ type: string
+ x-omitempty: true
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ properties:
+ privileges:
+ additionalProperties: true
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ id:
+ description: Package policy unique identifier.
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: object
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: object
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that stream. Defaults to `true` (enabled).
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ x-omitempty: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Input streams. Refer to the integration documentation to know which streams are available.
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ x-omitempty: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ type: object
+ description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
+ type: object
+ x-oas-optional: true
+ description: Package policy inputs.
+ is_managed:
+ type: boolean
+ name:
+ description: Unique name for the package policy.
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ type: object
+ x-omitempty: true
+ package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ policy_id:
+ deprecated: true
+ description: ID of the agent policy which the package policy will be added to.
+ nullable: true
+ type: string
+ x-omitempty: true
+ policy_ids:
+ items:
+ description: IDs of the agent policies which that package policy will be added to.
+ type: string
+ type: array
+ revision:
+ description: Package policy revision.
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ supports_cloud_connector:
+ default: false
+ description: Indicates whether the package policy supports cloud connectors.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ type: object
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ type: object
+ nullable: true
+ x-omitempty: true
+ description: Input/stream level variable. Refer to the integration documentation for more information.
+ type: object
+ x-oas-optional: true
+ description: Package level variable.
+ version:
+ description: Package policy ES version.
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: object
+ type: array
+ required_versions:
+ items:
+ additionalProperties: false
+ properties:
+ percentage:
+ description: Target percentage of agents to auto upgrade
+ maximum: 100
+ minimum: 0
+ type: number
+ version:
+ description: Target version for automatic agent upgrade
+ type: string
+ required:
+ - version
+ - percentage
+ type: object
+ nullable: true
+ type: array
+ x-omitempty: true
+ revision:
+ type: number
+ schema_version:
+ type: string
+ space_ids:
+ items:
+ type: string
+ type: array
+ status:
+ enum:
+ - active
+ - inactive
+ type: string
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ unprivileged_agents:
+ type: number
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - name
+ - namespace
+ - is_managed
+ - is_protected
+ - status
+ - updated_at
+ - updated_by
+ - revision
+ type: object
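Review bot: the item description under `policy_ids` reads "IDs of the agent policies which that package policy will be added to", which is a grammatical slip (the sibling `policy_id` description uses "which the package policy will be added to"); suggest "IDs of the agent policies that the package policy will be added to."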
+ agent_policy_global_data_tags_item:
+ additionalProperties: false
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: object
+ aggfield:
+ description: |
+ The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.
+ type: string
+ aggtype:
+ default: count
+ description: The type of aggregation to perform.
+ enum:
+ - avg
+ - count
+ - max
+ - min
+ - sum
+ type: string
+ auth_type:
+ description: |
+ The type of authentication to use: basic, SSL, or none.
+ enum:
+ - webhook-authentication-basic
+ - webhook-authentication-ssl
+ nullable: true
+ title: Authentication type
+ type: string
+ x-omitempty: true
+ bedrock_config:
+ description: Defines properties for connectors when type is `.bedrock`.
+ properties:
+ apiUrl:
+ description: The Amazon Bedrock request URL.
+ type: string
+ defaultModel:
+ default: us.anthropic.claude-sonnet-4-5-20250929-v1:0
+ description: |
+ The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.
+ type: string
+ required:
+ - apiUrl
+ title: Connector request properties for an Amazon Bedrock connector
+ type: object
+ bedrock_secrets:
+ description: Defines secrets for connectors when type is `.bedrock`.
+ properties:
+ accessKey:
+ description: The AWS access key for authentication.
+ type: string
+ secret:
+ description: The AWS secret for authentication.
+ type: string
+ required:
+ - accessKey
+ - secret
+ title: Connector secrets properties for an Amazon Bedrock connector
+ type: object
+ ca:
+ description: |
+ A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.
+ title: Certificate authority
+ type: string
+ cases_webhook_config:
+ description: Defines properties for connectors when type is `.cases-webhook`.
+ properties:
+ authType:
+ $ref: '#/components/schemas/auth_type'
+ ca:
+ $ref: '#/components/schemas/ca'
+ certType:
+ $ref: '#/components/schemas/cert_type'
+ createCommentJson:
+ description: |
+ A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
+ type: string
+ createCommentMethod:
+ default: put
+ description: |
+ The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`.
+ enum:
+ - patch
+ - post
+ - put
+ type: string
+ createCommentUrl:
+ description: |
+ The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts.
+ type: string
+ createIncidentJson:
+ description: |
+ A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
+ type: string
+ createIncidentMethod:
+ default: post
+ description: |
+ The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`.
+ enum:
+ - patch
+ - post
+ - put
+ type: string
+ createIncidentResponseKey:
+ description: The JSON key in the create external case response that contains the case ID.
+ type: string
+ createIncidentUrl:
+ description: |
+ The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ getIncidentResponseExternalTitleKey:
+ description: The JSON key in get external case response that contains the case title.
+ type: string
+ getIncidentUrl:
+ description: |
+ The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
+ type: string
+ hasAuth:
+ $ref: '#/components/schemas/has_auth'
+ headers:
+ description: |
+ A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.
+ type: string
+ updateIncidentJson:
+ description: |
+ The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
+ type: string
+ updateIncidentMethod:
+ default: put
+ description: |
+ The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`.
+ enum:
+ - patch
+ - post
+ - put
+ type: string
+ updateIncidentUrl:
+ description: |
+ The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ verificationMode:
+ $ref: '#/components/schemas/verification_mode'
+ viewIncidentUrl:
+ description: |
+ The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.
+ type: string
+ required:
+ - createIncidentJson
+ - createIncidentResponseKey
+ - createIncidentUrl
+ - getIncidentResponseExternalTitleKey
+ - getIncidentUrl
+ - updateIncidentJson
+ - updateIncidentUrl
+ - viewIncidentUrl
+ title: Connector request properties for Webhook - Case Management connector
+ type: object
+ cases_webhook_secrets:
+ properties:
+ crt:
+ $ref: '#/components/schemas/crt'
+ key:
+ $ref: '#/components/schemas/key'
+ password:
+ description: |
+ The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required.
+ type: string
+ pfx:
+ $ref: '#/components/schemas/pfx'
+ user:
+ description: |
+ The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
+ type: string
+ title: Connector secrets properties for Webhook - Case Management connector
+ type: object
+ cert_type:
+ description: |
+ If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.
+ enum:
+ - ssl-crt-key
+ - ssl-pfx
+ title: Certificate type
+ type: string
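Review bot: a few description defects in the webhook/cases-webhook region. In `createCommentUrl` the closing backtick is misplaced (`xpack.actions.allowedHosts setting` should be `xpack.actions.allowedHosts` setting, as the sibling URL properties write it). In `cases_webhook_secrets.password`, "and and" is doubled. `auth_type` is described as "basic, SSL, or none" while its enum lists only `webhook-authentication-basic` and `webhook-authentication-ssl`; if "none" is meant to be expressed by `nullable: true`, the description should say so. `headers` is typed `string` although described as "a set of key-value pairs"; an object with `additionalProperties: { type: string }`, as `genai_openai_other_config.headers` is declared further down in this same diff, would let clients validate it. `cases_webhook_secrets` also lacks the `description` line its config counterpart has.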
+ connector_response:
+ additionalProperties: false
+ properties:
+ config:
+ additionalProperties: {}
+ type: object
+ connector_type_id:
+ description: The connector type identifier.
+ type: string
+ id:
+ description: The identifier for the connector.
+ type: string
+ is_deprecated:
+ description: Indicates whether the connector is deprecated.
+ type: boolean
+ is_missing_secrets:
+ description: Indicates whether the connector is missing secrets.
+ type: boolean
+ is_preconfigured:
+ description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ type: boolean
+ is_system_action:
+ description: Indicates whether the connector is used for system actions.
+ type: boolean
+ name:
+ description: ' The name of the rule.'
+ type: string
+ required:
+ - id
+ - name
+ - connector_type_id
+ - is_preconfigured
+ - is_deprecated
+ - is_system_action
+ type: object
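Review bot: the `name` property of `connector_response` is described as ' The name of the rule.', but this schema describes a connector, so it should read 'The name of the connector.'. That quoted string also carries a leading space, and the `is_preconfigured` description a trailing one; both are emitted verbatim into generated documentation.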
+ create_connector_config:
+ additionalProperties: {}
+ default: {}
+ description: The connector configuration details.
+ oneOf:
+ - $ref: '#/components/schemas/bedrock_config'
+ - $ref: '#/components/schemas/crowdstrike_config'
+ - $ref: '#/components/schemas/d3security_config'
+ - $ref: '#/components/schemas/email_config'
+ - $ref: '#/components/schemas/gemini_config'
+ - $ref: '#/components/schemas/resilient_config'
+ - $ref: '#/components/schemas/index_config'
+ - $ref: '#/components/schemas/jira_config'
+ - $ref: '#/components/schemas/genai_azure_config'
+ - $ref: '#/components/schemas/genai_openai_config'
+ - $ref: '#/components/schemas/genai_openai_other_config'
+ - $ref: '#/components/schemas/opsgenie_config'
+ - $ref: '#/components/schemas/pagerduty_config'
+ - $ref: '#/components/schemas/sentinelone_config'
+ - $ref: '#/components/schemas/servicenow_config'
+ - $ref: '#/components/schemas/servicenow_itom_config'
+ - $ref: '#/components/schemas/slack_api_config'
+ - $ref: '#/components/schemas/swimlane_config'
+ - $ref: '#/components/schemas/thehive_config'
+ - $ref: '#/components/schemas/tines_config'
+ - $ref: '#/components/schemas/torq_config'
+ - $ref: '#/components/schemas/webhook_config'
+ - $ref: '#/components/schemas/cases_webhook_config'
+ - $ref: '#/components/schemas/xmatters_config'
+ create_connector_secrets:
+ additionalProperties: {}
+ default: {}
+ oneOf:
+ - $ref: '#/components/schemas/bedrock_secrets'
+ - $ref: '#/components/schemas/crowdstrike_secrets'
+ - $ref: '#/components/schemas/d3security_secrets'
+ - $ref: '#/components/schemas/email_secrets'
+ - $ref: '#/components/schemas/gemini_secrets'
+ - $ref: '#/components/schemas/resilient_secrets'
+ - $ref: '#/components/schemas/jira_secrets'
+ - $ref: '#/components/schemas/defender_secrets'
+ - $ref: '#/components/schemas/teams_secrets'
+ - $ref: '#/components/schemas/genai_secrets'
+ - $ref: '#/components/schemas/opsgenie_secrets'
+ - $ref: '#/components/schemas/pagerduty_secrets'
+ - $ref: '#/components/schemas/sentinelone_secrets'
+ - $ref: '#/components/schemas/servicenow_secrets'
+ - $ref: '#/components/schemas/slack_api_secrets'
+ - $ref: '#/components/schemas/swimlane_secrets'
+ - $ref: '#/components/schemas/thehive_secrets'
+ - $ref: '#/components/schemas/tines_secrets'
+ - $ref: '#/components/schemas/torq_secrets'
+ - $ref: '#/components/schemas/webhook_secrets'
+ - $ref: '#/components/schemas/cases_webhook_secrets'
+ - $ref: '#/components/schemas/xmatters_secrets'
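Review bot: `create_connector_config` combines `oneOf` with branch schemas that neither set `additionalProperties: false` nor share a discriminator, so a valid payload can match more than one branch and be rejected: a Gemini config (`apiUrl`, `gcpRegion`, `gcpProjectID`) also satisfies `bedrock_config`, which requires only `apiUrl` and permits extra properties. Consider `anyOf`, or a `discriminator` keyed on the connector type. Separately, `defender_secrets` is listed in `create_connector_secrets` but `defender_config` (defined later in this diff) is missing from the `create_connector_config` list, so the Defender connector cannot be created through this schema as documented; and `create_connector_secrets` has no `description`, unlike its config counterpart.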
+ create_param_response:
+ oneOf:
+ - items:
+ $ref: '#/components/schemas/Synthetics_postParameterResponse'
+ type: array
+ - $ref: '#/components/schemas/Synthetics_postParameterResponse'
+ crowdstrike_config:
+ description: Defines config properties for connectors when type is `.crowdstrike`.
+ properties:
+ url:
+ description: |
+ The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ required:
+ - url
+ title: Connector request config properties for a Crowdstrike connector
+ type: object
+ crowdstrike_secrets:
+ description: Defines secrets for connectors when type is `.crowdstrike`.
+ properties:
+ clientId:
+ description: The CrowdStrike API client identifier.
+ type: string
+ clientSecret:
+ description: The CrowdStrike API client secret to authenticate the `clientId`.
+ type: string
+ required:
+ - clientId
+ - clientSecret
+ title: Connector secrets properties for a Crowdstrike connector
+ type: object
+ crt:
+ description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file.
+ title: Certificate
+ type: string
+ d3security_config:
+ description: Defines properties for connectors when type is `.d3security`.
+ properties:
+ url:
+ description: |
+ The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ required:
+ - url
+ title: Connector request properties for a D3 Security connector
+ type: object
+ d3security_secrets:
+ description: Defines secrets for connectors when type is `.d3security`.
+ properties:
+ token:
+ description: The D3 Security token.
+ type: string
+ required:
+ - token
+ title: Connector secrets properties for a D3 Security connector
+ type: object
+ defender_config:
+ description: Defines properties for connectors when type is `.microsoft_defender_endpoint`.
+ properties:
+ apiUrl:
+ description: |
+ The URL of the Microsoft Defender for Endpoint API. If you are using the `xpack.actions.allowedHosts` setting, make sure the hostname is added to the allowed hosts.
+ type: string
+ clientId:
+ description: The application (client) identifier for your app in the Azure portal.
+ type: string
+ oAuthScope:
+ description: The OAuth scopes or permission sets for the Microsoft Defender for Endpoint API.
+ type: string
+ oAuthServerUrl:
+ description: The OAuth server URL where authentication is sent and received for the Microsoft Defender for Endpoint API.
+ type: string
+ tenantId:
+ description: The tenant identifier for your app in the Azure portal.
+ type: string
+ required:
+ - apiUrl
+ - projectKey
+ title: Connector request properties for a Microsoft Defender for Endpoint connector
+ type: object
+ defender_secrets:
+ description: Defines secrets for connectors when type is `..microsoft_defender_endpoint`.
+ properties:
+ clientSecret:
+ description: The client secret for your app in the Azure portal.
+ type: string
+ required:
+ - clientSecret
+ title: Connector secrets properties for a Microsoft Defender for Endpoint connector
+ type: object
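Review bot: `defender_config` lists `projectKey` under `required`, but no such property exists on this schema (its properties are `apiUrl`, `clientId`, `oAuthScope`, `oAuthServerUrl` and `tenantId`); this appears copied from `jira_config` and will reject any Defender config that omits `projectKey`. Replace it with the properties the connector actually needs, e.g. `- apiUrl`, `- clientId`, `- tenantId` (and `oAuthServerUrl`/`oAuthScope` if they are mandatory). Also, the `defender_secrets` description reads `..microsoft_defender_endpoint` with a doubled dot, while `defender_config` uses `.microsoft_defender_endpoint`.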
+ email_config:
+ description: Defines properties for connectors when type is `.email`.
+ properties:
+ clientId:
+ description: |
+ The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
+ nullable: true
+ type: string
+ x-omitempty: true
+ from:
+ description: |
+ The from address for all emails sent by the connector. It must be specified in `user@host-name` format.
+ type: string
+ hasAuth:
+ default: true
+ description: |
+ Specifies whether a user and password are required inside the secrets configuration.
+ type: boolean
+ host:
+ description: |
+ The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
+ type: string
+ oauthTokenUrl:
+ nullable: true
+ type: string
+ x-omitempty: true
+ port:
+ description: |
+ The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
+ type: integer
+ secure:
+ description: |
+ Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.
+ type: boolean
+ service:
+ description: |
+ The name of the email service.
+ enum:
+ - elastic_cloud
+ - exchange_server
+ - gmail
+ - other
+ - outlook365
+ - ses
+ type: string
+ tenantId:
+ description: |
+ The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
+ nullable: true
+ type: string
+ x-omitempty: true
+ required:
+ - from
+ title: Connector request properties for an email connector
+ type: object
+ email_secrets:
+ description: Defines secrets for connectors when type is `.email`.
+ properties:
+ clientSecret:
+ description: |
+ The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required.
+ type: string
+ password:
+ description: |
+ The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.
+ type: string
+ user:
+ description: |
+ The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.
+ type: string
+ title: Connector secrets properties for an email connector
+ type: object
+ enrollment_api_key:
+ additionalProperties: false
+ properties:
+ active:
+ description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
+ type: boolean
+ api_key:
+ description: The enrollment API key (token) used for enrolling Elastic Agents.
+ type: string
+ api_key_id:
+ description: The ID of the API key in the Security API.
+ type: string
+ created_at:
+ type: string
+ hidden:
+ type: boolean
+ id:
+ type: string
+ name:
+ description: The name of the enrollment API key.
+ type: string
+ policy_id:
+ description: The ID of the agent policy the Elastic Agent will be enrolled in.
+ type: string
+ required:
+ - id
+ - api_key_id
+ - api_key
+ - active
+ - created_at
+ type: object
+ excludehitsfrompreviousrun:
+ description: |
+ Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
+ type: boolean
+ filter:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ properties:
+ $state:
+ type: object
+ meta:
+ properties:
+ alias:
+ nullable: true
+ type: string
+ x-omitempty: true
+ controlledBy:
+ type: string
+ disabled:
+ type: boolean
+ field:
+ type: string
+ group:
+ type: string
+ index:
+ type: string
+ isMultiIndex:
+ type: boolean
+ key:
+ type: string
+ negate:
+ type: boolean
+ params:
+ type: object
+ type:
+ type: string
+ value:
+ type: string
+ type: object
+ query:
+ type: object
+ type: object
+ gemini_config:
+ description: Defines properties for connectors when type is `.gemini`.
+ properties:
+ apiUrl:
+ description: The Google Gemini request URL.
+ type: string
+ defaultModel:
+ default: gemini-2.5-pro
+ description: The generative artificial intelligence model for Google Gemini to use.
+ type: string
+ gcpProjectID:
+ description: The Google ProjectID that has Vertex AI endpoint enabled.
+ type: string
+ gcpRegion:
+ description: The GCP region where the Vertex AI endpoint enabled.
+ type: string
+ required:
+ - apiUrl
+ - gcpRegion
+ - gcpProjectID
+ title: Connector request properties for an Google Gemini connector
+ type: object
+ gemini_secrets:
+ description: Defines secrets for connectors when type is `.gemini`.
+ properties:
+ credentialsJson:
+ description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it.
+ type: string
+ required:
+ - credentialsJson
+ title: Connector secrets properties for a Google Gemini connector
+ type: object
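Review bot: wording in the Gemini schemas: the `gemini_config` title reads "an Google Gemini connector" (should be "a"), the `gcpRegion` description is missing its verb ("The GCP region where the Vertex AI endpoint is enabled"), and "ProjectID" in the `gcpProjectID` description should be "project ID". The `credentialsJson` description says "JSON file" for a `string` field; stating whether the value is the file's contents or a path would remove the ambiguity for API clients.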
+ genai_azure_config:
+ description: |
+ Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`.
+ properties:
+ apiProvider:
+ description: The OpenAI API provider.
+ enum:
+ - Azure OpenAI
+ type: string
+ apiUrl:
+ description: The OpenAI API endpoint.
+ type: string
+ required:
+ - apiProvider
+ - apiUrl
+ title: Connector request properties for an OpenAI connector that uses Azure OpenAI
+ type: object
+ genai_openai_config:
+ description: |
+ Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`.
+ properties:
+ apiProvider:
+ description: The OpenAI API provider.
+ enum:
+ - OpenAI
+ type: string
+ apiUrl:
+ description: The OpenAI API endpoint.
+ type: string
+ defaultModel:
+ description: The default model to use for requests.
+ type: string
+ required:
+ - apiProvider
+ - apiUrl
+ title: Connector request properties for an OpenAI connector
+ type: object
+ genai_openai_other_config:
+ description: |
+ Defines properties for connectors when type is `.gen-ai` and the API provider is `Other` (OpenAI-compatible service), including optional PKI authentication.
+ properties:
+ apiProvider:
+ description: The OpenAI API provider.
+ enum:
+ - Other
+ type: string
+ apiUrl:
+ description: The OpenAI-compatible API endpoint.
+ type: string
+ caData:
+ description: PEM-encoded CA certificate content.
+ minLength: 1
+ type: string
+ certificateData:
+ description: PEM-encoded certificate content.
+ minLength: 1
+ type: string
+ defaultModel:
+ description: The default model to use for requests.
+ type: string
+ headers:
+ additionalProperties:
+ type: string
+ description: Custom headers to include in requests.
+ type: object
+ privateKeyData:
+ description: PEM-encoded private key content.
+ minLength: 1
+ type: string
+ verificationMode:
+ default: full
+ description: SSL verification mode for PKI authentication.
+ enum:
+ - full
+ - certificate
+ - none
+ type: string
+ required:
+ - apiProvider
+ - apiUrl
+ - defaultModel
+ title: Connector request properties for an OpenAI connector with Other provider
+ type: object
+ genai_secrets:
+ description: |
+ Defines secrets for connectors when type is `.gen-ai`. Supports both API key authentication (OpenAI, Azure OpenAI, and `Other`) and PKI authentication (`Other` provider only). PKI fields must be base64-encoded PEM content.
+ properties:
+ apiKey:
+ description: |
+ The API key for authentication. For OpenAI and Azure OpenAI providers, it is required. For the `Other` provider, it is required if you do not use PKI authentication. With PKI, you can also optionally include an API key if the OpenAI-compatible service supports or requires one.
+ type: string
+ caData:
+ description: |
+ Base64-encoded PEM CA certificate content for PKI authentication (Other provider only). Optional.
+ minLength: 1
+ type: string
+ certificateData:
+ description: |
+ Base64-encoded PEM certificate content for PKI authentication (Other provider only). Required for PKI.
+ minLength: 1
+ type: string
+ privateKeyData:
+ description: |
+ Base64-encoded PEM private key content for PKI authentication (Other provider only). Required for PKI.
+ minLength: 1
+ type: string
+ required: []
+ title: Connector secrets properties for an OpenAI connector
+ type: object
+ get_data_views_response_item:
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ title:
+ type: string
+ typeMeta:
+ type: object
+ type: object
+ groupby:
+ default: all
+ description: |
+ Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.
+ enum:
+ - all
+ - top
+ type: string
+ has_auth:
+ default: true
+ description: If true, a username and password for login type authentication must be provided.
+ title: Has authentication
+ type: boolean
+ index_config:
+ description: Defines properties for connectors when type is `.index`.
+ properties:
+ executionTimeField:
+ default: null
+ description: A field that indicates when the document was indexed.
+ nullable: true
+ type: string
+ x-omitempty: true
+ index:
+ description: The Elasticsearch index to be written to.
+ type: string
+ refresh:
+ default: false
+ description: |
+ The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.
+ type: boolean
+ required:
+ - index
+ title: Connector request properties for an index connector
+ type: object
+ jira_config:
+ description: Defines properties for connectors when type is `.jira`.
+ properties:
+ apiUrl:
+ description: The Jira instance URL.
+ type: string
+ projectKey:
+ description: The Jira project key.
+ type: string
+ required:
+ - apiUrl
+ - projectKey
+ title: Connector request properties for a Jira connector
+ type: object
+ jira_secrets:
+ description: Defines secrets for connectors when type is `.jira`.
+ properties:
+ apiToken:
+ description: The Jira API authentication token for HTTP basic authentication.
+ type: string
+ email:
+ description: The account email for HTTP Basic authentication.
+ type: string
+ required:
+ - apiToken
+ - email
+ title: Connector secrets properties for a Jira connector
+ type: object
+ key:
+ description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file.
+ title: Certificate key
+ type: string
+ new_output_elasticsearch:
+ additionalProperties: false
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ shipper:
+ $ref: '#/components/schemas/new_output_shipper'
+ ssl:
+ $ref: '#/components/schemas/new_output_ssl'
+ type:
+ enum:
+ - elasticsearch
+ type: string
+ write_to_logs_streams:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ required:
+ - name
+ - type
+ - hosts
+ type: object
+ new_output_kafka:
+ additionalProperties: false
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ auth_type:
+ enum:
+ - none
+ - user_pass
+ - ssl
+ - kerberos
+ type: string
+ broker_timeout:
+ type: number
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ client_id:
+ type: string
+ compression:
+ enum:
+ - gzip
+ - snappy
+ - lz4
+ - none
+ type: string
+ compression_level:
+ type: integer
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ connection_type:
+ type: string
+ hash:
+ additionalProperties: false
+ properties:
+ hash:
+ type: string
+ random:
+ type: boolean
+ type: object
+ headers:
+ items:
+ additionalProperties: false
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ key:
+ type: string
+ name:
+ type: string
+ partition:
+ enum:
+ - random
+ - round_robin
+ - hash
+ type: string
+ password:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ random:
+ additionalProperties: false
+ properties:
+ group_events:
+ type: number
+ type: object
+ required_acks:
+ enum:
+ - 1
+ - 0
+ - -1
+ type: integer
+ round_robin:
+ additionalProperties: false
+ properties:
+ group_events:
+ type: number
+ type: object
+ sasl:
+ additionalProperties: false
+ nullable: true
+ properties:
+ mechanism:
+ enum:
+ - PLAIN
+ - SCRAM-SHA-256
+ - SCRAM-SHA-512
+ type: string
+ type: object
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ password:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ required:
+ - key
+ type: object
+ type: object
+ shipper:
+ $ref: '#/components/schemas/new_output_shipper'
+ ssl:
+ $ref: '#/components/schemas/new_output_ssl'
+ timeout:
+ type: number
+ topic:
+ type: string
+ type:
+ enum:
+ - kafka
+ type: string
+ username:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - auth_type
+ type: object
+ new_output_logstash:
+ additionalProperties: false
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ shipper:
+ $ref: '#/components/schemas/new_output_shipper'
+ ssl:
+ $ref: '#/components/schemas/new_output_ssl'
+ type:
+ enum:
+ - logstash
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ type: object
+ new_output_remote_elasticsearch:
+ additionalProperties: false
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ kibana_api_key:
+ nullable: true
+ type: string
+ x-omitempty: true
+ kibana_url:
+ nullable: true
+ type: string
+ x-omitempty: true
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ service_token:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ service_token:
+ nullable: true
+ type: string
+ x-omitempty: true
+ shipper:
+ $ref: '#/components/schemas/new_output_shipper'
+ ssl:
+ $ref: '#/components/schemas/new_output_ssl'
+ sync_integrations:
+ type: boolean
+ sync_uninstalled_integrations:
+ type: boolean
+ type:
+ enum:
+ - remote_elasticsearch
+ type: string
+ write_to_logs_streams:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ required:
+ - name
+ - type
+ - hosts
+ type: object
+ new_output_shipper:
+ additionalProperties: false
+ nullable: true
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ x-omitempty: true
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ x-omitempty: true
+ disk_queue_path:
+ nullable: true
+ type: string
+ x-omitempty: true
+ loadbalance:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ max_batch_bytes:
+ nullable: true
+ type: number
+ x-omitempty: true
+ mem_queue_events:
+ nullable: true
+ type: number
+ x-omitempty: true
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ x-omitempty: true
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ type: object
+ x-omitempty: true
+ new_output_ssl:
+ additionalProperties: false
+ nullable: true
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type: object
+ x-omitempty: true
+ new_output_union:
+ anyOf:
+ - $ref: '#/components/schemas/new_output_elasticsearch'
+ - $ref: '#/components/schemas/new_output_remote_elasticsearch'
+ - $ref: '#/components/schemas/new_output_logstash'
+ - $ref: '#/components/schemas/new_output_kafka'
+ opsgenie_config:
+ description: Defines properties for connectors when type is `.opsgenie`.
+ properties:
+ apiUrl:
+ description: |
+ The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ required:
+ - apiUrl
+ title: Connector request properties for an Opsgenie connector
+ type: object
+ opsgenie_secrets:
+ description: Defines secrets for connectors when type is `.opsgenie`.
+ properties:
+ apiKey:
+ description: The Opsgenie API authentication key for HTTP Basic authentication.
+ type: string
+ required:
+ - apiKey
+ title: Connector secrets properties for an Opsgenie connector
+ type: object
+ output_elasticsearch:
+ additionalProperties: true
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: true
+ properties:
+ ssl:
+ additionalProperties: true
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ shipper:
+ $ref: '#/components/schemas/output_shipper'
+ ssl:
+ $ref: '#/components/schemas/output_ssl'
+ type:
+ enum:
+ - elasticsearch
+ type: string
+ write_to_logs_streams:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ required:
+ - name
+ - type
+ - hosts
+ type: object
+ output_kafka:
+ additionalProperties: true
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ auth_type:
+ enum:
+ - none
+ - user_pass
+ - ssl
+ - kerberos
+ type: string
+ broker_timeout:
+ type: number
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ client_id:
+ type: string
+ compression:
+ enum:
+ - gzip
+ - snappy
+ - lz4
+ - none
+ type: string
+ compression_level:
+ type: integer
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ connection_type:
+ type: string
+ hash:
+ additionalProperties: true
+ properties:
+ hash:
+ type: string
+ random:
+ type: boolean
+ type: object
+ headers:
+ items:
+ additionalProperties: true
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ key:
+ type: string
+ name:
+ type: string
+ partition:
+ enum:
+ - random
+ - round_robin
+ - hash
+ type: string
+ password:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ random:
+ additionalProperties: true
+ properties:
+ group_events:
+ type: number
+ type: object
+ required_acks:
+ enum:
+ - 1
+ - 0
+ - -1
+ type: integer
+ round_robin:
+ additionalProperties: true
+ properties:
+ group_events:
+ type: number
+ type: object
+ sasl:
+ additionalProperties: true
+ nullable: true
+ properties:
+ mechanism:
+ enum:
+ - PLAIN
+ - SCRAM-SHA-256
+ - SCRAM-SHA-512
+ type: string
+ type: object
+ x-omitempty: true
+ secrets:
+ additionalProperties: true
+ properties:
+ password:
+ anyOf:
+ - additionalProperties: true
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ ssl:
+ additionalProperties: true
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ required:
+ - key
+ type: object
+ type: object
+ shipper:
+ $ref: '#/components/schemas/output_shipper'
+ ssl:
+ $ref: '#/components/schemas/output_ssl'
+ timeout:
+ type: number
+ topic:
+ type: string
+ type:
+ enum:
+ - kafka
+ type: string
+ username:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - auth_type
+ type: object
+ output_logstash:
+ additionalProperties: true
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: true
+ properties:
+ ssl:
+ additionalProperties: true
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ shipper:
+ $ref: '#/components/schemas/output_shipper'
+ ssl:
+ $ref: '#/components/schemas/output_ssl'
+ type:
+ enum:
+ - logstash
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ type: object
+ output_remote_elasticsearch:
+ additionalProperties: true
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ kibana_api_key:
+ nullable: true
+ type: string
+ x-omitempty: true
+ kibana_url:
+ nullable: true
+ type: string
+ x-omitempty: true
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: true
+ properties:
+ service_token:
+ anyOf:
+ - additionalProperties: true
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ ssl:
+ additionalProperties: true
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ service_token:
+ nullable: true
+ type: string
+ x-omitempty: true
+ shipper:
+ $ref: '#/components/schemas/output_shipper'
+ ssl:
+ $ref: '#/components/schemas/output_ssl'
+ sync_integrations:
+ type: boolean
+ sync_uninstalled_integrations:
+ type: boolean
+ type:
+ enum:
+ - remote_elasticsearch
+ type: string
+ write_to_logs_streams:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ required:
+ - name
+ - type
+ - hosts
+ type: object
+ output_shipper:
+ additionalProperties: true
+ nullable: true
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ x-omitempty: true
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ x-omitempty: true
+ disk_queue_path:
+ nullable: true
+ type: string
+ x-omitempty: true
+ loadbalance:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ max_batch_bytes:
+ nullable: true
+ type: number
+ x-omitempty: true
+ mem_queue_events:
+ nullable: true
+ type: number
+ x-omitempty: true
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ x-omitempty: true
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ type: object
+ x-omitempty: true
+ output_ssl:
+ additionalProperties: true
+ nullable: true
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type: object
+ x-omitempty: true
+ output_union:
+ anyOf:
+ - $ref: '#/components/schemas/output_elasticsearch'
+ - $ref: '#/components/schemas/output_remote_elasticsearch'
+ - $ref: '#/components/schemas/output_logstash'
+ - $ref: '#/components/schemas/output_kafka'
+ discriminator:
+ mapping:
+ elasticsearch: '#/components/schemas/output_elasticsearch'
+ kafka: '#/components/schemas/output_kafka'
+ logstash: '#/components/schemas/output_logstash'
+ remote_elasticsearch: '#/components/schemas/output_remote_elasticsearch'
+ propertyName: type
+ package_info:
+ additionalProperties: true
+ properties:
+ agent:
+ additionalProperties: false
+ properties:
+ privileges:
+ additionalProperties: false
+ properties:
+ root:
+ type: boolean
+ type: object
+ type: object
+ asset_tags:
+ items:
+ additionalProperties: false
+ properties:
+ asset_ids:
+ items:
+ type: string
+ type: array
+ asset_types:
+ items:
+ type: string
+ type: array
+ text:
+ type: string
+ required:
+ - text
+ type: object
+ type: array
+ assets:
+ additionalProperties: {}
+ type: object
+ categories:
+ items:
+ type: string
+ type: array
+ conditions:
+ additionalProperties: true
+ properties:
+ elastic:
+ additionalProperties: true
+ properties:
+ capabilities:
+ items:
+ type: string
+ type: array
+ subscription:
+ type: string
+ type: object
+ kibana:
+ additionalProperties: true
+ properties:
+ version:
+ type: string
+ type: object
+ type: object
+ data_streams:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ description:
+ type: string
+ discovery:
+ additionalProperties: true
+ properties:
+ datasets:
+ items:
+ additionalProperties: true
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ fields:
+ items:
+ additionalProperties: true
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ type: object
+ download:
+ type: string
+ elasticsearch:
+ additionalProperties: {}
+ type: object
+ format_version:
+ type: string
+ icons:
+ items:
+ additionalProperties: true
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: object
+ type: array
+ installationInfo:
+ additionalProperties: true
+ properties:
+ additional_spaces_installed_kibana:
+ additionalProperties:
+ items:
+ additionalProperties: true
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ type: object
+ created_at:
+ type: string
+ experimental_data_stream_features:
+ items:
+ additionalProperties: true
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: true
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ install_format_schema_version:
+ type: string
+ install_source:
+ enum:
+ - registry
+ - upload
+ - bundled
+ - custom
+ type: string
+ install_status:
+ enum:
+ - installed
+ - installing
+ - install_failed
+ type: string
+ installed_es:
+ items:
+ additionalProperties: true
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ - knowledge_base
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ installed_kibana:
+ items:
+ additionalProperties: true
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ installed_kibana_space_id:
+ type: string
+ is_rollback_ttl_expired:
+ type: boolean
+ latest_executed_state:
+ additionalProperties: true
+ properties:
+ error:
+ type: string
+ name:
+ type: string
+ started_at:
+ type: string
+ type: object
+ latest_install_failed_attempts:
+ items:
+ additionalProperties: true
+ properties:
+ created_at:
+ type: string
+ error:
+ additionalProperties: true
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ stack:
+ type: string
+ required:
+ - name
+ - message
+ type: object
+ target_version:
+ type: string
+ required:
+ - created_at
+ - target_version
+ - error
+ type: object
+ type: array
+ name:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ previous_version:
+ nullable: true
+ type: string
+ x-omitempty: true
+ rolled_back:
+ type: boolean
+ type:
+ type: string
+ updated_at:
+ type: string
+ verification_key_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ verification_status:
+ enum:
+ - unverified
+ - verified
+ - unknown
+ type: string
+ version:
+ type: string
+ required:
+ - type
+ - installed_kibana
+ - installed_es
+ - name
+ - version
+ - install_status
+ - install_source
+ - verification_status
+ type: object
+ internal:
+ type: boolean
+ keepPoliciesUpToDate:
+ type: boolean
+ latestVersion:
+ type: string
+ license:
+ type: string
+ licensePath:
+ type: string
+ name:
+ type: string
+ notice:
+ type: string
+ owner:
+ additionalProperties: true
+ properties:
+ github:
+ type: string
+ type:
+ enum:
+ - elastic
+ - partner
+ - community
+ type: string
+ type: object
+ path:
+ type: string
+ policy_templates:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ readme:
+ type: string
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ screenshots:
+ items:
+ additionalProperties: false
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: object
+ type: array
+ signature_path:
+ type: string
+ source:
+ additionalProperties: true
+ properties:
+ license:
+ type: string
+ required:
+ - license
+ type: object
+ status:
+ type: string
+ title:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - integration
+ type: string
+ - enum:
+ - input
+ type: string
+ - enum:
+ - content
+ type: string
+ - type: string
+ vars:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ version:
+ type: string
+ required:
+ - name
+ - version
+ - title
+ - assets
+ type: object
+ package_list_item:
+ additionalProperties: true
+ properties:
+ categories:
+ items:
+ type: string
+ type: array
+ conditions:
+ additionalProperties: true
+ properties:
+ elastic:
+ additionalProperties: true
+ properties:
+ capabilities:
+ items:
+ type: string
+ type: array
+ subscription:
+ type: string
+ type: object
+ kibana:
+ additionalProperties: true
+ properties:
+ version:
+ type: string
+ type: object
+ type: object
+ data_streams:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ description:
+ type: string
+ discovery:
+ additionalProperties: true
+ properties:
+ datasets:
+ items:
+ additionalProperties: true
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ fields:
+ items:
+ additionalProperties: true
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: object
+ type: array
+ type: object
+ download:
+ type: string
+ format_version:
+ type: string
+ icons:
+ items:
+ additionalProperties: true
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: object
+ type: array
+ id:
+ type: string
+ installationInfo:
+ additionalProperties: true
+ properties:
+ additional_spaces_installed_kibana:
+ additionalProperties:
+ items:
+ additionalProperties: true
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ type: object
+ created_at:
+ type: string
+ experimental_data_stream_features:
+ items:
+ additionalProperties: true
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: true
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ install_format_schema_version:
+ type: string
+ install_source:
+ enum:
+ - registry
+ - upload
+ - bundled
+ - custom
+ type: string
+ install_status:
+ enum:
+ - installed
+ - installing
+ - install_failed
+ type: string
+ installed_es:
+ items:
+ additionalProperties: true
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ - knowledge_base
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ installed_kibana:
+ items:
+ additionalProperties: true
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ - type: string
+ required:
+ - id
+ - type
+ type: object
+ type: array
+ installed_kibana_space_id:
+ type: string
+ is_rollback_ttl_expired:
+ type: boolean
+ latest_executed_state:
+ additionalProperties: true
+ properties:
+ error:
+ type: string
+ name:
+ type: string
+ started_at:
+ type: string
+ type: object
+ latest_install_failed_attempts:
+ items:
+ additionalProperties: true
+ properties:
+ created_at:
+ type: string
+ error:
+ additionalProperties: true
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ stack:
+ type: string
+ required:
+ - name
+ - message
+ type: object
+ target_version:
+ type: string
+ required:
+ - created_at
+ - target_version
+ - error
+ type: object
+ type: array
+ name:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ previous_version:
+ nullable: true
+ type: string
+ x-omitempty: true
+ rolled_back:
+ type: boolean
+ type:
+ type: string
+ updated_at:
+ type: string
+ verification_key_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ verification_status:
+ enum:
+ - unverified
+ - verified
+ - unknown
+ type: string
+ version:
+ type: string
+ required:
+ - type
+ - installed_kibana
+ - installed_es
+ - name
+ - version
+ - install_status
+ - install_source
+ - verification_status
+ type: object
+ integration:
+ type: string
+ internal:
+ type: boolean
+ latestVersion:
+ type: string
+ name:
+ type: string
+ owner:
+ additionalProperties: true
+ properties:
+ github:
+ type: string
+ type:
+ enum:
+ - elastic
+ - partner
+ - community
+ type: string
+ type: object
+ path:
+ type: string
+ policy_templates:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ readme:
+ type: string
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ signature_path:
+ type: string
+ source:
+ additionalProperties: true
+ properties:
+ license:
+ type: string
+ required:
+ - license
+ type: object
+ status:
+ type: string
+ title:
+ type: string
+ type:
+ anyOf:
+ - enum:
+ - integration
+ type: string
+ - enum:
+ - input
+ type: string
+ - enum:
+ - content
+ type: string
+ - type: string
+ vars:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ version:
+ type: string
+ required:
+ - name
+ - version
+ - title
+ - id
+ type: object
+ package_policy:
+ additionalProperties: false
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ agents:
+ type: number
+ cloud_connector_id:
+ description: ID of the cloud connector associated with this package policy.
+ nullable: true
+ type: string
+ x-omitempty: true
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ properties:
+ privileges:
+ additionalProperties: true
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ type: object
+ type: object
+ enabled:
+ type: boolean
+ id:
+ description: Package policy unique identifier.
+ type: string
+ inputs:
+ additionalProperties:
+ $ref: '#/components/schemas/package_policy_input'
+ description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
+ type: object
+ x-oas-optional: true
+ is_managed:
+ type: boolean
+ name:
+ description: Unique name for the package policy.
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ type: object
+ x-omitempty: true
+ package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ policy_id:
+ deprecated: true
+ description: ID of the agent policy which the package policy will be added to.
+ nullable: true
+ type: string
+ x-omitempty: true
+ policy_ids:
+ items:
+ description: IDs of the agent policies which that package policy will be added to.
+ type: string
+ type: array
+ revision:
+ description: Package policy revision.
+ type: number
+ secret_references:
+ items:
+ $ref: '#/components/schemas/package_policy_secret_ref'
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ supports_cloud_connector:
+ default: false
+ description: Indicates whether the package policy supports cloud connectors.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ type: object
+ version:
+ description: Package policy ES version.
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: object
+ package_policy_input:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean
+ streams:
+ additionalProperties:
+ $ref: '#/components/schemas/package_policy_input_stream'
+ description: Input streams. Refer to the integration documentation to know which streams are available.
+ type: object
+ vars:
+ type: object
+ type: object
+ package_policy_input_stream:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that stream. Defaults to `true` (enabled).
+ type: boolean
+ vars:
+ type: object
+ type: object
+ package_policy_request:
+ additionalProperties: false
+ properties:
+ additional_datastreams_permissions:
+ description: Additional datastream permissions, that will be added to the agent policy.
+ items:
+ type: string
+ nullable: true
+ type: array
+ x-omitempty: true
+ description:
+ description: Policy description.
+ type: string
+ force:
+ description: Force package policy creation even if the package is not verified, or if the agent policy is managed.
+ type: boolean
+ id:
+ description: Policy unique identifier.
+ type: string
+ inputs:
+ additionalProperties:
+ $ref: '#/components/schemas/package_policy_request_input'
+ description: Package policy inputs. Refer to the integration documentation to know which inputs are available.
+ type: object
+ name:
+ description: Unique name for the policy.
+ type: string
+ namespace:
+ description: Policy namespace. When not specified, it inherits the agent policy namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ package:
+ $ref: '#/components/schemas/package_policy_request_package'
+ policy_id:
+ deprecated: true
+ description: Deprecated. Use policy_ids instead.
+ nullable: true
+ type: string
+ x-omitempty: true
+ policy_ids:
+ description: IDs of the agent policies which that package policy will be added to.
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ vars:
+ type: object
+ required:
+ - name
+ - package
+ type: object
+ package_policy_request_input:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that input. Defaults to `true` (enabled).
+ type: boolean
+ streams:
+ additionalProperties:
+ $ref: '#/components/schemas/package_policy_request_input_stream'
+ description: Input streams. Refer to the integration documentation to know which streams are available.
+ type: object
+ vars:
+ type: object
+ type: object
+ package_policy_request_input_stream:
+ additionalProperties: false
+ properties:
+ enabled:
+ description: Enable or disable that stream. Defaults to `true` (enabled).
+ type: boolean
+ vars:
+ type: object
+ type: object
+ package_policy_request_package:
+ additionalProperties: false
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ type: object
+ required:
+ - data_stream
+ - features
+ type: object
+ type: array
+ fips_compatible:
+ type: boolean
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ type: object
+ package_policy_secret_ref:
+ additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ pagerduty_config:
+ description: Defines properties for connectors when type is `.pagerduty`.
+ properties:
+ apiUrl:
+ description: The PagerDuty event URL.
+ nullable: true
+ type: string
+ x-omitempty: true
+ title: Connector request properties for a PagerDuty connector
+ type: object
+ pagerduty_secrets:
+ description: Defines secrets for connectors when type is `.pagerduty`.
+ properties:
+ routingKey:
+ description: |
+ A 32 character PagerDuty Integration Key for an integration on a service.
+ type: string
+ required:
+ - routingKey
+ title: Connector secrets properties for a PagerDuty connector
+ type: object
+ params_es_query_dsl_rule:
+ description: |
+ An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.
+ properties:
+ aggField:
+ $ref: '#/components/schemas/aggfield'
+ aggType:
+ $ref: '#/components/schemas/aggtype'
+ esQuery:
+ description: The query definition, which uses Elasticsearch Query DSL.
+ type: string
+ excludeHitsFromPreviousRun:
+ $ref: '#/components/schemas/excludehitsfrompreviousrun'
+ groupBy:
+ $ref: '#/components/schemas/groupby'
+ index:
+ description: The indices to query.
+ oneOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ searchType:
+ default: esQuery
+ description: The type of query, in this case a query that uses Elasticsearch Query DSL.
+ enum:
+ - esQuery
+ type: string
+ size:
+ $ref: '#/components/schemas/size'
+ termField:
+ $ref: '#/components/schemas/termfield'
+ termSize:
+ $ref: '#/components/schemas/termsize'
+ threshold:
+ $ref: '#/components/schemas/threshold'
+ thresholdComparator:
+ $ref: '#/components/schemas/thresholdcomparator'
+ timeField:
+ $ref: '#/components/schemas/timefield'
+ timeWindowSize:
+ $ref: '#/components/schemas/timewindowsize'
+ timeWindowUnit:
+ $ref: '#/components/schemas/timewindowunit'
+ required:
+ - esQuery
+ - index
+ - threshold
+ - thresholdComparator
+ - timeField
+ - timeWindowSize
+ - timeWindowUnit
+ title: Elasticsearch DSL query rule params
+ type: object
+ params_es_query_esql_rule:
+ description: |
+ An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.
+ properties:
+ aggField:
+ $ref: '#/components/schemas/aggfield'
+ aggType:
+ $ref: '#/components/schemas/aggtype'
+ esqlQuery:
+ properties:
+ esql:
+ description: The query definition, which uses Elasticsearch Query Language.
+ type: string
+ required:
+ - esql
+ type: object
+ excludeHitsFromPreviousRun:
+ $ref: '#/components/schemas/excludehitsfrompreviousrun'
+ groupBy:
+ $ref: '#/components/schemas/groupby'
+ searchType:
+ description: The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).
+ enum:
+ - esqlQuery
+ type: string
+ size:
+ description: |
+ When `searchType` is `esqlQuery`, this property is required but it does not affect the rule behavior.
+ type: integer
+ termSize:
+ $ref: '#/components/schemas/termsize'
+ threshold:
+ description: |
+ The threshold value that is used with the `thresholdComparator`. When `searchType` is `esqlQuery`, this property is required and must be set to zero.
+ items:
+ maximum: 0
+ minimum: 0
+ type: integer
+ type: array
+ thresholdComparator:
+ description: |
+ The comparison function for the threshold. When `searchType` is `esqlQuery`, this property is required and must be set to ">". Since the `threshold` value must be `0`, the result is that an alert occurs whenever the query returns results.
+ enum:
+ - '>'
+ type: string
+ timeField:
+ $ref: '#/components/schemas/timefield'
+ timeWindowSize:
+ $ref: '#/components/schemas/timewindowsize'
+ timeWindowUnit:
+ $ref: '#/components/schemas/timewindowunit'
+ required:
+ - esqlQuery
+ - searchType
+ - size
+ - threshold
+ - thresholdComparator
+ - timeWindowSize
+ - timeWindowUnit
+ title: Elasticsearch ES|QL query rule params
+ type: object
+ params_es_query_kql_rule:
+ description: |
+ An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.
+ properties:
+ aggField:
+ $ref: '#/components/schemas/aggfield'
+ aggType:
+ $ref: '#/components/schemas/aggtype'
+ excludeHitsFromPreviousRun:
+ $ref: '#/components/schemas/excludehitsfrompreviousrun'
+ groupBy:
+ $ref: '#/components/schemas/groupby'
+ searchConfiguration:
+ description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
+ properties:
+ filter:
+ items:
+ $ref: '#/components/schemas/filter'
+ type: array
+ index:
+ description: The indices to query.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ query:
+ properties:
+ language:
+ type: string
+ query:
+ type: string
+ type: object
+ type: object
+ searchType:
+ description: The type of query, in this case a text-based query that uses KQL or Lucene.
+ enum:
+ - searchSource
+ type: string
+ size:
+ $ref: '#/components/schemas/size'
+ termField:
+ $ref: '#/components/schemas/termfield'
+ termSize:
+ $ref: '#/components/schemas/termsize'
+ threshold:
+ $ref: '#/components/schemas/threshold'
+ thresholdComparator:
+ $ref: '#/components/schemas/thresholdcomparator'
+ timeField:
+ $ref: '#/components/schemas/timefield'
+ timeWindowSize:
+ $ref: '#/components/schemas/timewindowsize'
+ timeWindowUnit:
+ $ref: '#/components/schemas/timewindowunit'
+ required:
+ - searchType
+ - size
+ - threshold
+ - thresholdComparator
+ - timeWindowSize
+ - timeWindowUnit
+ title: Elasticsearch KQL query rule params
+ type: object
+ params_index_threshold_rule:
+ description: An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when `rule_type_id` is `.index-threshold`.
+ properties:
+ aggField:
+ $ref: '#/components/schemas/aggfield'
+ aggType:
+ $ref: '#/components/schemas/aggtype'
+ filterKuery:
+ description: A KQL expression thats limits the scope of alerts.
+ type: string
+ groupBy:
+ $ref: '#/components/schemas/groupby'
+ index:
+ description: The indices to query.
+ items:
+ type: string
+ type: array
+ termField:
+ $ref: '#/components/schemas/termfield'
+ termSize:
+ $ref: '#/components/schemas/termsize'
+ threshold:
+ $ref: '#/components/schemas/threshold'
+ thresholdComparator:
+ $ref: '#/components/schemas/thresholdcomparator'
+ timeField:
+ $ref: '#/components/schemas/timefield'
+ timeWindowSize:
+ $ref: '#/components/schemas/timewindowsize'
+ timeWindowUnit:
+ $ref: '#/components/schemas/timewindowunit'
+ required:
+ - index
+ - threshold
+ - thresholdComparator
+ - timeField
+ - timeWindowSize
+ - timeWindowUnit
+ title: Index threshold rule params
+ type: object
+ params_property_apm_anomaly:
+ properties:
+ anomalySeverityType:
+ description: |
+ The severity of anomalies that will generate alerts: critical, major, minor, or warning.
+ enum:
+ - critical
+ - major
+ - minor
+ - warning
+ type: string
+ environment:
+ description: Filter the rule to apply to a specific environment.
+ type: string
+ serviceName:
+ description: Filter the rule to apply to a specific service name.
+ type: string
+ transactionType:
+ description: Filter the rule to apply to a specific transaction type.
+ type: string
+ windowSize:
+ description: |
+ The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: number
+ windowUnit:
+ description: |
+ The type of units for the time window. For example: minutes, hours, or days.
+ enum:
+ - m
+ - h
+ - d
+ type: string
+ required:
+ - windowSize
+ - windowUnit
+ - environment
+ - anomalySeverityType
+ params_property_apm_error_count:
+ properties:
+ environment:
+ description: Filter the errors coming from your application to apply the rule to a specific environment.
+ type: string
+ errorGroupingKey:
+ description: |
+ Filter the errors coming from your application to apply the rule to a specific error grouping key, which is a hash of the stack trace and other properties.
+ type: string
+ groupBy:
+ default:
+ - service.name
+ - service.environment
+ description: |
+ Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.
+ items:
+ enum:
+ - service.name
+ - service.environment
+ - transaction.name
+ - error.grouping_key
+ type: string
+ type: array
+ uniqueItems: true
+ serviceName:
+ description: Filter the errors coming from your application to apply the rule to a specific service.
+ type: string
+ threshold:
+ description: The error count threshold.
+ type: number
+ windowSize:
+ description: |
+ The time frame in which the errors must occur (in `windowUnit` units). Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: number
+ windowUnit:
+ description: |
+ The type of units for the time window: minutes, hours, or days.
+ enum:
+ - m
+ - h
+ - d
+ type: string
+ required:
+ - windowSize
+ - windowUnit
+ - threshold
+ - environment
+ params_property_apm_transaction_duration:
+ properties:
+ aggregationType:
+ description: The type of aggregation to perform.
+ enum:
+ - avg
+ - 95th
+ - 99th
+ type: string
+ environment:
+ description: Filter the rule to apply to a specific environment.
+ type: string
+ groupBy:
+ default:
+ - service.name
+ - service.environment
+ - transaction.type
+ description: |
+ Perform a composite aggregation against the selected fields. When any of these groups match the selected rule conditions, an alert is triggered per group.
+ items:
+ enum:
+ - service.name
+ - service.environment
+ - transaction.type
+ - transaction.name
+ type: string
+ type: array
+ uniqueItems: true
+ serviceName:
+ description: Filter the rule to apply to a specific service.
+ type: string
+ threshold:
+ description: The latency threshold value.
+ type: number
+ transactionName:
+ description: Filter the rule to apply to a specific transaction name.
+ type: string
+ transactionType:
+ description: Filter the rule to apply to a specific transaction type.
+ type: string
+ windowSize:
+ description: |
+ The size of the time window (in `windowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: number
+ windowUnit:
+ description: |
+ The type of units for the time window. For example: minutes, hours, or days.
+ enum:
+ - m
+ - h
+ - d
+ type: string
+ required:
+ - windowSize
+ - windowUnit
+ - threshold
+ - environment
+ - aggregationType
+ params_property_apm_transaction_error_rate:
+ properties:
+ environment:
+ description: The environment from APM
+ type: string
+ groupBy:
+ default:
+ - service.name
+ - service.environment
+ - transaction.type
+ items:
+ enum:
+ - service.name
+ - service.environment
+ - transaction.type
+ - transaction.name
+ type: string
+ type: array
+ uniqueItems: true
+ serviceName:
+ description: The service name from APM
+ type: string
+ threshold:
+ description: The error rate threshold value
+ type: number
+ transactionName:
+ description: The transaction name from APM
+ type: string
+ transactionType:
+ description: The transaction type from APM
+ type: string
+ windowSize:
+ description: The window size
+ type: number
+ windowUnit:
+ description: The window size unit
+ enum:
+ - m
+ - h
+ - d
+ type: string
+ required:
+ - windowSize
+ - windowUnit
+ - threshold
+ - environment
+ params_property_infra_inventory:
+ properties:
+ alertOnNoData:
+ type: boolean
+ criteria:
+ items:
+ properties:
+ comparator:
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ type: string
+ customMetric:
+ properties:
+ aggregation:
+ enum:
+ - avg
+ - max
+ - min
+ - rate
+ type: string
+ field:
+ type: string
+ id:
+ type: string
+ label:
+ type: string
+ type:
+ enum:
+ - custom
+ type: string
+ type: object
+ metric:
+ enum:
+ - count
+ - cpu
+ - diskLatency
+ - load
+ - memory
+ - memoryTotal
+ - tx
+ - rx
+ - logRate
+ - diskIOReadBytes
+ - diskIOWriteBytes
+ - s3TotalRequests
+ - s3NumberOfObjects
+ - s3BucketSize
+ - s3DownloadBytes
+ - s3UploadBytes
+ - rdsConnections
+ - rdsQueriesExecuted
+ - rdsActiveTransactions
+ - rdsLatency
+ - sqsMessagesVisible
+ - sqsMessagesDelayed
+ - sqsMessagesSent
+ - sqsMessagesEmpty
+ - sqsOldestMessage
+ - custom
+ type: string
+ sourceId:
+ type: string
+ threshold:
+ items:
+ type: number
+ type: array
+ timeSize:
+ type: number
+ timeUnit:
+ enum:
+ - s
+ - m
+ - h
+ - d
+ type: string
+ warningComparator:
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ type: string
+ warningThreshold:
+ items:
+ type: number
+ type: array
+ type: object
+ type: array
+ filterQuery:
+ type: string
+ filterQueryText:
+ type: string
+ nodeType:
+ enum:
+ - host
+ - pod
+ - container
+ - awsEC2
+ - awsS3
+ - awsSQS
+ - awsRDS
+ type: string
+ sourceId:
+ type: string
+ params_property_infra_metric_threshold:
+ properties:
+ alertOnGroupDisappear:
+ description: |
+ If true, an alert occurs if a group that previously reported metrics does not report them again over the expected time period. This check is not recommended for dynamically scaling infrastructures that might rapidly start and stop nodes automatically.
+ type: boolean
+ alertOnNoData:
+ description: If true, an alert occurs if the metrics do not report any data over the expected period or if the query fails.
+ type: boolean
+ criteria:
+ items:
+ oneOf:
+ - properties:
+ aggType:
+ enum:
+ - avg
+ - max
+ - min
+ - cardinality
+ - rate
+ - count
+ - sum
+ - p95
+ - p99
+ - custom
+ type: string
+ comparator:
+ description: |
+ The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "outside".
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ type: string
+ metric:
+ type: string
+ threshold:
+ description: |
+ The threshold value that is used with the `comparator`. If the `comparator` is `between`, you must specify the boundary values.
+ items:
+ type: number
+ type: array
+ timeSize:
+ description: |
+ The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: number
+ timeUnit:
+ description: |
+ The type of units for the time window: seconds, minutes, hours, or days.
+ enum:
+ - s
+ - m
+ - h
+ - d
+ type: string
+ warningComparator:
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ type: string
+ warningThreshold:
+ description: |
+ The threshold value that is used with the `warningComparator`. If the `warningComparator` is `between`, you must specify the boundary values.
+ items:
+ type: number
+ type: array
+ title: non count criterion
+ type: object
+ - properties:
+ aggType:
+ enum:
+ - count
+ type: string
+ comparator:
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ type: string
+ threshold:
+ items:
+ type: number
+ type: array
+ timeSize:
+ description: |
+ The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: number
+ timeUnit:
+ description: |
+ The type of units for the time window: seconds, minutes, hours, or days.
+ enum:
+ - s
+ - m
+ - h
+ - d
+ type: string
+ warningComparator:
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ type: string
+ warningThreshold:
+ items:
+ type: number
+ type: array
+ title: count criterion
+ type: object
+ - properties:
+ aggType:
+ enum:
+ - custom
+ type: string
+ comparator:
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ type: string
+ customMetric:
+ items:
+ oneOf:
+ - properties:
+ aggType:
+ description: "An aggregation to gather data for the rule. For example, find the average, highest or lowest value of a numeric field. Or use a cardinality aggregation to find the approximate number of unique values in a field. \n"
+ enum:
+ - avg
+ - sum
+ - max
+ - min
+ - cardinality
+ type: string
+ field:
+ type: string
+ name:
+ type: string
+ type: object
+ - properties:
+ aggType:
+ enum:
+ - count
+ type: string
+ filter:
+ type: string
+ name:
+ type: string
+ type: object
+ type: array
+ equation:
+ type: string
+ label:
+ type: string
+ threshold:
+ items:
+ type: number
+ type: array
+ timeSize:
+ description: |
+ The size of the time window (in `timeUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: number
+ timeUnit:
+ description: |
+ The type of units for the time window: seconds, minutes, hours, or days.
+ enum:
+ - s
+ - m
+ - h
+ - d
+ type: string
+ warningComparator:
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ type: string
+ warningThreshold:
+ items:
+ type: number
+ type: array
+ title: custom criterion
+ type: object
+ type: array
+ filterQuery:
+ description: |
+ A query that limits the scope of the rule. The rule evaluates only metric data that matches the query.
+ type: string
+ groupBy:
+ description: |
+ Create an alert for every unique value of the specified fields. For example, you can create a rule per host or every mount point of each host.
+ IMPORTANT: If you include the same field in both the `filterQuery` and `groupBy`, you might receive fewer results than you expect. For example, if you filter by `cloud.region: us-east`, grouping by `cloud.region` will have no effect because the filter query can match only one region.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ sourceId:
+ type: string
+ params_property_log_threshold:
+ oneOf:
+ - properties:
+ count:
+ properties:
+ comparator:
+ enum:
+ - more than
+ - more than or equals
+ - less than
+ - less than or equals
+ - equals
+ - does not equal
+ - matches
+ - does not match
+ - matches phrase
+ - does not match phrase
+ type: string
+ value:
+ type: number
+ type: object
+ criteria:
+ items:
+ properties:
+ comparator:
+ enum:
+ - more than
+ - more than or equals
+ - less than
+ - less than or equals
+ - equals
+ - does not equal
+ - matches
+ - does not match
+ - matches phrase
+ - does not match phrase
+ type: string
+ field:
+ type: string
+ value:
+ oneOf:
+ - type: number
+ - type: string
+ type: object
+ type: array
+ groupBy:
+ items:
+ type: string
+ type: array
+ logView:
+ properties:
+ logViewId:
+ type: string
+ type:
+ enum:
+ - log-view-reference
+ type: string
+ type: object
+ timeSize:
+ type: number
+ timeUnit:
+ enum:
+ - s
+ - m
+ - h
+ - d
+ type: string
+ required:
+ - count
+ - timeSize
+ - timeUnit
+ - logView
+ title: Count
+ type: object
+ - properties:
+ count:
+ properties:
+ comparator:
+ enum:
+ - more than
+ - more than or equals
+ - less than
+ - less than or equals
+ - equals
+ - does not equal
+ - matches
+ - does not match
+ - matches phrase
+ - does not match phrase
+ type: string
+ value:
+ type: number
+ type: object
+ criteria:
+ items:
+ items:
+ properties:
+ comparator:
+ enum:
+ - more than
+ - more than or equals
+ - less than
+ - less than or equals
+ - equals
+ - does not equal
+ - matches
+ - does not match
+ - matches phrase
+ - does not match phrase
+ type: string
+ field:
+ type: string
+ value:
+ oneOf:
+ - type: number
+ - type: string
+ type: object
+ maxItems: 2
+ minItems: 2
+ type: array
+ type: array
+ groupBy:
+ items:
+ type: string
+ type: array
+ logView:
+ properties:
+ logViewId:
+ type: string
+ type:
+ enum:
+ - log-view-reference
+ type: string
+ type: object
+ timeSize:
+ type: number
+ timeUnit:
+ enum:
+ - s
+ - m
+ - h
+ - d
+ type: string
+ required:
+ - count
+ - timeSize
+ - timeUnit
+ - logView
+ title: Ratio
+ type: object
+ params_property_slo_burn_rate:
+ properties:
+ burnRateThreshold:
+ description: The burn rate threshold used to trigger the alert
+ type: number
+ longWindow:
+ description: The duration of the long window used to compute the burn rate
+ properties:
+ unit:
+ description: The duration unit
+ type: string
+ value:
+ description: The duration value
+ type: number
+ type: object
+ maxBurnRateThreshold:
+ description: The maximum burn rate threshold value defined by the SLO error budget
+ type: number
+ shortWindow:
+ description: The duration of the short window used to compute the burn rate
+ properties:
+ unit:
+ description: The duration unit
+ type: string
+ value:
+ description: The duration value
+ type: number
+ type: object
+ sloId:
+ description: The SLO identifier used by the rule
+ type: string
+ params_property_synthetics_monitor_status:
+ properties:
+ availability:
+ properties:
+ range:
+ type: number
+ rangeUnit:
+ type: string
+ threshold:
+ type: string
+ type: object
+ filters:
+ oneOf:
+ - type: string
+ - deprecated: true
+ properties:
+ monitor.type:
+ items:
+ type: string
+ type: array
+ observer.geo.name:
+ items:
+ type: string
+ type: array
+ tags:
+ items:
+ type: string
+ type: array
+ url.port:
+ items:
+ type: string
+ type: array
+ type: object
+ isAutoGenerated:
+ type: boolean
+ locations:
+ deprecated: true
+ items:
+ type: string
+ type: array
+ numTimes:
+ type: number
+ search:
+ type: string
+ shouldCheckAvailability:
+ type: boolean
+ shouldCheckStatus:
+ type: boolean
+ timerange:
+ deprecated: true
+ properties:
+ from:
+ type: string
+ to:
+ type: string
+ type: object
+ timerangeCount:
+ type: number
+ timerangeUnit:
+ type: string
+ version:
+ type: number
+ required:
+ - numTimes
+ - shouldCheckStatus
+ - shouldCheckAvailability
+ params_property_synthetics_uptime_tls:
+ properties:
+ certAgeThreshold:
+ type: number
+ certExpirationThreshold:
+ type: number
+ search:
+ type: string
+ pfx:
+ description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file.
+ title: Personal information exchange
+ type: string
+ resilient_config:
+ description: Defines properties for connectors when type is `.resilient`.
+ properties:
+ apiUrl:
+ description: The IBM Resilient instance URL.
+ type: string
+ orgId:
+ description: The IBM Resilient organization ID.
+ type: string
+ required:
+ - apiUrl
+ - orgId
+ title: Connector request properties for a IBM Resilient connector
+ type: object
+ resilient_secrets:
+ description: Defines secrets for connectors when type is `.resilient`.
+ properties:
+ apiKeyId:
+ description: The authentication key ID for HTTP Basic authentication.
+ type: string
+ apiKeySecret:
+ description: The authentication key secret for HTTP Basic authentication.
+ type: string
+ required:
+ - apiKeyId
+ - apiKeySecret
+ title: Connector secrets properties for IBM Resilient connector
+ type: object
+ run_acknowledge_resolve_pagerduty:
+ description: Test an action that acknowledges or resolves a PagerDuty alert.
+ properties:
+ dedupKey:
+ description: The deduplication key for the PagerDuty alert.
+ maxLength: 255
+ type: string
+ eventAction:
+ description: The type of event.
+ enum:
+ - acknowledge
+ - resolve
+ type: string
+ required:
+ - dedupKey
+ - eventAction
+ title: PagerDuty connector parameters
+ type: object
+ run_addevent:
+ description: The `addEvent` subaction for ServiceNow ITOM connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - addEvent
+ type: string
+ subActionParams:
+ description: The set of configuration properties for the action.
+ properties:
+ additional_info:
+ description: Additional information about the event.
+ type: string
+ description:
+ description: The details about the event.
+ type: string
+ event_class:
+ description: A specific instance of the source.
+ type: string
+ message_key:
+ description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`.
+ type: string
+ metric_name:
+ description: The name of the metric.
+ type: string
+ node:
+ description: The host that the event was triggered for.
+ type: string
+ resource:
+ description: The name of the resource.
+ type: string
+ severity:
+ description: The severity of the event.
+ type: string
+ source:
+ description: The name of the event source type.
+ type: string
+ time_of_event:
+ description: The time of the event.
+ type: string
+ type:
+ description: The type of event.
+ type: string
+ type: object
+ required:
+ - subAction
+ title: The addEvent subaction
+ type: object
+ run_closealert:
+ description: The `closeAlert` subaction for Opsgenie connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - closeAlert
+ type: string
+ subActionParams:
+ properties:
+ alias:
+ description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert.
+ type: string
+ note:
+ description: Additional information for the alert.
+ type: string
+ source:
+ description: The display name for the source of the alert.
+ type: string
+ user:
+ description: The display name for the owner.
+ type: string
+ required:
+ - alias
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The closeAlert subaction
+ type: object
+ run_closeincident:
+ description: The `closeIncident` subaction for ServiceNow ITSM connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - closeIncident
+ type: string
+ subActionParams:
+ properties:
+ incident:
+ anyOf:
+ - required:
+ - correlation_id
+ - required:
+ - externalId
+ properties:
+ correlation_id:
+ default: '{{rule.id}}:{{alert.id}}'
+ description: |
+ An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.
+ maxLength: 100
+ nullable: true
+ type: string
+ x-omitempty: true
+ externalId:
+ description: The unique identifier (`incidentId`) for the incident in ServiceNow.
+ nullable: true
+ type: string
+ x-omitempty: true
+ type: object
+ required:
+ - incident
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The closeIncident subaction
+ type: object
+ run_createalert:
+ description: The `createAlert` subaction for Opsgenie and TheHive connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - createAlert
+ type: string
+ subActionParams:
+ properties:
+ actions:
+ description: The custom actions available to the alert in Opsgenie connectors.
+ items:
+ type: string
+ type: array
+ alias:
+ description: The unique identifier used for alert deduplication in Opsgenie.
+ type: string
+ description:
+ description: A description that provides detailed information about the alert.
+ type: string
+ details:
+ additionalProperties: true
+ description: The custom properties of the alert in Opsgenie connectors.
+ type: object
+ entity:
+ description: The domain of the alert in Opsgenie connectors. For example, the application or server name.
+ type: string
+ message:
+ description: The alert message in Opsgenie connectors.
+ type: string
+ note:
+ description: Additional information for the alert in Opsgenie connectors.
+ type: string
+ priority:
+ description: The priority level for the alert in Opsgenie connectors.
+ enum:
+ - P1
+ - P2
+ - P3
+ - P4
+ - P5
+ type: string
+ responders:
+ description: |
+ The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required.
+ items:
+ properties:
+ id:
+ description: The identifier for the entity.
+ type: string
+ name:
+ description: The name of the entity.
+ type: string
+ type:
+ description: The type of responders, in this case `escalation`.
+ enum:
+ - escalation
+ - schedule
+ - team
+ - user
+ type: string
+ username:
+ description: A valid email address for the user.
+ type: string
+ type: object
+ type: array
+ severity:
+ description: |
+ The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).
+ maximum: 4
+ minimum: 1
+ type: integer
+ source:
+ description: The display name for the source of the alert in Opsgenie and TheHive connectors.
+ type: string
+ sourceRef:
+ description: A source reference for the alert in TheHive connectors.
+ type: string
+ tags:
+ description: The tags for the alert in Opsgenie and TheHive connectors.
+ items:
+ type: string
+ type: array
+ title:
+ description: |
+ A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base.
+ type: string
+ tlp:
+ default: 2
+ description: |
+ The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).
+ maximum: 4
+ minimum: 0
+ type: integer
+ type:
+ description: The type of alert in TheHive connectors.
+ type: string
+ user:
+ description: The display name for the owner.
+ type: string
+ visibleTo:
+ description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required.
+ items:
+ properties:
+ id:
+ description: The identifier for the entity.
+ type: string
+ name:
+ description: The name of the entity.
+ type: string
+ type:
+ description: Valid values are `team` and `user`.
+ enum:
+ - team
+ - user
+ type: string
+ username:
+ description: The user name. This property is required only when the `type` is `user`.
+ type: string
+ required:
+ - type
+ type: object
+ type: array
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The createAlert subaction
+ type: object
+ run_documents:
+ description: Test an action that indexes a document into Elasticsearch.
+ properties:
+ documents:
+ description: The documents in JSON format for index connectors.
+ items:
+ additionalProperties: true
+ type: object
+ type: array
+ required:
+ - documents
+ title: Index connector parameters
+ type: object
+ run_fieldsbyissuetype:
+ description: The `fieldsByIssueType` subaction for Jira connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - fieldsByIssueType
+ type: string
+ subActionParams:
+ properties:
+ id:
+ description: The Jira issue type identifier.
+ type: string
+ required:
+ - id
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The fieldsByIssueType subaction
+ type: object
+ run_getagentdetails:
+ description: The `getAgentDetails` subaction for CrowdStrike connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - getAgentDetails
+ type: string
+ subActionParams:
+ description: The set of configuration properties for the action.
+ properties:
+ ids:
+ description: An array of CrowdStrike agent identifiers.
+ items:
+ type: string
+ type: array
+ required:
+ - ids
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The getAgentDetails subaction
+ type: object
+ run_getagents:
+ description: The `getAgents` subaction for SentinelOne connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - getAgents
+ type: string
+ required:
+ - subAction
+ title: The getAgents subaction
+ type: object
+ run_getchoices:
+ description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - getChoices
+ type: string
+ subActionParams:
+ description: The set of configuration properties for the action.
+ properties:
+ fields:
+ description: An array of fields.
+ items:
+ type: string
+ type: array
+ required:
+ - fields
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The getChoices subaction
+ type: object
+ run_getfields:
+ description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - getFields
+ type: string
+ required:
+ - subAction
+ title: The getFields subaction
+ type: object
+ run_getincident:
+ description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - getIncident
+ type: string
+ subActionParams:
+ properties:
+ externalId:
+ description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier.
+ type: string
+ required:
+ - externalId
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The getIncident subaction
+ type: object
+ run_issue:
+ description: The `issue` subaction for Jira connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - issue
+ type: string
+ subActionParams:
+ properties:
+ id:
+ description: The Jira issue identifier.
+ type: string
+ required:
+ - id
+ type: object
+ required:
+ - subAction
+ title: The issue subaction
+ type: object
+ run_issues:
+ description: The `issues` subaction for Jira connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - issues
+ type: string
+ subActionParams:
+ properties:
+ title:
+ description: The title of the Jira issue.
+ type: string
+ required:
+ - title
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The issues subaction
+ type: object
+ run_issuetypes:
+ description: The `issueTypes` subaction for Jira connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - issueTypes
+ type: string
+ required:
+ - subAction
+ title: The issueTypes subaction
+ type: object
+ run_message_email:
+ description: |
+ Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`.
+ properties:
+ bcc:
+ description: |
+ A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format
+ items:
+ type: string
+ type: array
+ cc:
+ description: "A list of \"carbon copy\" email addresses. Addresses can be specified in `user@host-name` format or in name `` format \n"
+ items:
+ type: string
+ type: array
+ message:
+ description: The email message text. Markdown format is supported.
+ type: string
+ subject:
+ description: The subject line of the email.
+ type: string
+ to:
+ description: |
+ A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format.
+ items:
+ type: string
+ type: array
+ required:
+ - message
+ - subject
+ title: Email connector parameters
+ type: object
+ run_message_serverlog:
+ description: Test an action that writes an entry to the Kibana server log.
+ properties:
+ level:
+ default: info
+ description: The log level of the message for server log connectors.
+ enum:
+ - debug
+ - error
+ - fatal
+ - info
+ - trace
+ - warn
+ type: string
+ message:
+ description: The message for server log connectors.
+ type: string
+ required:
+ - message
+ title: Server log connector parameters
+ type: object
+ run_message_slack:
+ description: |
+ Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`.
+ properties:
+ message:
+ description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
+ type: string
+ required:
+ - message
+ title: Slack connector parameters
+ type: object
+ run_postmessage:
+ description: |
+ Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - postMessage
+ type: string
+ subActionParams:
+ description: The set of configuration properties for the action.
+ properties:
+ channelIds:
+ description: |
+ The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration.
+ items:
+ type: string
+ maxItems: 1
+ type: array
+ channels:
+ deprecated: true
+ description: |
+ The name of a channel that your Slack app has access to.
+ items:
+ type: string
+ maxItems: 1
+ type: array
+ text:
+ description: |
+ The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages.
+ minLength: 1
+ type: string
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The postMessage subaction
+ type: object
+ run_pushtoservice:
+ description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - pushToService
+ type: string
+ subActionParams:
+ description: The set of configuration properties for the action.
+ properties:
+ comments:
+ description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive.
+ items:
+ properties:
+ comment:
+ description: A comment related to the incident. For example, describe how to troubleshoot the issue.
+ type: string
+ commentId:
+ description: A unique identifier for the comment.
+ type: integer
+ type: object
+ type: array
+ incident:
+ description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident.
+ properties:
+ additional_fields:
+ description: |
+ Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format.
+ maxLength: 20
+ nullable: true
+ type: string
+ x-omitempty: true
+ alertId:
+ description: The alert identifier for Swimlane connectors.
+ type: string
+ caseId:
+ description: The case identifier for the incident for Swimlane connectors.
+ type: string
+ caseName:
+ description: The case name for the incident for Swimlane connectors.
+ type: string
+ category:
+ description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
+ type: string
+ correlation_display:
+ description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors.
+ type: string
+ correlation_id:
+ description: |
+ The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.
+ type: string
+ description:
+ description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
+ type: string
+ dest_ip:
+ description: |
+ A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ externalId:
+ description: |
+ The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
+ type: string
+ id:
+ description: The external case identifier for Webhook - Case Management connectors.
+ type: string
+ impact:
+ description: The impact of the incident for ServiceNow ITSM connectors.
+ type: string
+ issueType:
+ description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`.
+ type: integer
+ labels:
+ description: |
+ The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces.
+ items:
+ type: string
+ type: array
+ malware_hash:
+ description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ malware_url:
+ description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ type: string
+ otherFields:
+ additionalProperties: true
+ description: |
+ Custom field identifiers and their values for Jira connectors.
+ maxProperties: 20
+ type: object
+ parent:
+ description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues.
+ type: string
+ priority:
+ description: The priority of the incident in Jira and ServiceNow SecOps connectors.
+ type: string
+ ruleName:
+ description: The rule name for Swimlane connectors.
+ type: string
+ severity:
+ description: |
+ The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).
+ type: integer
+ short_description:
+ description: |
+ A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base.
+ type: string
+ source_ip:
+ description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ status:
+ description: The status of the incident for Webhook - Case Management connectors.
+ type: string
+ subcategory:
+ description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
+ type: string
+ summary:
+ description: A summary of the incident for Jira connectors.
+ type: string
+ tags:
+ description: A list of tags for TheHive and Webhook - Case Management connectors.
+ items:
+ type: string
+ type: array
+ title:
+ description: |
+ A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base.
+ type: string
+ tlp:
+ default: 2
+ description: |
+ The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).
+ maximum: 4
+ minimum: 0
+ type: integer
+ urgency:
+ description: The urgency of the incident for ServiceNow ITSM connectors.
+ type: string
+ type: object
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The pushToService subaction
+ type: object
+ run_trigger_pagerduty:
+ description: Test an action that triggers a PagerDuty alert.
+ properties:
+ class:
+ description: The class or type of the event.
+ type: string
+ component:
+ description: The component of the source machine that is responsible for the event.
+ type: string
+ customDetails:
+ description: Additional details to add to the event.
+ type: object
+ dedupKey:
+ description: |
+ All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution.
+ maxLength: 255
+ type: string
+ eventAction:
+ description: The type of event.
+ enum:
+ - trigger
+ type: string
+ group:
+ description: The logical grouping of components of a service.
+ type: string
+ links:
+ description: A list of links to add to the event.
+ items:
+ properties:
+ href:
+ description: The URL for the link.
+ type: string
+ text:
+ description: A plain text description of the purpose of the link.
+ type: string
+ type: object
+ type: array
+ severity:
+ default: info
+ description: The severity of the event on the affected system.
+ enum:
+ - critical
+ - error
+ - info
+ - warning
+ type: string
+ source:
+ description: |
+ The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action.
+ type: string
+ summary:
+ description: A summery of the event.
+ maxLength: 1024
+ type: string
+ timestamp:
+ description: An ISO-8601 timestamp that indicates when the event was detected or generated.
+ format: date-time
+ type: string
+ required:
+ - eventAction
+ title: PagerDuty connector parameters
+ type: object
+ run_validchannelid:
+ description: |
+ Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`.
+ properties:
+ subAction:
+ description: The action to test.
+ enum:
+ - validChannelId
+ type: string
+ subActionParams:
+ properties:
+ channelId:
+ description: The Slack channel identifier.
+ type: string
+ required:
+ - channelId
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ title: The validChannelId subaction
+ type: object
+ sentinelone_config:
+ description: Defines properties for connectors when type is `.sentinelone`.
+ properties:
+ url:
+ description: |
+ The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ required:
+ - url
+ title: Connector request properties for a SentinelOne connector
+ type: object
+ sentinelone_secrets:
+ description: Defines secrets for connectors when type is `.sentinelone`.
+ properties:
+ token:
+ description: The A SentinelOne API token.
+ type: string
+ required:
+ - token
+ title: Connector secrets properties for a SentinelOne connector
+ type: object
+ server_host:
+ additionalProperties: false
+ properties:
+ host_urls:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ agent_key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ es_key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ ssl:
+ additionalProperties: false
+ nullable: true
+ properties:
+ agent_certificate:
+ type: string
+ agent_certificate_authorities:
+ items:
+ type: string
+ type: array
+ agent_key:
+ type: string
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ client_auth:
+ enum:
+ - optional
+ - required
+ - none
+ type: string
+ es_certificate:
+ type: string
+ es_certificate_authorities:
+ items:
+ type: string
+ type: array
+ es_key:
+ type: string
+ key:
+ type: string
+ type: object
+ x-omitempty: true
+ required:
+ - name
+ - host_urls
+ - id
+ type: object
+ servicenow_config:
+ description: Defines properties for connectors when type is `.servicenow`.
+ properties:
+ apiUrl:
+ description: The ServiceNow instance URL.
+ type: string
+ clientId:
+ description: |
+ The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.
+ type: string
+ isOAuth:
+ default: false
+ description: |
+ The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
+ type: boolean
+ jwtKeyId:
+ description: |
+ The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.
+ type: string
+ userIdentifierValue:
+ description: |
+ The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.
+ type: string
+ usesTableApi:
+ default: true
+ description: |
+ Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow.
+ type: boolean
+ required:
+ - apiUrl
+ title: Connector request properties for a ServiceNow ITSM connector
+ type: object
+ servicenow_itom_config:
+ description: Defines properties for connectors when type is `.servicenow-itom`.
+ properties:
+ apiUrl:
+ description: The ServiceNow instance URL.
+ type: string
+ clientId:
+ description: |
+ The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.
+ type: string
+ isOAuth:
+ default: false
+ description: |
+ The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
+ type: boolean
+ jwtKeyId:
+ description: |
+ The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.
+ type: string
+ userIdentifierValue:
+ description: |
+ The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.
+ type: string
+ required:
+ - apiUrl
+ title: Connector request properties for a ServiceNow ITOM connector
+ type: object
+ servicenow_secrets:
+ description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`.
+ properties:
+ clientSecret:
+ description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`.
+ type: string
+ password:
+ description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`.
+ type: string
+ privateKey:
+ description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`.
+ type: string
+ privateKeyPassword:
+ description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key.
+ type: string
+ username:
+ description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`.
+ type: string
+ title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors
+ type: object
+ size:
+ description: |
+ The number of documents to pass to the configured actions when the threshold condition is met.
+ type: integer
+ slack_api_config:
+ description: Defines properties for connectors when type is `.slack_api`.
+ properties:
+ allowedChannels:
+ description: A list of valid Slack channels.
+ items:
+ maxItems: 25
+ properties:
+ id:
+ description: The Slack channel ID.
+ minLength: 1
+ type: string
+ name:
+ description: The Slack channel name.
+ minLength: 1
+ type: string
+ required:
+ - id
+ - name
+ type: object
+ type: array
+ title: Connector request properties for a Slack connector
+ type: object
+ slack_api_secrets:
+ description: Defines secrets for connectors when type is `.slack`.
+ properties:
+ token:
+ description: Slack bot user OAuth token.
+ type: string
+ required:
+ - token
+ title: Connector secrets properties for a Web API Slack connector
+ type: object
+ swimlane_config:
+ description: Defines properties for connectors when type is `.swimlane`.
+ properties:
+ apiUrl:
+ description: The Swimlane instance URL.
+ type: string
+ appId:
+ description: The Swimlane application ID.
+ type: string
+ connectorType:
+ description: The type of connector. Valid values are `all`, `alerts`, and `cases`.
+ enum:
+ - all
+ - alerts
+ - cases
+ type: string
+ mappings:
+ description: The field mapping.
+ properties:
+ alertIdConfig:
+ description: Mapping for the alert ID.
+ properties:
+ fieldType:
+ description: The type of field in Swimlane.
+ type: string
+ id:
+ description: The identifier for the field in Swimlane.
+ type: string
+ key:
+ description: The key for the field in Swimlane.
+ type: string
+ name:
+ description: The name of the field in Swimlane.
+ type: string
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ title: Alert identifier mapping
+ type: object
+ caseIdConfig:
+ description: Mapping for the case ID.
+ properties:
+ fieldType:
+ description: The type of field in Swimlane.
+ type: string
+ id:
+ description: The identifier for the field in Swimlane.
+ type: string
+ key:
+ description: The key for the field in Swimlane.
+ type: string
+ name:
+ description: The name of the field in Swimlane.
+ type: string
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ title: Case identifier mapping
+ type: object
+ caseNameConfig:
+ description: Mapping for the case name.
+ properties:
+ fieldType:
+ description: The type of field in Swimlane.
+ type: string
+ id:
+ description: The identifier for the field in Swimlane.
+ type: string
+ key:
+ description: The key for the field in Swimlane.
+ type: string
+ name:
+ description: The name of the field in Swimlane.
+ type: string
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ title: Case name mapping
+ type: object
+ commentsConfig:
+ description: Mapping for the case comments.
+ properties:
+ fieldType:
+ description: The type of field in Swimlane.
+ type: string
+ id:
+ description: The identifier for the field in Swimlane.
+ type: string
+ key:
+ description: The key for the field in Swimlane.
+ type: string
+ name:
+ description: The name of the field in Swimlane.
+ type: string
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ title: Case comment mapping
+ type: object
+ descriptionConfig:
+ description: Mapping for the case description.
+ properties:
+ fieldType:
+ description: The type of field in Swimlane.
+ type: string
+ id:
+ description: The identifier for the field in Swimlane.
+ type: string
+ key:
+ description: The key for the field in Swimlane.
+ type: string
+ name:
+ description: The name of the field in Swimlane.
+ type: string
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ title: Case description mapping
+ type: object
+ ruleNameConfig:
+ description: Mapping for the name of the alert's rule.
+ properties:
+ fieldType:
+ description: The type of field in Swimlane.
+ type: string
+ id:
+ description: The identifier for the field in Swimlane.
+ type: string
+ key:
+ description: The key for the field in Swimlane.
+ type: string
+ name:
+ description: The name of the field in Swimlane.
+ type: string
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ title: Rule name mapping
+ type: object
+ severityConfig:
+ description: Mapping for the severity.
+ properties:
+ fieldType:
+ description: The type of field in Swimlane.
+ type: string
+ id:
+ description: The identifier for the field in Swimlane.
+ type: string
+ key:
+ description: The key for the field in Swimlane.
+ type: string
+ name:
+ description: The name of the field in Swimlane.
+ type: string
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ title: Severity mapping
+ type: object
+ title: Connector mappings properties for a Swimlane connector
+ type: object
+ required:
+ - apiUrl
+ - appId
+ - connectorType
+ title: Connector request properties for a Swimlane connector
+ type: object
+ swimlane_secrets:
+ description: Defines secrets for connectors when type is `.swimlane`.
+ properties:
+ apiToken:
+ description: Swimlane API authentication token.
+ type: string
+ title: Connector secrets properties for a Swimlane connector
+ type: object
+ teams_secrets:
+ description: Defines secrets for connectors when type is `.teams`.
+ properties:
+ webhookUrl:
+ description: |
+ The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ required:
+ - webhookUrl
+ title: Connector secrets properties for a Microsoft Teams connector
+ type: object
+ termfield:
+ description: |
+ The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ maxItems: 4
+ type: array
+ termsize:
+ description: |
+ This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
+ type: integer
+ thehive_config:
+ description: Defines configuration properties for connectors when type is `.thehive`.
+ properties:
+ organisation:
+ description: |
+ The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key.
+ type: string
+ url:
+ description: |
+ The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ required:
+ - url
+ title: Connector request properties for a TheHive connector
+ type: object
+ thehive_secrets:
+ description: Defines secrets for connectors when type is `.thehive`.
+ properties:
+ apiKey:
+ description: The API key for authentication in TheHive.
+ type: string
+ required:
+ - apiKey
+ title: Connector secrets properties for a TheHive connector
+ type: object
+ threshold:
+ description: |
+ The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.
+ items:
+ type: integer
+ type: array
+ thresholdcomparator:
+ description: The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".
+ enum:
+ - '>'
+ - '>='
+ - <
+ - <=
+ - between
+ - notBetween
+ type: string
+ timefield:
+ description: The field that is used to calculate the time window.
+ type: string
+ timewindowsize:
+ description: |
+ The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: integer
+ timewindowunit:
+ description: |
+ The type of units for the time window: seconds, minutes, hours, or days.
+ enum:
+ - s
+ - m
+ - h
+ - d
+ type: string
+ tines_config:
+ description: Defines properties for connectors when type is `.tines`.
+ properties:
+ url:
+ description: |
+ The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.
+ type: string
+ required:
+ - url
+ title: Connector request properties for a Tines connector
+ type: object
+ tines_secrets:
+ description: Defines secrets for connectors when type is `.tines`.
+ properties:
+ email:
+ description: The email used to sign in to Tines.
+ type: string
+ token:
+ description: The Tines API token.
+ type: string
+ required:
+ - email
+ - token
+ title: Connector secrets properties for a Tines connector
+ type: object
+ torq_config:
+ description: Defines properties for connectors when type is `.torq`.
+ properties:
+ webhookIntegrationUrl:
+ description: The endpoint URL of the Elastic Security integration in Torq.
+ type: string
+ required:
+ - webhookIntegrationUrl
+ title: Connector request properties for a Torq connector
+ type: object
+ torq_secrets:
+ description: Defines secrets for connectors when type is `.torq`.
+ properties:
+ token:
+ description: The secret of the webhook authentication header.
+ type: string
+ required:
+ - token
+ title: Connector secrets properties for a Torq connector
+ type: object
+ update_connector_config:
+ additionalProperties: {}
+ default: {}
+ description: The connector configuration details.
+ oneOf:
+ - $ref: '#/components/schemas/bedrock_config'
+ - $ref: '#/components/schemas/crowdstrike_config'
+ - $ref: '#/components/schemas/d3security_config'
+ - $ref: '#/components/schemas/email_config'
+ - $ref: '#/components/schemas/gemini_config'
+ - $ref: '#/components/schemas/resilient_config'
+ - $ref: '#/components/schemas/index_config'
+ - $ref: '#/components/schemas/jira_config'
+ - $ref: '#/components/schemas/defender_config'
+ - $ref: '#/components/schemas/genai_azure_config'
+ - $ref: '#/components/schemas/genai_openai_config'
+ - $ref: '#/components/schemas/opsgenie_config'
+ - $ref: '#/components/schemas/pagerduty_config'
+ - $ref: '#/components/schemas/sentinelone_config'
+ - $ref: '#/components/schemas/servicenow_config'
+ - $ref: '#/components/schemas/servicenow_itom_config'
+ - $ref: '#/components/schemas/slack_api_config'
+ - $ref: '#/components/schemas/swimlane_config'
+ - $ref: '#/components/schemas/thehive_config'
+ - $ref: '#/components/schemas/tines_config'
+ - $ref: '#/components/schemas/torq_config'
+ - $ref: '#/components/schemas/webhook_config'
+ - $ref: '#/components/schemas/cases_webhook_config'
+ - $ref: '#/components/schemas/xmatters_config'
+ update_connector_secrets:
+ additionalProperties: {}
+ default: {}
+ oneOf:
+ - $ref: '#/components/schemas/bedrock_secrets'
+ - $ref: '#/components/schemas/crowdstrike_secrets'
+ - $ref: '#/components/schemas/d3security_secrets'
+ - $ref: '#/components/schemas/email_secrets'
+ - $ref: '#/components/schemas/gemini_secrets'
+ - $ref: '#/components/schemas/resilient_secrets'
+ - $ref: '#/components/schemas/jira_secrets'
+ - $ref: '#/components/schemas/teams_secrets'
+ - $ref: '#/components/schemas/genai_secrets'
+ - $ref: '#/components/schemas/opsgenie_secrets'
+ - $ref: '#/components/schemas/pagerduty_secrets'
+ - $ref: '#/components/schemas/sentinelone_secrets'
+ - $ref: '#/components/schemas/servicenow_secrets'
+ - $ref: '#/components/schemas/slack_api_secrets'
+ - $ref: '#/components/schemas/swimlane_secrets'
+ - $ref: '#/components/schemas/thehive_secrets'
+ - $ref: '#/components/schemas/tines_secrets'
+ - $ref: '#/components/schemas/torq_secrets'
+ - $ref: '#/components/schemas/webhook_secrets'
+ - $ref: '#/components/schemas/cases_webhook_secrets'
+ - $ref: '#/components/schemas/xmatters_secrets'
+ update_output_elasticsearch:
+ additionalProperties: false
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ is_default:
+ type: boolean
+ is_default_monitoring:
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ shipper:
+ $ref: '#/components/schemas/update_output_shipper'
+ ssl:
+ $ref: '#/components/schemas/update_output_ssl'
+ type:
+ enum:
+ - elasticsearch
+ type: string
+ write_to_logs_streams:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ type: object
+ update_output_kafka:
+ additionalProperties: false
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ auth_type:
+ enum:
+ - none
+ - user_pass
+ - ssl
+ - kerberos
+ type: string
+ broker_timeout:
+ type: number
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ client_id:
+ type: string
+ compression:
+ enum:
+ - gzip
+ - snappy
+ - lz4
+ - none
+ type: string
+ compression_level:
+ type: integer
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ connection_type:
+ type: string
+ hash:
+ additionalProperties: false
+ properties:
+ hash:
+ type: string
+ random:
+ type: boolean
+ type: object
+ headers:
+ items:
+ additionalProperties: false
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: object
+ type: array
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ key:
+ type: string
+ name:
+ type: string
+ partition:
+ enum:
+ - random
+ - round_robin
+ - hash
+ type: string
+ password:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ random:
+ additionalProperties: false
+ properties:
+ group_events:
+ type: number
+ type: object
+ required_acks:
+ enum:
+ - 1
+ - 0
+ - -1
+ type: integer
+ round_robin:
+ additionalProperties: false
+ properties:
+ group_events:
+ type: number
+ type: object
+ sasl:
+ additionalProperties: false
+ nullable: true
+ properties:
+ mechanism:
+ enum:
+ - PLAIN
+ - SCRAM-SHA-256
+ - SCRAM-SHA-512
+ type: string
+ type: object
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ password:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ required:
+ - key
+ type: object
+ type: object
+ shipper:
+ $ref: '#/components/schemas/update_output_shipper'
+ ssl:
+ $ref: '#/components/schemas/update_output_ssl'
+ timeout:
+ type: number
+ topic:
+ type: string
+ type:
+ enum:
+ - kafka
+ type: string
+ username:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ type: object
+ update_output_logstash:
+ additionalProperties: false
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ is_default:
+ type: boolean
+ is_default_monitoring:
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ shipper:
+ $ref: '#/components/schemas/update_output_shipper'
+ ssl:
+ $ref: '#/components/schemas/update_output_ssl'
+ type:
+ enum:
+ - logstash
+ type: string
+ type: object
+ update_output_remote_elasticsearch:
+ additionalProperties: false
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ x-omitempty: true
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ x-omitempty: true
+ config_yaml:
+ nullable: true
+ type: string
+ x-omitempty: true
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ is_default:
+ type: boolean
+ is_default_monitoring:
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ kibana_api_key:
+ nullable: true
+ type: string
+ x-omitempty: true
+ kibana_url:
+ nullable: true
+ type: string
+ x-omitempty: true
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ x-omitempty: true
+ secrets:
+ additionalProperties: false
+ properties:
+ service_token:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ ssl:
+ additionalProperties: false
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ properties:
+ hash:
+ type: string
+ id:
+ type: string
+ required:
+ - id
+ type: object
+ - type: string
+ type: object
+ type: object
+ service_token:
+ nullable: true
+ type: string
+ x-omitempty: true
+ shipper:
+ $ref: '#/components/schemas/update_output_shipper'
+ ssl:
+ $ref: '#/components/schemas/update_output_ssl'
+ sync_integrations:
+ type: boolean
+ sync_uninstalled_integrations:
+ type: boolean
+ type:
+ enum:
+ - remote_elasticsearch
+ type: string
+ write_to_logs_streams:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ type: object
+ update_output_shipper:
+ additionalProperties: false
+ nullable: true
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ x-omitempty: true
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ x-omitempty: true
+ disk_queue_path:
+ nullable: true
+ type: string
+ x-omitempty: true
+ loadbalance:
+ nullable: true
+ type: boolean
+ x-omitempty: true
+ max_batch_bytes:
+ nullable: true
+ type: number
+ x-omitempty: true
+ mem_queue_events:
+ nullable: true
+ type: number
+ x-omitempty: true
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ x-omitempty: true
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ type: object
+ x-omitempty: true
+ update_output_ssl:
+ additionalProperties: false
+ nullable: true
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type: object
+ x-omitempty: true
+ update_output_union:
+ anyOf:
+ - $ref: '#/components/schemas/update_output_elasticsearch'
+ - $ref: '#/components/schemas/update_output_remote_elasticsearch'
+ - $ref: '#/components/schemas/update_output_logstash'
+ - $ref: '#/components/schemas/update_output_kafka'
+ verification_mode:
+ default: full
+ description: |
+ Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation.
+ enum:
+ - certificate
+ - full
+ - none
+ title: Verification mode
+ type: string
+ webhook_config:
+ description: Defines properties for connectors when type is `.webhook`.
+ properties:
+ authType:
+ $ref: '#/components/schemas/auth_type'
+ ca:
+ $ref: '#/components/schemas/ca'
+ certType:
+ $ref: '#/components/schemas/cert_type'
+ hasAuth:
+ $ref: '#/components/schemas/has_auth'
+ headers:
+ description: A set of key-value pairs sent as headers with the request.
+ nullable: true
+ type: object
+ x-omitempty: true
+ method:
+ default: post
+ description: |
+ The HTTP request method, either `post` or `put`.
+ enum:
+ - post
+ - put
+ type: string
+ url:
+ description: |
+ The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ verificationMode:
+ $ref: '#/components/schemas/verification_mode'
+ title: Connector request properties for a Webhook connector
+ type: object
+ webhook_secrets:
+ description: Defines secrets for connectors when type is `.webhook`.
+ properties:
+ crt:
+ $ref: '#/components/schemas/crt'
+ key:
+ $ref: '#/components/schemas/key'
+ password:
+ description: |
+ The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
+ type: string
+ pfx:
+ $ref: '#/components/schemas/pfx'
+ user:
+ description: |
+ The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
+ type: string
+ title: Connector secrets properties for a Webhook connector
+ type: object
+ xmatters_config:
+ description: Defines properties for connectors when type is `.xmatters`.
+ properties:
+ configUrl:
+ description: |
+ The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`.
+ nullable: true
+ type: string
+ x-omitempty: true
+ usesBasic:
+ default: true
+ description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`).
+ type: boolean
+ title: Connector request properties for an xMatters connector
+ type: object
+ xmatters_secrets:
+ description: Defines secrets for connectors when type is `.xmatters`.
+ properties:
+ password:
+ description: |
+ A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.
+ type: string
+ secretsUrl:
+ description: |
+ The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`.
+ type: string
+ user:
+ description: |
+ A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.
+ type: string
+ title: Connector secrets properties for an xMatters connector
+ type: object
+ securitySchemes:
+ apiKeyAuth:
+ description: |
+ These APIs use key-based authentication. You must create an API key and use the encoded value in the request header. For example: `Authorization: ApiKey base64AccessApiKey`
+ in: header
+ name: Authorization
+ type: apiKey
+ basicAuth:
+ scheme: basic
+ type: http
+security:
+ - apiKeyAuth: []
+ - basicAuth: []
+info:
+ contact:
+ name: Kibana Team
+ description: |
+ The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects.
+ The API calls are stateless.
+ Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the
+ request.
+ API requests return JSON output, which is a format that is machine-readable and works well for automation.
+
+ To interact with Kibana APIs, use the following operations:
+
+ - GET: Fetches the information.
+ - PATCH: Applies partial modifications to the existing information.
+ - POST: Adds new information.
+ - PUT: Updates the existing information.
+ - DELETE: Removes the information.
+
+ You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**.
+ For example:
+
+ ```
+ GET kbn:/api/data_views
+ ```
+
+ For more information about the console, refer to [Run API requests](https://www.elastic.co/docs/explore-analyze/query-filter/tools/console).
+
+ NOTE: Access to internal Kibana API endpoints will be restricted in Kibana version 9.0. Please move any integrations to publicly documented APIs.
+
+ ## Documentation source and versions
+
+ This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository.
+ It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/).
+
+ This documentation contains work-in-progress information for future Elastic Stack releases.
+ title: Kibana APIs
+ version: ""
+ x-doc-license:
+ name: Attribution-NonCommercial-NoDerivatives 4.0 International
+ url: https://creativecommons.org/licenses/by-nc-nd/4.0/
+ x-feedbackLink:
+ label: Feedback
+ url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+
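Review bot: The `password` and `user` descriptions under `xmatters_secrets` are swapped: `password` is documented as "A user name for HTTP basic authentication" and `user` as "A password for HTTP basic authentication". Exchange the two description bodies so each property documents the value it actually carries, e.g. under `user`: `A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.` Two smaller points in the same hunk: the top-level `verification_mode` schema enumerates `certificate`, `full`, `none`, while `update_output_ssl.verification_mode` also allows `strict`; if both are meant to accept the same set, share one schema via `$ref` (and if they intentionally differ, a one-line description on the output variant would avoid readers assuming a typo). Since `none` disables certificate validation, the output-side enum should carry the same explanatory description the connector-side schema already has, so that the weak setting is not a bare, undocumented enum value. Lastly, `info.version` is the empty string `""`; if the generator cannot populate it, consider emitting a placeholder such as `main` so clients that key on the version field do not receive an empty value.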