From 513a9c67f355289ee7ceddc5481d45e98208ff31 Mon Sep 17 00:00:00 2001
From: Kevin Delemme
Date: Fri, 13 Dec 2024 08:40:03 -0500
Subject: [PATCH] [8.x] feat(slo): allow configuration of advanced settings
from UI (#200822) (#203575)
# Backport
This will backport the following commits from `main` to `8.x`:
- [feat(slo): allow configuration of advanced settings from UI
(#200822)](https://github.com/elastic/kibana/pull/200822)
### Questions?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)
---
oas_docs/output/kibana.serverless.yaml | 51869 ++++++++++++++++
oas_docs/output/kibana.yaml | 10 +-
.../packages/kbn-slo-schema/src/schema/slo.ts | 18 +-
.../slo/docs/openapi/slo/bundled.json | 11 +-
.../slo/docs/openapi/slo/bundled.yaml | 10 +-
.../slo/components/schemas/settings.yaml | 10 +-
.../slo/docs/openapi/slo/entrypoint.yaml | 14 -
.../slo/public/data/slo/slo.ts | 1 +
.../slo/public/locators/slo_edit.test.ts | 13 +-
.../slo/public/locators/slo_edit.ts | 27 +-
.../components/overview/overview.tsx | 22 +-
.../advanced_settings/advanced_settings.tsx | 174 +
.../advanced_settings/sync_field_selector.tsx | 84 +
...ailability_indicator_type_form.stories.tsx | 4 +-
.../apm_availability_indicator_type_form.tsx | 22 +-
.../apm_common/field_selector.stories.tsx | 4 +-
.../apm_common/field_selector.tsx | 4 +-
.../get_group_by_cardinality_filters.test.ts | 0
.../get_group_by_cardinality_filters.ts | 0
.../apm_common/use_apm_default_values.ts | 4 +-
...pm_latency_indicator_type_form.stories.tsx | 4 +-
.../apm_latency_indicator_type_form.tsx | 20 +-
.../index_and_timestamp_field.tsx | 13 +-
.../custom_common/index_selection.stories.tsx | 4 +-
.../custom_common/index_selection.tsx | 85 +-
.../custom_common/use_adhoc_data_views.ts | 24 +-
...custom_kql_indicator_type_form.stories.tsx | 4 +-
.../custom_kql_indicator_type_form.tsx | 12 +-
.../custom_metric_type_form.stories.tsx | 4 +-
.../custom_metric/custom_metric_type_form.tsx | 12 +-
.../custom_metric/metric_indicator.tsx | 257 +-
.../histogram/histogram_indicator.tsx | 6 +-
.../histogram_indicator_type_form.tsx | 12 +-
..._availability_indicator_type_form.test.tsx | 0
...etics_availability_indicator_type_form.tsx | 18 +-
.../synthetics_common/field_selector.tsx | 6 +-
.../timeslice_metric/metric_indicator.tsx | 100 +-
.../timeslice_metric/metric_input.tsx | 6 +-
.../timeslice_metric_indicator.tsx | 16 +-
.../slo_edit/components/slo_edit_form.tsx | 105 +-
.../slo_edit_form_description_section.tsx | 218 +-
.../slo_edit_form_indicator_section.tsx | 23 +-
.../slo_edit_form_objective_section.tsx | 409 +-
.../slo/public/pages/slo_edit/constants.ts | 21 +-
.../process_slo_form_values.test.ts.snap | 129 +
.../slo_edit/helpers/format_filters.test.ts | 2 +-
.../helpers/process_slo_form_values.test.ts | 18 +-
.../helpers/process_slo_form_values.ts | 41 +-
.../slo_edit/hooks/use_parse_url_state.ts | 4 +-
.../hooks/use_section_form_validation.ts | 4 +-
.../slo_edit/hooks/use_unregister_fields.ts | 2 +-
.../shared_flyout/slo_add_form_flyout.tsx | 29 +-
.../public/pages/slo_edit/slo_edit.test.tsx | 7 +-
.../slo/public/pages/slo_edit/slo_edit.tsx | 2 +-
.../slo/public/pages/slo_edit/types.ts | 3 +
.../public/utils/slo/remote_slo_urls.test.ts | 4 +-
.../slo/server/services/create_slo.ts | 20 +-
.../slo/server/services/slo_repository.ts | 9 +-
.../transform_generator.test.ts.snap | 8 +
.../apm_transaction_duration.ts | 2 +-
.../apm_transaction_error_rate.ts | 2 +-
.../transform_generator.test.ts | 43 +
.../transform_generator.ts | 3 +-
.../slo/server/services/update_slo.ts | 15 +-
.../monitors_page/hooks/use_create_slo.ts | 4 -
65 files changed, 53188 insertions(+), 843 deletions(-)
create mode 100644 oas_docs/output/kibana.serverless.yaml
create mode 100644 x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/advanced_settings/advanced_settings.tsx
create mode 100644 x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/advanced_settings/sync_field_selector.tsx
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/apm_availability/apm_availability_indicator_type_form.stories.tsx (84%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/apm_availability/apm_availability_indicator_type_form.tsx (88%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/apm_common/field_selector.stories.tsx (87%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/apm_common/field_selector.tsx (97%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/apm_common/get_group_by_cardinality_filters.test.ts (100%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/apm_common/get_group_by_cardinality_filters.ts (100%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/apm_common/use_apm_default_values.ts (91%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/apm_latency/apm_latency_indicator_type_form.stories.tsx (84%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/apm_latency/apm_latency_indicator_type_form.tsx (91%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/custom_common/index_and_timestamp_field.tsx (83%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/custom_common/index_selection.stories.tsx (84%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/custom_common/index_selection.tsx (63%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/custom_common/use_adhoc_data_views.ts (79%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/custom_kql/custom_kql_indicator_type_form.stories.tsx (84%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/custom_kql/custom_kql_indicator_type_form.tsx (91%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/custom_metric/custom_metric_type_form.stories.tsx (89%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/custom_metric/custom_metric_type_form.tsx (91%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/custom_metric/metric_indicator.tsx (60%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/histogram/histogram_indicator.tsx (98%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/histogram/histogram_indicator_type_form.tsx (91%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/synthetics_availability/synthetics_availability_indicator_type_form.test.tsx (100%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/synthetics_availability/synthetics_availability_indicator_type_form.tsx (93%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/synthetics_common/field_selector.tsx (96%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/timeslice_metric/metric_indicator.tsx (80%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/timeslice_metric/metric_input.tsx (97%)
rename x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/{ => indicator_section}/timeslice_metric/timeslice_metric_indicator.tsx (88%)
diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml
new file mode 100644
index 0000000000000..b605ab09de62f
--- /dev/null
+++ b/oas_docs/output/kibana.serverless.yaml
@@ -0,0 +1,51869 @@
+openapi: 3.0.3
+info:
+ contact:
+ name: Kibana Team
+ description: |
+ The Kibana REST APIs for Elastic serverless enable you to manage resources
+ such as connectors, data views, and saved objects. The API calls are
+ stateless. Each request that you make happens in isolation from other calls
+ and must include all of the necessary information for Kibana to fulfill the
+ request. API requests return JSON output, which is a format that is
+ machine-readable and works well for automation.
+
+ To interact with Kibana APIs, use the following operations:
+
+ - GET: Fetches the information.
+ - POST: Adds new information.
+ - PUT: Updates the existing information.
+ - DELETE: Removes the information.
+
+ You can prepend any Kibana API endpoint with `kbn:` and run the request in
+ **Dev Tools → Console**. For example:
+
+ ```
+ GET kbn:/api/data_views
+ ```
+
+ ## Documentation source and versions
+
+ This documentation is derived from the `main` branch of the [kibana](https://github.com/elastic/kibana) repository.
+ It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 International](https://creativecommons.org/licenses/by-nc-nd/4.0/).
+ title: Kibana Serverless APIs
+ version: 1.0.2
+ x-doc-license:
+ name: Attribution-NonCommercial-NoDerivatives 4.0 International
+ url: https://creativecommons.org/licenses/by-nc-nd/4.0/
+ x-feedbackLink:
+ label: Feedback
+ url: https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+
+servers:
+ - url: https://{kibana_url}
+ variables:
+ kibana_url:
+ default:
+security:
+ - apiKeyAuth: []
+tags:
+ - name: alerting
+ description: |
+ Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.
+ externalDocs:
+ description: Alerting documentation
+ url: https://www.elastic.co/docs/current/serverless/rules
+ x-displayName: Alerting
+ - description: |
+ Adjust APM agent configuration without need to redeploy your application.
+ name: APM agent configuration
+ - description: |
+ Configure APM agent keys to authorize requests from APM agents to the APM Server.
+ name: APM agent keys
+ - description: |
+ Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
+ name: APM annotations
+ - description: Create APM fleet server schema.
+ name: APM server schema
+ - description: Configure APM source maps.
+ name: APM sourcemaps
+ - name: connectors
+ description: |
+ Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.
+ externalDocs:
+ description: Connector documentation
+ url: https://www.elastic.co/docs/current/serverless/action-connectors
+ x-displayName: Connectors
+ - name: Data streams
+ - description: Data view APIs enable you to manage data views, formerly known as Kibana index patterns.
+ name: data views
+ x-displayName: Data views
+ - name: Elastic Agent actions
+ - name: Elastic Agent binary download sources
+ - name: Elastic Agent policies
+ - name: Elastic Agent status
+ - name: Elastic Agents
+ - name: Elastic Package Manager (EPM)
+ - name: Fleet enrollment API keys
+ - name: Fleet internals
+ - name: Fleet outputs
+ - name: Fleet package policies
+ - name: Fleet proxies
+ - name: Fleet Server hosts
+ - name: Fleet service tokens
+ - name: Fleet uninstall tokens
+ - name: Message Signing Service
+ - description: Machine learning
+ name: ml
+ x-displayName: Machine learning
+ - name: roles
+ x-displayName: Roles
+ description: Manage the roles that grant Elasticsearch and Kibana privileges.
+ externalDocs:
+ description: Kibana role management
+ url: https://www.elastic.co/guide/en/kibana/master/kibana-role-management.html
+ - description: |
+ Export sets of saved objects that you want to import into Kibana, resolve import errors, and rotate an encryption key for encrypted saved objects with the saved objects APIs.
+
+ To manage a specific type of saved object, use the corresponding APIs.
+ For example, use:
+
+ [Data views](../group/endpoint-data-views)
+
+ Warning: Do not write documents directly to the `.kibana` index. When you write directly to the `.kibana` index, the data becomes corrupted and permanently breaks future Kibana versions.
+ name: saved objects
+ x-displayName: Saved objects
+ - description: Manage and interact with Security Assistant resources.
+ name: Security AI Assistant API
+ x-displayName: Security AI assistant
+ - description: You can create rules that automatically turn events and external alerts sent to Elastic Security into detection alerts. These alerts are displayed on the Detections page.
+ name: Security Detections API
+ x-displayName: Security detections
+ - description: Endpoint Exceptions API allows you to manage detection rule endpoint exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
+ name: Security Endpoint Exceptions API
+ x-displayName: Security endpoint exceptions
+ - description: Interact with and manage endpoints running the Elastic Defend integration.
+ name: Security Endpoint Management API
+ x-displayName: Security endpoint management
+ - description: ''
+ name: Security Entity Analytics API
+ x-displayName: Security entity analytics
+ - description: Exceptions API allows you to manage detection rule exceptions to prevent a rule from generating an alert from incoming events even when the rule's other criteria are met.
+ name: Security Exceptions API
+ x-displayName: Security exceptions
+ - description: Lists API allows you to manage lists of keywords, IPs or IP ranges items.
+ name: Security Lists API
+ x-displayName: Security lists
+ - description: Run live queries, manage packs and saved queries.
+ name: Security Osquery API
+ x-displayName: Security Osquery
+ - description: You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.
+ name: Security Timeline API
+ x-displayName: Security timeline
+ - description: SLO APIs enable you to define, manage and track service-level objectives
+ name: slo
+ x-displayName: Service level objectives
+ - name: spaces
+ x-displayName: Spaces
+ description: Manage your Kibana spaces.
+ - name: system
+ x-displayName: System
+ description: |
+ Get information about the system status, resource usage, and installed plugins.
+paths:
+ /api/actions/connector_types:
+ get:
+ description: You do not need any Kibana feature privileges to run this API.
+ operationId: get-actions-connector-types
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).
+ in: query
+ name: feature_id
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Indicates a successful call.
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ getConnectorTypesServerlessResponse:
+ $ref: '#/components/examples/get_connector_types_generativeai_response'
+ summary: Get connector types
+ tags:
+ - connectors
+ x-beta: true
+ /api/actions/connector/{id}:
+ delete:
+ description: 'WARNING: When you delete a connector, it cannot be recovered.'
+ operationId: delete-actions-connector-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: An identifier for the connector.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Indicates a successful call.
+ summary: Delete a connector
+ tags:
+ - connectors
+ x-beta: true
+ get:
+ operationId: get-actions-connector-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: An identifier for the connector.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ config:
+ additionalProperties: {}
+ type: object
+ connector_type_id:
+ description: The connector type identifier.
+ type: string
+ id:
+ description: The identifier for the connector.
+ type: string
+ is_deprecated:
+ description: Indicates whether the connector is deprecated.
+ type: boolean
+ is_missing_secrets:
+ description: Indicates whether the connector is missing secrets.
+ type: boolean
+ is_preconfigured:
+ description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ type: boolean
+ is_system_action:
+ description: Indicates whether the connector is used for system actions.
+ type: boolean
+ name:
+ description: ' The name of the rule.'
+ type: string
+ required:
+ - id
+ - name
+ - connector_type_id
+ - is_preconfigured
+ - is_deprecated
+ - is_system_action
+ examples:
+ getConnectorResponse:
+ $ref: '#/components/examples/get_connector_response'
+ description: Indicates a successful call.
+ summary: Get connector information
+ tags:
+ - connectors
+ x-beta: true
+ post:
+ operationId: post-actions-connector-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: An identifier for the connector.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ connector_type_id:
+ description: The type of connector.
+ type: string
+ name:
+ description: The display name for the connector.
+ type: string
+ config:
+ additionalProperties: {}
+ default: {}
+ description: The connector configuration details.
+ oneOf:
+ - $ref: '#/components/schemas/bedrock_config'
+ - $ref: '#/components/schemas/crowdstrike_config'
+ - $ref: '#/components/schemas/d3security_config'
+ - $ref: '#/components/schemas/email_config'
+ - $ref: '#/components/schemas/gemini_config'
+ - $ref: '#/components/schemas/resilient_config'
+ - $ref: '#/components/schemas/index_config'
+ - $ref: '#/components/schemas/jira_config'
+ - $ref: '#/components/schemas/genai_azure_config'
+ - $ref: '#/components/schemas/genai_openai_config'
+ - $ref: '#/components/schemas/opsgenie_config'
+ - $ref: '#/components/schemas/pagerduty_config'
+ - $ref: '#/components/schemas/sentinelone_config'
+ - $ref: '#/components/schemas/servicenow_config'
+ - $ref: '#/components/schemas/servicenow_itom_config'
+ - $ref: '#/components/schemas/slack_api_config'
+ - $ref: '#/components/schemas/swimlane_config'
+ - $ref: '#/components/schemas/thehive_config'
+ - $ref: '#/components/schemas/tines_config'
+ - $ref: '#/components/schemas/torq_config'
+ - $ref: '#/components/schemas/webhook_config'
+ - $ref: '#/components/schemas/cases_webhook_config'
+ - $ref: '#/components/schemas/xmatters_config'
+ secrets:
+ additionalProperties: {}
+ default: {}
+ oneOf:
+ - $ref: '#/components/schemas/bedrock_secrets'
+ - $ref: '#/components/schemas/crowdstrike_secrets'
+ - $ref: '#/components/schemas/d3security_secrets'
+ - $ref: '#/components/schemas/email_secrets'
+ - $ref: '#/components/schemas/gemini_secrets'
+ - $ref: '#/components/schemas/resilient_secrets'
+ - $ref: '#/components/schemas/jira_secrets'
+ - $ref: '#/components/schemas/teams_secrets'
+ - $ref: '#/components/schemas/genai_secrets'
+ - $ref: '#/components/schemas/opsgenie_secrets'
+ - $ref: '#/components/schemas/pagerduty_secrets'
+ - $ref: '#/components/schemas/sentinelone_secrets'
+ - $ref: '#/components/schemas/servicenow_secrets'
+ - $ref: '#/components/schemas/slack_api_secrets'
+ - $ref: '#/components/schemas/swimlane_secrets'
+ - $ref: '#/components/schemas/thehive_secrets'
+ - $ref: '#/components/schemas/tines_secrets'
+ - $ref: '#/components/schemas/torq_secrets'
+ - $ref: '#/components/schemas/webhook_secrets'
+ - $ref: '#/components/schemas/cases_webhook_secrets'
+ - $ref: '#/components/schemas/xmatters_secrets'
+ required:
+ - name
+ - connector_type_id
+ examples:
+ createEmailConnectorRequest:
+ $ref: '#/components/examples/create_email_connector_request'
+ createIndexConnectorRequest:
+ $ref: '#/components/examples/create_index_connector_request'
+ createWebhookConnectorRequest:
+ $ref: '#/components/examples/create_webhook_connector_request'
+ createXmattersConnectorRequest:
+ $ref: '#/components/examples/create_xmatters_connector_request'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ config:
+ additionalProperties: {}
+ type: object
+ connector_type_id:
+ description: The connector type identifier.
+ type: string
+ id:
+ description: The identifier for the connector.
+ type: string
+ is_deprecated:
+ description: Indicates whether the connector is deprecated.
+ type: boolean
+ is_missing_secrets:
+ description: Indicates whether the connector is missing secrets.
+ type: boolean
+ is_preconfigured:
+ description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ type: boolean
+ is_system_action:
+ description: Indicates whether the connector is used for system actions.
+ type: boolean
+ name:
+ description: ' The name of the rule.'
+ type: string
+ required:
+ - id
+ - name
+ - connector_type_id
+ - is_preconfigured
+ - is_deprecated
+ - is_system_action
+ examples:
+ createEmailConnectorResponse:
+ $ref: '#/components/examples/create_email_connector_response'
+ createIndexConnectorResponse:
+ $ref: '#/components/examples/create_index_connector_response'
+ createWebhookConnectorResponse:
+ $ref: '#/components/examples/create_webhook_connector_response'
+ createXmattersConnectorResponse:
+ $ref: '#/components/examples/get_connector_response'
+ description: Indicates a successful call.
+ summary: Create a connector
+ tags:
+ - connectors
+ x-beta: true
+ put:
+ operationId: put-actions-connector-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: An identifier for the connector.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ description: The display name for the connector.
+ type: string
+ config:
+ additionalProperties: {}
+ default: {}
+ description: The connector configuration details.
+ oneOf:
+ - $ref: '#/components/schemas/bedrock_config'
+ - $ref: '#/components/schemas/crowdstrike_config'
+ - $ref: '#/components/schemas/d3security_config'
+ - $ref: '#/components/schemas/email_config'
+ - $ref: '#/components/schemas/gemini_config'
+ - $ref: '#/components/schemas/resilient_config'
+ - $ref: '#/components/schemas/index_config'
+ - $ref: '#/components/schemas/jira_config'
+ - $ref: '#/components/schemas/genai_azure_config'
+ - $ref: '#/components/schemas/genai_openai_config'
+ - $ref: '#/components/schemas/opsgenie_config'
+ - $ref: '#/components/schemas/pagerduty_config'
+ - $ref: '#/components/schemas/sentinelone_config'
+ - $ref: '#/components/schemas/servicenow_config'
+ - $ref: '#/components/schemas/servicenow_itom_config'
+ - $ref: '#/components/schemas/slack_api_config'
+ - $ref: '#/components/schemas/swimlane_config'
+ - $ref: '#/components/schemas/thehive_config'
+ - $ref: '#/components/schemas/tines_config'
+ - $ref: '#/components/schemas/torq_config'
+ - $ref: '#/components/schemas/webhook_config'
+ - $ref: '#/components/schemas/cases_webhook_config'
+ - $ref: '#/components/schemas/xmatters_config'
+ secrets:
+ additionalProperties: {}
+ default: {}
+ oneOf:
+ - $ref: '#/components/schemas/bedrock_secrets'
+ - $ref: '#/components/schemas/crowdstrike_secrets'
+ - $ref: '#/components/schemas/d3security_secrets'
+ - $ref: '#/components/schemas/email_secrets'
+ - $ref: '#/components/schemas/gemini_secrets'
+ - $ref: '#/components/schemas/resilient_secrets'
+ - $ref: '#/components/schemas/jira_secrets'
+ - $ref: '#/components/schemas/teams_secrets'
+ - $ref: '#/components/schemas/genai_secrets'
+ - $ref: '#/components/schemas/opsgenie_secrets'
+ - $ref: '#/components/schemas/pagerduty_secrets'
+ - $ref: '#/components/schemas/sentinelone_secrets'
+ - $ref: '#/components/schemas/servicenow_secrets'
+ - $ref: '#/components/schemas/slack_api_secrets'
+ - $ref: '#/components/schemas/swimlane_secrets'
+ - $ref: '#/components/schemas/thehive_secrets'
+ - $ref: '#/components/schemas/tines_secrets'
+ - $ref: '#/components/schemas/torq_secrets'
+ - $ref: '#/components/schemas/webhook_secrets'
+ - $ref: '#/components/schemas/cases_webhook_secrets'
+ - $ref: '#/components/schemas/xmatters_secrets'
+ required:
+ - name
+ examples:
+ updateIndexConnectorRequest:
+ $ref: '#/components/examples/update_index_connector_request'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ config:
+ additionalProperties: {}
+ type: object
+ connector_type_id:
+ description: The connector type identifier.
+ type: string
+ id:
+ description: The identifier for the connector.
+ type: string
+ is_deprecated:
+ description: Indicates whether the connector is deprecated.
+ type: boolean
+ is_missing_secrets:
+ description: Indicates whether the connector is missing secrets.
+ type: boolean
+ is_preconfigured:
+ description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ type: boolean
+ is_system_action:
+ description: Indicates whether the connector is used for system actions.
+ type: boolean
+ name:
+ description: ' The name of the rule.'
+ type: string
+ required:
+ - id
+ - name
+ - connector_type_id
+ - is_preconfigured
+ - is_deprecated
+ - is_system_action
+ description: Indicates a successful call.
+ summary: Update a connector
+ tags:
+ - connectors
+ x-beta: true
+ /api/actions/connector/{id}/_execute:
+ post:
+ description: You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.
+ operationId: post-actions-connector-id-execute
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: An identifier for the connector.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ params:
+ additionalProperties: {}
+ oneOf:
+ - $ref: '#/components/schemas/run_acknowledge_resolve_pagerduty'
+ - $ref: '#/components/schemas/run_documents'
+ - $ref: '#/components/schemas/run_message_email'
+ - $ref: '#/components/schemas/run_message_serverlog'
+ - $ref: '#/components/schemas/run_message_slack'
+ - $ref: '#/components/schemas/run_trigger_pagerduty'
+ - $ref: '#/components/schemas/run_addevent'
+ - $ref: '#/components/schemas/run_closealert'
+ - $ref: '#/components/schemas/run_closeincident'
+ - $ref: '#/components/schemas/run_createalert'
+ - $ref: '#/components/schemas/run_fieldsbyissuetype'
+ - $ref: '#/components/schemas/run_getchoices'
+ - $ref: '#/components/schemas/run_getfields'
+ - $ref: '#/components/schemas/run_getincident'
+ - $ref: '#/components/schemas/run_issue'
+ - $ref: '#/components/schemas/run_issues'
+ - $ref: '#/components/schemas/run_issuetypes'
+ - $ref: '#/components/schemas/run_postmessage'
+ - $ref: '#/components/schemas/run_pushtoservice'
+ - $ref: '#/components/schemas/run_validchannelid'
+ required:
+ - params
+ examples:
+ runIndexConnectorRequest:
+ $ref: '#/components/examples/run_index_connector_request'
+ runJiraConnectorRequest:
+ $ref: '#/components/examples/run_jira_connector_request'
+ runServerLogConnectorRequest:
+ $ref: '#/components/examples/run_servicenow_itom_connector_request'
+ runSlackConnectorRequest:
+ $ref: '#/components/examples/run_slack_api_connector_request'
+ runSwimlaneConnectorRequest:
+ $ref: '#/components/examples/run_swimlane_connector_request'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ config:
+ additionalProperties: {}
+ type: object
+ connector_type_id:
+ description: The connector type identifier.
+ type: string
+ id:
+ description: The identifier for the connector.
+ type: string
+ is_deprecated:
+ description: Indicates whether the connector is deprecated.
+ type: boolean
+ is_missing_secrets:
+ description: Indicates whether the connector is missing secrets.
+ type: boolean
+ is_preconfigured:
+ description: 'Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. '
+ type: boolean
+ is_system_action:
+ description: Indicates whether the connector is used for system actions.
+ type: boolean
+ name:
+ description: ' The name of the rule.'
+ type: string
+ required:
+ - id
+ - name
+ - connector_type_id
+ - is_preconfigured
+ - is_deprecated
+ - is_system_action
+ examples:
+ runIndexConnectorResponse:
+ $ref: '#/components/examples/run_index_connector_response'
+ runJiraConnectorResponse:
+ $ref: '#/components/examples/run_jira_connector_response'
+ runServerLogConnectorResponse:
+ $ref: '#/components/examples/run_server_log_connector_response'
+ runServiceNowITOMConnectorResponse:
+ $ref: '#/components/examples/run_servicenow_itom_connector_response'
+ runSlackConnectorResponse:
+ $ref: '#/components/examples/run_slack_api_connector_response'
+ runSwimlaneConnectorResponse:
+ $ref: '#/components/examples/run_swimlane_connector_response'
+ description: Indicates a successful call.
+ summary: Run a connector
+ tags:
+ - connectors
+ x-beta: true
+ /api/actions/connectors:
+ get:
+ operationId: get-actions-connectors
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ description: Indicates a successful call.
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ getConnectorsResponse:
+ $ref: '#/components/examples/get_connectors_response'
+ summary: Get all connectors
+ tags:
+ - connectors
+ x-beta: true
+ /api/alerting/rule/{id}:
+ delete:
+ operationId: delete-alerting-rule-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The identifier for the rule.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule with the given ID does not exist.
+ summary: Delete a rule
+ tags:
+ - alerting
+ x-beta: true
+ get:
+ operationId: get-alerting-rule-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: The identifier for the rule.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actions:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ description: Defines a period that limits whether the action runs.
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum:
+ - appState
+ - globalState
+ type: string
+ required:
+ - store
+ meta:
+ additionalProperties: {}
+ type: object
+ query:
+ additionalProperties: {}
+ type: object
+ required:
+ - meta
+ type: array
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ - filters
+ timeframe:
+ additionalProperties: false
+ type: object
+ properties:
+ days:
+ description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ items:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ - 7
+ type: integer
+ type: array
+ hours:
+ additionalProperties: false
+ type: object
+ properties:
+ end:
+ description: The end of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ start:
+ description: The start of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ required:
+ - start
+ - end
+ timezone:
+ description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ type: string
+ required:
+ - days
+ - hours
+ - timezone
+ connector_type_id:
+ description: The type of connector. This property appears in responses but cannot be set in requests.
+ type: string
+ frequency:
+ additionalProperties: false
+ type: object
+ properties:
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ type: string
+ summary:
+ description: Indicates whether the action is a summary.
+ type: boolean
+ throttle:
+ description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - summary
+ - notify_when
+ - throttle
+ group:
+ description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ type: string
+ id:
+ description: The identifier for the connector saved object.
+ type: string
+ params:
+ additionalProperties: {}
+ description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ type: object
+ use_alert_data_for_template:
+ description: Indicates whether to use alert data as a template.
+ type: boolean
+ uuid:
+ description: A universally unique identifier (UUID) for the action.
+ type: string
+ required:
+ - id
+ - connector_type_id
+ - params
+ type: array
+ active_snoozes:
+ items:
+ description: List of active snoozes for the rule.
+ type: string
+ type: array
+ alert_delay:
+ additionalProperties: false
+ description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ type: object
+ properties:
+ active:
+ description: The number of consecutive runs that must meet the rule conditions.
+ type: number
+ required:
+ - active
+ api_key_created_by_user:
+ description: Indicates whether the API key that is associated with the rule was created by the user.
+ nullable: true
+ type: boolean
+ api_key_owner:
+ description: The owner of the API key that is associated with the rule and used to run background tasks.
+ nullable: true
+ type: string
+ consumer:
+ description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ type: string
+ created_at:
+ description: The date and time that the rule was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the rule.
+ nullable: true
+ type: string
+ enabled:
+ description: Indicates whether you want to run the rule on an interval basis after it is created.
+ type: boolean
+ execution_status:
+ additionalProperties: false
+ type: object
+ properties:
+ error:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: Error message.
+ type: string
+ reason:
+ description: Reason for error.
+ enum:
+ - read
+ - decrypt
+ - execute
+ - unknown
+ - license
+ - timeout
+ - disabled
+ - validate
+ type: string
+ required:
+ - reason
+ - message
+ last_duration:
+ description: Duration of last execution of the rule.
+ type: number
+ last_execution_date:
+ description: The date and time when rule was executed last.
+ type: string
+ status:
+ description: Status of rule execution.
+ enum:
+ - ok
+ - active
+ - error
+ - warning
+ - pending
+ - unknown
+ type: string
+ warning:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: Warning message.
+ type: string
+ reason:
+ description: Reason for warning.
+ enum:
+ - maxExecutableActions
+ - maxAlerts
+ - maxQueuedActions
+ - ruleExecution
+ type: string
+ required:
+ - reason
+ - message
+ required:
+ - status
+ - last_execution_date
+ flapping:
+ additionalProperties: false
+ description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ nullable: true
+ type: object
+ properties:
+ look_back_window:
+ description: The minimum number of runs in which the threshold must be met.
+ maximum: 20
+ minimum: 2
+ type: number
+ status_change_threshold:
+ description: The minimum number of times an alert must switch states in the look back window.
+ maximum: 20
+ minimum: 2
+ type: number
+ required:
+ - look_back_window
+ - status_change_threshold
+ id:
+ description: The identifier for the rule.
+ type: string
+ is_snoozed_until:
+ description: The date when the rule will no longer be snoozed.
+ nullable: true
+ type: string
+ last_run:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ alerts_count:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ description: Number of active alerts during last run.
+ nullable: true
+ type: number
+ ignored:
+ description: Number of ignored alerts during last run.
+ nullable: true
+ type: number
+ new:
+ description: Number of new alerts during last run.
+ nullable: true
+ type: number
+ recovered:
+ description: Number of recovered alerts during last run.
+ nullable: true
+ type: number
+ outcome:
+ description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ enum:
+ - succeeded
+ - warning
+ - failed
+ type: string
+ outcome_msg:
+ items:
+ description: Outcome message generated during last rule run.
+ type: string
+ nullable: true
+ type: array
+ outcome_order:
+ description: Order of the outcome.
+ type: number
+ warning:
+ description: Warning of last rule execution.
+ enum:
+ - read
+ - decrypt
+ - execute
+ - unknown
+ - license
+ - timeout
+ - disabled
+ - validate
+ - maxExecutableActions
+ - maxAlerts
+ - maxQueuedActions
+ - ruleExecution
+ nullable: true
+ type: string
+ required:
+ - outcome
+ - alerts_count
+ mapped_params:
+ additionalProperties: {}
+ type: object
+ monitoring:
+ additionalProperties: false
+ description: Monitoring details of the rule.
+ type: object
+ properties:
+ run:
+ additionalProperties: false
+ description: Rule run details.
+ type: object
+ properties:
+ calculated_metrics:
+ additionalProperties: false
+ description: Calculation of different percentiles and success ratio.
+ type: object
+ properties:
+ p50:
+ type: number
+ p95:
+ type: number
+ p99:
+ type: number
+ success_ratio:
+ type: number
+ required:
+ - success_ratio
+ history:
+ description: History of the rule run.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of the rule run.
+ type: number
+ outcome:
+ description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ enum:
+ - succeeded
+ - warning
+ - failed
+ type: string
+ success:
+ description: Indicates whether the rule run was successful.
+ type: boolean
+ timestamp:
+ description: Time of rule run.
+ type: number
+ required:
+ - success
+ - timestamp
+ type: array
+ last_run:
+ additionalProperties: false
+ type: object
+ properties:
+ metrics:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of most recent rule run.
+ type: number
+ gap_duration_s:
+ description: Duration in seconds of rule run gap.
+ nullable: true
+ type: number
+ total_alerts_created:
+ description: Total number of alerts created during last rule run.
+ nullable: true
+ type: number
+ total_alerts_detected:
+ description: Total number of alerts detected during last rule run.
+ nullable: true
+ type: number
+ total_indexing_duration_ms:
+ description: Total time spent indexing documents during last rule run in milliseconds.
+ nullable: true
+ type: number
+ total_search_duration_ms:
+ description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
+ nullable: true
+ type: number
+ timestamp:
+ description: Time of the most recent rule run.
+ type: string
+ required:
+ - timestamp
+ - metrics
+ required:
+ - history
+ - calculated_metrics
+ - last_run
+ required:
+ - run
+ mute_all:
+ description: Indicates whether all alerts are muted.
+ type: boolean
+ muted_alert_ids:
+ items:
+ description: 'List of identifiers of muted alerts. '
+ type: string
+ type: array
+ name:
+ description: ' The name of the rule.'
+ type: string
+ next_run:
+ description: Date and time of the next run of the rule.
+ nullable: true
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ params:
+ additionalProperties: {}
+ description: The parameters for the rule.
+ type: object
+ revision:
+ description: The rule revision number.
+ type: number
+ rule_type_id:
+ description: The rule type identifier.
+ type: string
+ running:
+ description: Indicates whether the rule is running.
+ nullable: true
+ type: boolean
+ schedule:
+ additionalProperties: false
+ type: object
+ properties:
+ interval:
+ description: The interval is specified in seconds, minutes, hours, or days.
+ type: string
+ required:
+ - interval
+ scheduled_task_id:
+ description: Identifier of the scheduled task.
+ type: string
+ snooze_schedule:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of the rule snooze schedule.
+ type: number
+ id:
+ description: Identifier of the rule snooze schedule.
+ type: string
+ rRule:
+ additionalProperties: false
+ type: object
+ properties:
+ byhour:
+ items:
+ description: Indicates hours of the day to recur.
+ type: number
+ nullable: true
+ type: array
+ byminute:
+ items:
+ description: Indicates minutes of the hour to recur.
+ type: number
+ nullable: true
+ type: array
+ bymonth:
+ items:
+ description: Indicates months of the year that this rule should recur.
+ type: number
+ nullable: true
+ type: array
+ bymonthday:
+ items:
+ description: Indicates the days of the month to recur.
+ type: number
+ nullable: true
+ type: array
+ bysecond:
+ items:
+ description: Indicates seconds of the day to recur.
+ type: number
+ nullable: true
+ type: array
+ bysetpos:
+ items:
+ description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
+ type: number
+ nullable: true
+ type: array
+ byweekday:
+ items:
+ anyOf:
+ - type: string
+ - type: number
+ description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
+ nullable: true
+ type: array
+ byweekno:
+ items:
+ description: Indicates number of the week hours to recur.
+ type: number
+ nullable: true
+ type: array
+ byyearday:
+ items:
+ description: Indicates the days of the year that this rule should recur.
+ type: number
+ nullable: true
+ type: array
+ count:
+ description: Number of times the rule should recur until it stops.
+ type: number
+ dtstart:
+ description: Rule start date in Coordinated Universal Time (UTC).
+ type: string
+ freq:
+ description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ type: integer
+ interval:
+ description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
+ type: number
+ tzid:
+ description: Indicates timezone abbreviation.
+ type: string
+ until:
+ description: Recur the rule until this date.
+ type: string
+ wkst:
+ description: Indicates the start of week, defaults to Monday.
+ enum:
+ - MO
+ - TU
+ - WE
+ - TH
+ - FR
+ - SA
+ - SU
+ type: string
+ required:
+ - dtstart
+ - tzid
+ skipRecurrences:
+ items:
+ description: Skips recurrence of rule on this date.
+ type: string
+ type: array
+ required:
+ - duration
+ - rRule
+ type: array
+ tags:
+ items:
+ description: The tags for the rule.
+ type: string
+ type: array
+ throttle:
+ deprecated: true
+ description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ updated_at:
+ description: The date and time that the rule was updated most recently.
+ type: string
+ updated_by:
+ description: The identifier for the user that updated this rule most recently.
+ nullable: true
+ type: string
+ view_in_app_relative_url:
+ description: Relative URL to view rule in the app.
+ nullable: true
+ type: string
+ required:
+ - id
+ - enabled
+ - name
+ - tags
+ - rule_type_id
+ - consumer
+ - schedule
+ - actions
+ - params
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - api_key_owner
+ - mute_all
+ - muted_alert_ids
+ - execution_status
+ - revision
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule with the given ID does not exist.
+ summary: Get rule details
+ tags:
+ - alerting
+ x-beta: true
+ post:
+ operationId: post-alerting-rule-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The identifier for the rule. If it is omitted, an ID is randomly generated.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actions:
+ default: []
+ items:
+ additionalProperties: false
+ description: An action that runs under defined conditions.
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ description: Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum:
+ - appState
+ - globalState
+ type: string
+ required:
+ - store
+ meta:
+ additionalProperties: {}
+ type: object
+ query:
+ additionalProperties: {}
+ type: object
+ required:
+ - meta
+ type: array
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ - filters
+ timeframe:
+ additionalProperties: false
+ description: Defines a period that limits whether the action runs.
+ type: object
+ properties:
+ days:
+ description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ items:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ - 7
+ type: integer
+ type: array
+ hours:
+ additionalProperties: false
+ description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.
+ type: object
+ properties:
+ end:
+ description: The end of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ start:
+ description: The start of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ required:
+ - start
+ - end
+ timezone:
+ description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ type: string
+ required:
+ - days
+ - hours
+ - timezone
+ frequency:
+ additionalProperties: false
+ type: object
+ properties:
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ type: string
+ summary:
+ description: Indicates whether the action is a summary.
+ type: boolean
+ throttle:
+ description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - summary
+ - notify_when
+ - throttle
+ group:
+ description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ type: string
+ id:
+ description: The identifier for the connector saved object.
+ type: string
+ params:
+ additionalProperties: {}
+ default: {}
+ description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ type: object
+ use_alert_data_for_template:
+ description: Indicates whether to use alert data as a template.
+ type: boolean
+ uuid:
+ description: A universally unique identifier (UUID) for the action.
+ type: string
+ required:
+ - id
+ type: array
+ alert_delay:
+ additionalProperties: false
+ description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ type: object
+ properties:
+ active:
+ description: The number of consecutive runs that must meet the rule conditions.
+ type: number
+ required:
+ - active
+ consumer:
+ description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ type: string
+ enabled:
+ default: true
+ description: Indicates whether you want to run the rule on an interval basis after it is created.
+ type: boolean
+ flapping:
+ additionalProperties: false
+ description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ nullable: true
+ type: object
+ properties:
+ look_back_window:
+ description: The minimum number of runs in which the threshold must be met.
+ maximum: 20
+ minimum: 2
+ type: number
+ status_change_threshold:
+ description: The minimum number of times an alert must switch states in the look back window.
+ maximum: 20
+ minimum: 2
+ type: number
+ required:
+ - look_back_window
+ - status_change_threshold
+ name:
+ description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ rule_type_id:
+ description: The rule type identifier.
+ type: string
+ schedule:
+ additionalProperties: false
+ description: The check interval, which specifies how frequently the rule conditions are checked.
+ type: object
+ properties:
+ interval:
+ description: The interval is specified in seconds, minutes, hours, or days.
+ type: string
+ required:
+ - interval
+ tags:
+ default: []
+ description: The tags for the rule.
+ items:
+ type: string
+ type: array
+ throttle:
+ description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ params:
+ additionalProperties: {}
+ default: {}
+ description: The parameters for the rule.
+ anyOf:
+ - $ref: '#/components/schemas/params_property_apm_anomaly'
+ - $ref: '#/components/schemas/params_property_apm_error_count'
+ - $ref: '#/components/schemas/params_property_apm_transaction_duration'
+ - $ref: '#/components/schemas/params_property_apm_transaction_error_rate'
+ - $ref: '#/components/schemas/params_es_query_dsl_rule'
+ - $ref: '#/components/schemas/params_es_query_esql_rule'
+ - $ref: '#/components/schemas/params_es_query_kql_rule'
+ - $ref: '#/components/schemas/params_index_threshold_rule'
+ - $ref: '#/components/schemas/params_property_infra_inventory'
+ - $ref: '#/components/schemas/params_property_log_threshold'
+ - $ref: '#/components/schemas/params_property_infra_metric_threshold'
+ - $ref: '#/components/schemas/params_property_slo_burn_rate'
+ - $ref: '#/components/schemas/params_property_synthetics_uptime_tls'
+ - $ref: '#/components/schemas/params_property_synthetics_monitor_status'
+ required:
+ - name
+ - rule_type_id
+ - consumer
+ - schedule
+ examples:
+ createEsQueryEsqlRuleRequest:
+ $ref: '#/components/examples/create_es_query_esql_rule_request'
+ createEsQueryRuleRequest:
+ $ref: '#/components/examples/create_es_query_rule_request'
+ createEsQueryKqlRuleRequest:
+ $ref: '#/components/examples/create_es_query_kql_rule_request'
+ createIndexThresholdRuleRequest:
+ $ref: '#/components/examples/create_index_threshold_rule_request'
+ createTrackingContainmentRuleRequest:
+ $ref: '#/components/examples/create_tracking_containment_rule_request'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actions:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ description: Defines a period that limits whether the action runs.
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum:
+ - appState
+ - globalState
+ type: string
+ required:
+ - store
+ meta:
+ additionalProperties: {}
+ type: object
+ query:
+ additionalProperties: {}
+ type: object
+ required:
+ - meta
+ type: array
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ - filters
+ timeframe:
+ additionalProperties: false
+ type: object
+ properties:
+ days:
+ description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ items:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ - 7
+ type: integer
+ type: array
+ hours:
+ additionalProperties: false
+ type: object
+ properties:
+ end:
+ description: The end of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ start:
+ description: The start of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ required:
+ - start
+ - end
+ timezone:
+ description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ type: string
+ required:
+ - days
+ - hours
+ - timezone
+ connector_type_id:
+ description: The type of connector. This property appears in responses but cannot be set in requests.
+ type: string
+ frequency:
+ additionalProperties: false
+ type: object
+ properties:
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ type: string
+ summary:
+ description: Indicates whether the action is a summary.
+ type: boolean
+ throttle:
+ description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - summary
+ - notify_when
+ - throttle
+ group:
+ description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ type: string
+ id:
+ description: The identifier for the connector saved object.
+ type: string
+ params:
+ additionalProperties: {}
+ description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ type: object
+ use_alert_data_for_template:
+ description: Indicates whether to use alert data as a template.
+ type: boolean
+ uuid:
+ description: A universally unique identifier (UUID) for the action.
+ type: string
+ required:
+ - id
+ - connector_type_id
+ - params
+ type: array
+ active_snoozes:
+ items:
+ description: List of active snoozes for the rule.
+ type: string
+ type: array
+ alert_delay:
+ additionalProperties: false
+ description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ type: object
+ properties:
+ active:
+ description: The number of consecutive runs that must meet the rule conditions.
+ type: number
+ required:
+ - active
+ api_key_created_by_user:
+ description: Indicates whether the API key that is associated with the rule was created by the user.
+ nullable: true
+ type: boolean
+ api_key_owner:
+ description: The owner of the API key that is associated with the rule and used to run background tasks.
+ nullable: true
+ type: string
+ consumer:
+ description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ type: string
+ created_at:
+ description: The date and time that the rule was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the rule.
+ nullable: true
+ type: string
+ enabled:
+ description: Indicates whether you want to run the rule on an interval basis after it is created.
+ type: boolean
+ execution_status:
+ additionalProperties: false
+ type: object
+ properties:
+ error:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: Error message.
+ type: string
+ reason:
+ description: Reason for error.
+ enum:
+ - read
+ - decrypt
+ - execute
+ - unknown
+ - license
+ - timeout
+ - disabled
+ - validate
+ type: string
+ required:
+ - reason
+ - message
+ last_duration:
+ description: Duration of last execution of the rule.
+ type: number
+ last_execution_date:
+ description: The date and time when rule was executed last.
+ type: string
+ status:
+ description: Status of rule execution.
+ enum:
+ - ok
+ - active
+ - error
+ - warning
+ - pending
+ - unknown
+ type: string
+ warning:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: Warning message.
+ type: string
+ reason:
+ description: Reason for warning.
+ enum:
+ - maxExecutableActions
+ - maxAlerts
+ - maxQueuedActions
+ - ruleExecution
+ type: string
+ required:
+ - reason
+ - message
+ required:
+ - status
+ - last_execution_date
+ flapping:
+ additionalProperties: false
+ description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ nullable: true
+ type: object
+ properties:
+ look_back_window:
+ description: The minimum number of runs in which the threshold must be met.
+ maximum: 20
+ minimum: 2
+ type: number
+ status_change_threshold:
+ description: The minimum number of times an alert must switch states in the look back window.
+ maximum: 20
+ minimum: 2
+ type: number
+ required:
+ - look_back_window
+ - status_change_threshold
+ id:
+ description: The identifier for the rule.
+ type: string
+ is_snoozed_until:
+ description: The date when the rule will no longer be snoozed.
+ nullable: true
+ type: string
+ last_run:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ alerts_count:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ description: Number of active alerts during last run.
+ nullable: true
+ type: number
+ ignored:
+ description: Number of ignored alerts during last run.
+ nullable: true
+ type: number
+ new:
+ description: Number of new alerts during last run.
+ nullable: true
+ type: number
+ recovered:
+ description: Number of recovered alerts during last run.
+ nullable: true
+ type: number
+ outcome:
+ description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ enum:
+ - succeeded
+ - warning
+ - failed
+ type: string
+ outcome_msg:
+ items:
+ description: Outcome message generated during last rule run.
+ type: string
+ nullable: true
+ type: array
+ outcome_order:
+ description: Order of the outcome.
+ type: number
+ warning:
+ description: Warning of last rule execution.
+ enum:
+ - read
+ - decrypt
+ - execute
+ - unknown
+ - license
+ - timeout
+ - disabled
+ - validate
+ - maxExecutableActions
+ - maxAlerts
+ - maxQueuedActions
+ - ruleExecution
+ nullable: true
+ type: string
+ required:
+ - outcome
+ - alerts_count
+ mapped_params:
+ additionalProperties: {}
+ type: object
+ monitoring:
+ additionalProperties: false
+ description: Monitoring details of the rule.
+ type: object
+ properties:
+ run:
+ additionalProperties: false
+ description: Rule run details.
+ type: object
+ properties:
+ calculated_metrics:
+ additionalProperties: false
+ description: Calculation of different percentiles and success ratio.
+ type: object
+ properties:
+ p50:
+ type: number
+ p95:
+ type: number
+ p99:
+ type: number
+ success_ratio:
+ type: number
+ required:
+ - success_ratio
+ history:
+ description: History of the rule run.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of the rule run.
+ type: number
+ outcome:
+ description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ enum:
+ - succeeded
+ - warning
+ - failed
+ type: string
+ success:
+ description: Indicates whether the rule run was successful.
+ type: boolean
+ timestamp:
+ description: Time of rule run.
+ type: number
+ required:
+ - success
+ - timestamp
+ type: array
+ last_run:
+ additionalProperties: false
+ type: object
+ properties:
+ metrics:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of most recent rule run.
+ type: number
+ gap_duration_s:
+ description: Duration in seconds of rule run gap.
+ nullable: true
+ type: number
+ total_alerts_created:
+ description: Total number of alerts created during last rule run.
+ nullable: true
+ type: number
+ total_alerts_detected:
+ description: Total number of alerts detected during last rule run.
+ nullable: true
+ type: number
+ total_indexing_duration_ms:
+ description: Total time spent indexing documents during last rule run in milliseconds.
+ nullable: true
+ type: number
+ total_search_duration_ms:
+ description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
+ nullable: true
+ type: number
+ timestamp:
+ description: Time of the most recent rule run.
+ type: string
+ required:
+ - timestamp
+ - metrics
+ required:
+ - history
+ - calculated_metrics
+ - last_run
+ required:
+ - run
+ mute_all:
+ description: Indicates whether all alerts are muted.
+ type: boolean
+ muted_alert_ids:
+ items:
+ description: 'List of identifiers of muted alerts. '
+ type: string
+ type: array
+ name:
+ description: ' The name of the rule.'
+ type: string
+ next_run:
+ description: Date and time of the next run of the rule.
+ nullable: true
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ params:
+ additionalProperties: {}
+ description: The parameters for the rule.
+ type: object
+ revision:
+ description: The rule revision number.
+ type: number
+ rule_type_id:
+ description: The rule type identifier.
+ type: string
+ running:
+ description: Indicates whether the rule is running.
+ nullable: true
+ type: boolean
+ schedule:
+ additionalProperties: false
+ type: object
+ properties:
+ interval:
+ description: The interval is specified in seconds, minutes, hours, or days.
+ type: string
+ required:
+ - interval
+ scheduled_task_id:
+ description: Identifier of the scheduled task.
+ type: string
+ snooze_schedule:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of the rule snooze schedule.
+ type: number
+ id:
+ description: Identifier of the rule snooze schedule.
+ type: string
+ rRule:
+ additionalProperties: false
+ type: object
+ properties:
+ byhour:
+ items:
+ description: Indicates hours of the day to recur.
+ type: number
+ nullable: true
+ type: array
+ byminute:
+ items:
+ description: Indicates minutes of the hour to recur.
+ type: number
+ nullable: true
+ type: array
+ bymonth:
+ items:
+ description: Indicates months of the year that this rule should recur.
+ type: number
+ nullable: true
+ type: array
+ bymonthday:
+ items:
+ description: Indicates the days of the month to recur.
+ type: number
+ nullable: true
+ type: array
+ bysecond:
+ items:
+ description: Indicates seconds of the day to recur.
+ type: number
+ nullable: true
+ type: array
+ bysetpos:
+ items:
+ description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
+ type: number
+ nullable: true
+ type: array
+ byweekday:
+ items:
+ anyOf:
+ - type: string
+ - type: number
+ description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
+ nullable: true
+ type: array
+ byweekno:
+ items:
+ description: Indicates number of the week hours to recur.
+ type: number
+ nullable: true
+ type: array
+ byyearday:
+ items:
+ description: Indicates the days of the year that this rule should recur.
+ type: number
+ nullable: true
+ type: array
+ count:
+ description: Number of times the rule should recur until it stops.
+ type: number
+ dtstart:
+ description: Rule start date in Coordinated Universal Time (UTC).
+ type: string
+ freq:
+ description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ type: integer
+ interval:
+ description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
+ type: number
+ tzid:
+ description: Indicates timezone abbreviation.
+ type: string
+ until:
+ description: Recur the rule until this date.
+ type: string
+ wkst:
+ description: Indicates the start of week, defaults to Monday.
+ enum:
+ - MO
+ - TU
+ - WE
+ - TH
+ - FR
+ - SA
+ - SU
+ type: string
+ required:
+ - dtstart
+ - tzid
+ skipRecurrences:
+ items:
+ description: Skips recurrence of rule on this date.
+ type: string
+ type: array
+ required:
+ - duration
+ - rRule
+ type: array
+ tags:
+ items:
+ description: The tags for the rule.
+ type: string
+ type: array
+ throttle:
+ deprecated: true
+ description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ updated_at:
+ description: The date and time that the rule was updated most recently.
+ type: string
+ updated_by:
+ description: The identifier for the user that updated this rule most recently.
+ nullable: true
+ type: string
+ view_in_app_relative_url:
+ description: Relative URL to view rule in the app.
+ nullable: true
+ type: string
+ required:
+ - id
+ - enabled
+ - name
+ - tags
+ - rule_type_id
+ - consumer
+ - schedule
+ - actions
+ - params
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - api_key_owner
+ - mute_all
+ - muted_alert_ids
+ - execution_status
+ - revision
+ examples:
+ createEsQueryEsqlRuleResponse:
+ $ref: '#/components/examples/create_es_query_esql_rule_response'
+ createEsQueryRuleResponse:
+ $ref: '#/components/examples/create_es_query_rule_response'
+ createEsQueryKqlRuleResponse:
+ $ref: '#/components/examples/create_es_query_kql_rule_response'
+ createIndexThresholdRuleResponse:
+ $ref: '#/components/examples/create_index_threshold_rule_response'
+ createTrackingContainmentRuleResponse:
+ $ref: '#/components/examples/create_tracking_containment_rule_response'
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ '409':
+ description: Indicates that the rule id is already in use.
+ summary: Create a rule
+ tags:
+ - alerting
+ x-beta: true
+ put:
+ operationId: put-alerting-rule-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The identifier for the rule.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actions:
+ default: []
+ items:
+ additionalProperties: false
+ description: An action that runs under defined conditions.
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum:
+ - appState
+ - globalState
+ type: string
+ required:
+ - store
+ meta:
+ additionalProperties: {}
+ type: object
+ query:
+ additionalProperties: {}
+ type: object
+ required:
+ - meta
+ type: array
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ - filters
+ timeframe:
+ additionalProperties: false
+ description: Defines a period that limits whether the action runs.
+ type: object
+ properties:
+ days:
+ description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ items:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ - 7
+ type: integer
+ type: array
+ hours:
+ additionalProperties: false
+ description: Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.
+ type: object
+ properties:
+ end:
+ description: The end of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ start:
+ description: The start of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ required:
+ - start
+ - end
+ timezone:
+ description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ type: string
+ required:
+ - days
+ - hours
+ - timezone
+ frequency:
+ additionalProperties: false
+ type: object
+ properties:
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ type: string
+ summary:
+ description: Indicates whether the action is a summary.
+ type: boolean
+ throttle:
+ description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - summary
+ - notify_when
+ - throttle
+ group:
+ description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ type: string
+ id:
+ description: The identifier for the connector saved object.
+ type: string
+ params:
+ additionalProperties: {}
+ default: {}
+ description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ type: object
+ use_alert_data_for_template:
+ description: Indicates whether to use alert data as a template.
+ type: boolean
+ uuid:
+ description: A universally unique identifier (UUID) for the action.
+ type: string
+ required:
+ - id
+ type: array
+ alert_delay:
+ additionalProperties: false
+ description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ type: object
+ properties:
+ active:
+ description: The number of consecutive runs that must meet the rule conditions.
+ type: number
+ required:
+ - active
+ flapping:
+ additionalProperties: false
+ description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ nullable: true
+ type: object
+ properties:
+ look_back_window:
+ description: The minimum number of runs in which the threshold must be met.
+ maximum: 20
+ minimum: 2
+ type: number
+ status_change_threshold:
+ description: The minimum number of times an alert must switch states in the look back window.
+ maximum: 20
+ minimum: 2
+ type: number
+ required:
+ - look_back_window
+ - status_change_threshold
+ name:
+ description: The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ params:
+ additionalProperties: {}
+ default: {}
+ description: The parameters for the rule.
+ type: object
+ schedule:
+ additionalProperties: false
+ type: object
+ properties:
+ interval:
+ description: The interval is specified in seconds, minutes, hours, or days.
+ type: string
+ required:
+ - interval
+ tags:
+ default: []
+ items:
+ description: The tags for the rule.
+ type: string
+ type: array
+ throttle:
+ description: 'Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - name
+ - schedule
+ examples:
+ updateRuleRequest:
+ $ref: '#/components/examples/update_rule_request'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actions:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ description: Defines a period that limits whether the action runs.
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum:
+ - appState
+ - globalState
+ type: string
+ required:
+ - store
+ meta:
+ additionalProperties: {}
+ type: object
+ query:
+ additionalProperties: {}
+ type: object
+ required:
+ - meta
+ type: array
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ - filters
+ timeframe:
+ additionalProperties: false
+ type: object
+ properties:
+ days:
+ description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ items:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ - 7
+ type: integer
+ type: array
+ hours:
+ additionalProperties: false
+ type: object
+ properties:
+ end:
+ description: The end of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ start:
+ description: The start of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ required:
+ - start
+ - end
+ timezone:
+ description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ type: string
+ required:
+ - days
+ - hours
+ - timezone
+ connector_type_id:
+ description: The type of connector. This property appears in responses but cannot be set in requests.
+ type: string
+ frequency:
+ additionalProperties: false
+ type: object
+ properties:
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ type: string
+ summary:
+ description: Indicates whether the action is a summary.
+ type: boolean
+ throttle:
+ description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - summary
+ - notify_when
+ - throttle
+ group:
+ description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ type: string
+ id:
+ description: The identifier for the connector saved object.
+ type: string
+ params:
+ additionalProperties: {}
+ description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ type: object
+ use_alert_data_for_template:
+ description: Indicates whether to use alert data as a template.
+ type: boolean
+ uuid:
+ description: A universally unique identifier (UUID) for the action.
+ type: string
+ required:
+ - id
+ - connector_type_id
+ - params
+ type: array
+ active_snoozes:
+ items:
+ description: List of active snoozes for the rule.
+ type: string
+ type: array
+ alert_delay:
+ additionalProperties: false
+ description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ type: object
+ properties:
+ active:
+ description: The number of consecutive runs that must meet the rule conditions.
+ type: number
+ required:
+ - active
+ api_key_created_by_user:
+ description: Indicates whether the API key that is associated with the rule was created by the user.
+ nullable: true
+ type: boolean
+ api_key_owner:
+ description: The owner of the API key that is associated with the rule and used to run background tasks.
+ nullable: true
+ type: string
+ consumer:
+ description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ type: string
+ created_at:
+ description: The date and time that the rule was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the rule.
+ nullable: true
+ type: string
+ enabled:
+ description: Indicates whether you want to run the rule on an interval basis after it is created.
+ type: boolean
+ execution_status:
+ additionalProperties: false
+ type: object
+ properties:
+ error:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: Error message.
+ type: string
+ reason:
+ description: Reason for error.
+ enum:
+ - read
+ - decrypt
+ - execute
+ - unknown
+ - license
+ - timeout
+ - disabled
+ - validate
+ type: string
+ required:
+ - reason
+ - message
+ last_duration:
+ description: Duration of last execution of the rule.
+ type: number
+ last_execution_date:
+ description: The date and time when rule was executed last.
+ type: string
+ status:
+ description: Status of rule execution.
+ enum:
+ - ok
+ - active
+ - error
+ - warning
+ - pending
+ - unknown
+ type: string
+ warning:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: Warning message.
+ type: string
+ reason:
+ description: Reason for warning.
+ enum:
+ - maxExecutableActions
+ - maxAlerts
+ - maxQueuedActions
+ - ruleExecution
+ type: string
+ required:
+ - reason
+ - message
+ required:
+ - status
+ - last_execution_date
+ flapping:
+ additionalProperties: false
+ description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ nullable: true
+ type: object
+ properties:
+ look_back_window:
+ description: The minimum number of runs in which the threshold must be met.
+ maximum: 20
+ minimum: 2
+ type: number
+ status_change_threshold:
+ description: The minimum number of times an alert must switch states in the look back window.
+ maximum: 20
+ minimum: 2
+ type: number
+ required:
+ - look_back_window
+ - status_change_threshold
+ id:
+ description: The identifier for the rule.
+ type: string
+ is_snoozed_until:
+ description: The date when the rule will no longer be snoozed.
+ nullable: true
+ type: string
+ last_run:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ alerts_count:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ description: Number of active alerts during last run.
+ nullable: true
+ type: number
+ ignored:
+ description: Number of ignored alerts during last run.
+ nullable: true
+ type: number
+ new:
+ description: Number of new alerts during last run.
+ nullable: true
+ type: number
+ recovered:
+ description: Number of recovered alerts during last run.
+ nullable: true
+ type: number
+ outcome:
+ description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ enum:
+ - succeeded
+ - warning
+ - failed
+ type: string
+ outcome_msg:
+ items:
+ description: Outcome message generated during last rule run.
+ type: string
+ nullable: true
+ type: array
+ outcome_order:
+ description: Order of the outcome.
+ type: number
+ warning:
+ description: Warning of last rule execution.
+ enum:
+ - read
+ - decrypt
+ - execute
+ - unknown
+ - license
+ - timeout
+ - disabled
+ - validate
+ - maxExecutableActions
+ - maxAlerts
+ - maxQueuedActions
+ - ruleExecution
+ nullable: true
+ type: string
+ required:
+ - outcome
+ - alerts_count
+ mapped_params:
+ additionalProperties: {}
+ type: object
+ monitoring:
+ additionalProperties: false
+ description: Monitoring details of the rule.
+ type: object
+ properties:
+ run:
+ additionalProperties: false
+ description: Rule run details.
+ type: object
+ properties:
+ calculated_metrics:
+ additionalProperties: false
+ description: Calculation of different percentiles and success ratio.
+ type: object
+ properties:
+ p50:
+ type: number
+ p95:
+ type: number
+ p99:
+ type: number
+ success_ratio:
+ type: number
+ required:
+ - success_ratio
+ history:
+ description: History of the rule run.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of the rule run.
+ type: number
+ outcome:
+ description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ enum:
+ - succeeded
+ - warning
+ - failed
+ type: string
+ success:
+ description: Indicates whether the rule run was successful.
+ type: boolean
+ timestamp:
+ description: Time of rule run.
+ type: number
+ required:
+ - success
+ - timestamp
+ type: array
+ last_run:
+ additionalProperties: false
+ type: object
+ properties:
+ metrics:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of most recent rule run.
+ type: number
+ gap_duration_s:
+ description: Duration in seconds of rule run gap.
+ nullable: true
+ type: number
+ total_alerts_created:
+ description: Total number of alerts created during last rule run.
+ nullable: true
+ type: number
+ total_alerts_detected:
+ description: Total number of alerts detected during last rule run.
+ nullable: true
+ type: number
+ total_indexing_duration_ms:
+ description: Total time spent indexing documents during last rule run in milliseconds.
+ nullable: true
+ type: number
+ total_search_duration_ms:
+ description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
+ nullable: true
+ type: number
+ timestamp:
+ description: Time of the most recent rule run.
+ type: string
+ required:
+ - timestamp
+ - metrics
+ required:
+ - history
+ - calculated_metrics
+ - last_run
+ required:
+ - run
+ mute_all:
+ description: Indicates whether all alerts are muted.
+ type: boolean
+ muted_alert_ids:
+ items:
+ description: 'List of identifiers of muted alerts. '
+ type: string
+ type: array
+ name:
+ description: ' The name of the rule.'
+ type: string
+ next_run:
+ description: Date and time of the next run of the rule.
+ nullable: true
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ params:
+ additionalProperties: {}
+ description: The parameters for the rule.
+ type: object
+ revision:
+ description: The rule revision number.
+ type: number
+ rule_type_id:
+ description: The rule type identifier.
+ type: string
+ running:
+ description: Indicates whether the rule is running.
+ nullable: true
+ type: boolean
+ schedule:
+ additionalProperties: false
+ type: object
+ properties:
+ interval:
+ description: The interval is specified in seconds, minutes, hours, or days.
+ type: string
+ required:
+ - interval
+ scheduled_task_id:
+ description: Identifier of the scheduled task.
+ type: string
+ snooze_schedule:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of the rule snooze schedule.
+ type: number
+ id:
+ description: Identifier of the rule snooze schedule.
+ type: string
+ rRule:
+ additionalProperties: false
+ type: object
+ properties:
+ byhour:
+ items:
+ description: Indicates hours of the day to recur.
+ type: number
+ nullable: true
+ type: array
+ byminute:
+ items:
+ description: Indicates minutes of the hour to recur.
+ type: number
+ nullable: true
+ type: array
+ bymonth:
+ items:
+ description: Indicates months of the year that this rule should recur.
+ type: number
+ nullable: true
+ type: array
+ bymonthday:
+ items:
+ description: Indicates the days of the month to recur.
+ type: number
+ nullable: true
+ type: array
+ bysecond:
+ items:
+ description: Indicates seconds of the day to recur.
+ type: number
+ nullable: true
+ type: array
+ bysetpos:
+ items:
+ description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
+ type: number
+ nullable: true
+ type: array
+ byweekday:
+ items:
+ anyOf:
+ - type: string
+ - type: number
+ description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
+ nullable: true
+ type: array
+ byweekno:
+ items:
+ description: Indicates number of the week hours to recur.
+ type: number
+ nullable: true
+ type: array
+ byyearday:
+ items:
+ description: Indicates the days of the year that this rule should recur.
+ type: number
+ nullable: true
+ type: array
+ count:
+ description: Number of times the rule should recur until it stops.
+ type: number
+ dtstart:
+ description: Rule start date in Coordinated Universal Time (UTC).
+ type: string
+ freq:
+ description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ type: integer
+ interval:
+ description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
+ type: number
+ tzid:
+ description: Indicates timezone abbreviation.
+ type: string
+ until:
+ description: Recur the rule until this date.
+ type: string
+ wkst:
+ description: Indicates the start of week, defaults to Monday.
+ enum:
+ - MO
+ - TU
+ - WE
+ - TH
+ - FR
+ - SA
+ - SU
+ type: string
+ required:
+ - dtstart
+ - tzid
+ skipRecurrences:
+ items:
+ description: Skips recurrence of rule on this date.
+ type: string
+ type: array
+ required:
+ - duration
+ - rRule
+ type: array
+ tags:
+ items:
+ description: The tags for the rule.
+ type: string
+ type: array
+ throttle:
+ deprecated: true
+ description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ updated_at:
+ description: The date and time that the rule was updated most recently.
+ type: string
+ updated_by:
+ description: The identifier for the user that updated this rule most recently.
+ nullable: true
+ type: string
+ view_in_app_relative_url:
+ description: Relative URL to view rule in the app.
+ nullable: true
+ type: string
+ required:
+ - id
+ - enabled
+ - name
+ - tags
+ - rule_type_id
+ - consumer
+ - schedule
+ - actions
+ - params
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - api_key_owner
+ - mute_all
+ - muted_alert_ids
+ - execution_status
+ - revision
+ examples:
+ updateRuleResponse:
+ $ref: '#/components/examples/update_rule_response'
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule with the given ID does not exist.
+ '409':
+ description: Indicates that the rule has already been updated by another user.
+ summary: Update a rule
+ tags:
+ - alerting
+ x-beta: true
+ /api/alerting/rule/{id}/_disable:
+ post:
+ operationId: post-alerting-rule-id-disable
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The identifier for the rule.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ untrack:
+ description: Defines whether this rule's alerts should be untracked.
+ type: boolean
+ x-oas-optional: true
+ responses:
+ '204':
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule with the given ID does not exist.
+ summary: Disable a rule
+ tags:
+ - alerting
+ x-beta: true
+ /api/alerting/rule/{id}/_enable:
+ post:
+ operationId: post-alerting-rule-id-enable
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The identifier for the rule.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule with the given ID does not exist.
+ summary: Enable a rule
+ tags:
+ - alerting
+ x-beta: true
+ /api/alerting/rule/{id}/_mute_all:
+ post:
+ operationId: post-alerting-rule-id-mute-all
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The identifier for the rule.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule with the given ID does not exist.
+ summary: Mute all alerts
+ tags:
+ - alerting
+ x-beta: true
+ /api/alerting/rule/{id}/_unmute_all:
+ post:
+ operationId: post-alerting-rule-id-unmute-all
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The identifier for the rule.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule with the given ID does not exist.
+ summary: Unmute all alerts
+ tags:
+ - alerting
+ x-beta: true
+ /api/alerting/rule/{id}/_update_api_key:
+ post:
+ operationId: post-alerting-rule-id-update-api-key
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The identifier for the rule.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule with the given ID does not exist.
+ '409':
+ description: Indicates that the rule has already been updated by another user.
+ summary: Update the API key for a rule
+ tags:
+ - alerting
+ x-beta: true
+ /api/alerting/rule/{rule_id}/alert/{alert_id}/_mute:
+ post:
+ operationId: post-alerting-rule-rule-id-alert-alert-id-mute
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The identifier for the rule.
+ in: path
+ name: rule_id
+ required: true
+ schema:
+ type: string
+ - description: The identifier for the alert.
+ in: path
+ name: alert_id
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule or alert with the given ID does not exist.
+ summary: Mute an alert
+ tags:
+ - alerting
+ x-beta: true
+ /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute:
+ post:
+ operationId: post-alerting-rule-rule-id-alert-alert-id-unmute
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The identifier for the rule.
+ in: path
+ name: rule_id
+ required: true
+ schema:
+ type: string
+ - description: The identifier for the alert.
+ in: path
+ name: alert_id
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ '404':
+ description: Indicates a rule or alert with the given ID does not exist.
+ summary: Unmute an alert
+ tags:
+ - alerting
+ x-beta: true
+ /api/alerting/rules/_find:
+ get:
+ operationId: get-alerting-rules-find
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: The number of rules to return per page.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 10
+ minimum: 0
+ type: number
+ - description: The page number to return.
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ minimum: 1
+ type: number
+ - description: An Elasticsearch simple_query_string query that filters the objects in the response.
+ in: query
+ name: search
+ required: false
+ schema:
+ type: string
+ - description: The default operator to use for the simple_query_string.
+ in: query
+ name: default_search_operator
+ required: false
+ schema:
+ default: OR
+ enum:
+ - OR
+ - AND
+ type: string
+ - description: The fields to perform the simple_query_string parsed query against.
+ in: query
+ name: search_fields
+ required: false
+ schema:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ - description: Determines which field is used to sort the results. The field must exist in the `attributes` key of the response.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ type: string
+ - description: Determines the sort order.
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ - description: Filters the rules that have a relation with the reference objects with a specific type and identifier.
+ in: query
+ name: has_reference
+ required: false
+ schema:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ id:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ - id
+ - in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ description: The fields to return in the `attributes` key of the response.
+ type: string
+ type: array
+ - description: 'A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: "myTitle"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.'
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: filter_consumers
+ required: false
+ schema:
+ items:
+ description: List of consumers to filter.
+ type: string
+ type: array
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actions:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ alerts_filter:
+ additionalProperties: false
+ description: Defines a period that limits whether the action runs.
+ type: object
+ properties:
+ query:
+ additionalProperties: false
+ type: object
+ properties:
+ dsl:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL).
+ type: string
+ filters:
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ $state:
+ additionalProperties: false
+ type: object
+ properties:
+ store:
+ description: A filter can be either specific to an application context or applied globally.
+ enum:
+ - appState
+ - globalState
+ type: string
+ required:
+ - store
+ meta:
+ additionalProperties: {}
+ type: object
+ query:
+ additionalProperties: {}
+ type: object
+ required:
+ - meta
+ type: array
+ kql:
+ description: A filter written in Kibana Query Language (KQL).
+ type: string
+ required:
+ - kql
+ - filters
+ timeframe:
+ additionalProperties: false
+ type: object
+ properties:
+ days:
+ description: Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.
+ items:
+ enum:
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ - 7
+ type: integer
+ type: array
+ hours:
+ additionalProperties: false
+ type: object
+ properties:
+ end:
+ description: The end of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ start:
+ description: The start of the time frame in 24-hour notation (`hh:mm`).
+ type: string
+ required:
+ - start
+ - end
+ timezone:
+ description: The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.
+ type: string
+ required:
+ - days
+ - hours
+ - timezone
+ connector_type_id:
+ description: The type of connector. This property appears in responses but cannot be set in requests.
+ type: string
+ frequency:
+ additionalProperties: false
+ type: object
+ properties:
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ type: string
+ summary:
+ description: Indicates whether the action is a summary.
+ type: boolean
+ throttle:
+ description: 'The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if ''notify_when'' is set to ''onThrottleInterval''. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ required:
+ - summary
+ - notify_when
+ - throttle
+ group:
+ description: The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.
+ type: string
+ id:
+ description: The identifier for the connector saved object.
+ type: string
+ params:
+ additionalProperties: {}
+ description: The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.
+ type: object
+ use_alert_data_for_template:
+ description: Indicates whether to use alert data as a template.
+ type: boolean
+ uuid:
+ description: A universally unique identifier (UUID) for the action.
+ type: string
+ required:
+ - id
+ - connector_type_id
+ - params
+ type: array
+ active_snoozes:
+ items:
+ description: List of active snoozes for the rule.
+ type: string
+ type: array
+ alert_delay:
+ additionalProperties: false
+ description: Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.
+ type: object
+ properties:
+ active:
+ description: The number of consecutive runs that must meet the rule conditions.
+ type: number
+ required:
+ - active
+ api_key_created_by_user:
+ description: Indicates whether the API key that is associated with the rule was created by the user.
+ nullable: true
+ type: boolean
+ api_key_owner:
+ description: The owner of the API key that is associated with the rule and used to run background tasks.
+ nullable: true
+ type: string
+ consumer:
+ description: 'The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.'
+ type: string
+ created_at:
+ description: The date and time that the rule was created.
+ type: string
+ created_by:
+ description: The identifier for the user that created the rule.
+ nullable: true
+ type: string
+ enabled:
+ description: Indicates whether you want to run the rule on an interval basis after it is created.
+ type: boolean
+ execution_status:
+ additionalProperties: false
+ type: object
+ properties:
+ error:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: Error message.
+ type: string
+ reason:
+ description: Reason for error.
+ enum:
+ - read
+ - decrypt
+ - execute
+ - unknown
+ - license
+ - timeout
+ - disabled
+ - validate
+ type: string
+ required:
+ - reason
+ - message
+ last_duration:
+ description: Duration of last execution of the rule.
+ type: number
+ last_execution_date:
+ description: The date and time when rule was executed last.
+ type: string
+ status:
+ description: Status of rule execution.
+ enum:
+ - ok
+ - active
+ - error
+ - warning
+ - pending
+ - unknown
+ type: string
+ warning:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: Warning message.
+ type: string
+ reason:
+ description: Reason for warning.
+ enum:
+ - maxExecutableActions
+ - maxAlerts
+ - maxQueuedActions
+ - ruleExecution
+ type: string
+ required:
+ - reason
+ - message
+ required:
+ - status
+ - last_execution_date
+ flapping:
+ additionalProperties: false
+ description: When flapping detection is turned on, alerts that switch quickly between active and recovered states are identified as “flapping” and notifications are reduced.
+ nullable: true
+ type: object
+ properties:
+ look_back_window:
+ description: The minimum number of runs in which the threshold must be met.
+ maximum: 20
+ minimum: 2
+ type: number
+ status_change_threshold:
+ description: The minimum number of times an alert must switch states in the look back window.
+ maximum: 20
+ minimum: 2
+ type: number
+ required:
+ - look_back_window
+ - status_change_threshold
+ id:
+ description: The identifier for the rule.
+ type: string
+ is_snoozed_until:
+ description: The date when the rule will no longer be snoozed.
+ nullable: true
+ type: string
+ last_run:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ alerts_count:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ description: Number of active alerts during last run.
+ nullable: true
+ type: number
+ ignored:
+ description: Number of ignored alerts during last run.
+ nullable: true
+ type: number
+ new:
+ description: Number of new alerts during last run.
+ nullable: true
+ type: number
+ recovered:
+ description: Number of recovered alerts during last run.
+ nullable: true
+ type: number
+ outcome:
+ description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ enum:
+ - succeeded
+ - warning
+ - failed
+ type: string
+ outcome_msg:
+ items:
+ description: Outcome message generated during last rule run.
+ type: string
+ nullable: true
+ type: array
+ outcome_order:
+ description: Order of the outcome.
+ type: number
+ warning:
+ description: Warning of last rule execution.
+ enum:
+ - read
+ - decrypt
+ - execute
+ - unknown
+ - license
+ - timeout
+ - disabled
+ - validate
+ - maxExecutableActions
+ - maxAlerts
+ - maxQueuedActions
+ - ruleExecution
+ nullable: true
+ type: string
+ required:
+ - outcome
+ - alerts_count
+ mapped_params:
+ additionalProperties: {}
+ type: object
+ monitoring:
+ additionalProperties: false
+ description: Monitoring details of the rule.
+ type: object
+ properties:
+ run:
+ additionalProperties: false
+ description: Rule run details.
+ type: object
+ properties:
+ calculated_metrics:
+ additionalProperties: false
+ description: Calculation of different percentiles and success ratio.
+ type: object
+ properties:
+ p50:
+ type: number
+ p95:
+ type: number
+ p99:
+ type: number
+ success_ratio:
+ type: number
+ required:
+ - success_ratio
+ history:
+ description: History of the rule run.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of the rule run.
+ type: number
+ outcome:
+ description: Outcome of last run of the rule. Value could be succeeded, warning or failed.
+ enum:
+ - succeeded
+ - warning
+ - failed
+ type: string
+ success:
+ description: Indicates whether the rule run was successful.
+ type: boolean
+ timestamp:
+ description: Time of rule run.
+ type: number
+ required:
+ - success
+ - timestamp
+ type: array
+ last_run:
+ additionalProperties: false
+ type: object
+ properties:
+ metrics:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of most recent rule run.
+ type: number
+ gap_duration_s:
+ description: Duration in seconds of rule run gap.
+ nullable: true
+ type: number
+ total_alerts_created:
+ description: Total number of alerts created during last rule run.
+ nullable: true
+ type: number
+ total_alerts_detected:
+ description: Total number of alerts detected during last rule run.
+ nullable: true
+ type: number
+ total_indexing_duration_ms:
+ description: Total time spent indexing documents during last rule run in milliseconds.
+ nullable: true
+ type: number
+ total_search_duration_ms:
+ description: Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.
+ nullable: true
+ type: number
+ timestamp:
+ description: Time of the most recent rule run.
+ type: string
+ required:
+ - timestamp
+ - metrics
+ required:
+ - history
+ - calculated_metrics
+ - last_run
+ required:
+ - run
+ mute_all:
+ description: Indicates whether all alerts are muted.
+ type: boolean
+ muted_alert_ids:
+ items:
+ description: 'List of identifiers of muted alerts. '
+ type: string
+ type: array
+ name:
+ description: ' The name of the rule.'
+ type: string
+ next_run:
+ description: Date and time of the next run of the rule.
+ nullable: true
+ type: string
+ notify_when:
+ description: 'Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ enum:
+ - onActionGroupChange
+ - onActiveAlert
+ - onThrottleInterval
+ nullable: true
+ type: string
+ params:
+ additionalProperties: {}
+ description: The parameters for the rule.
+ type: object
+ revision:
+ description: The rule revision number.
+ type: number
+ rule_type_id:
+ description: The rule type identifier.
+ type: string
+ running:
+ description: Indicates whether the rule is running.
+ nullable: true
+ type: boolean
+ schedule:
+ additionalProperties: false
+ type: object
+ properties:
+ interval:
+ description: The interval is specified in seconds, minutes, hours, or days.
+ type: string
+ required:
+ - interval
+ scheduled_task_id:
+ description: Identifier of the scheduled task.
+ type: string
+ snooze_schedule:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ duration:
+ description: Duration of the rule snooze schedule.
+ type: number
+ id:
+ description: Identifier of the rule snooze schedule.
+ type: string
+ rRule:
+ additionalProperties: false
+ type: object
+ properties:
+ byhour:
+ items:
+ description: Indicates hours of the day to recur.
+ type: number
+ nullable: true
+ type: array
+ byminute:
+ items:
+ description: Indicates minutes of the hour to recur.
+ type: number
+ nullable: true
+ type: array
+ bymonth:
+ items:
+ description: Indicates months of the year that this rule should recur.
+ type: number
+ nullable: true
+ type: array
+ bymonthday:
+ items:
+ description: Indicates the days of the month to recur.
+ type: number
+ nullable: true
+ type: array
+ bysecond:
+ items:
+ description: Indicates seconds of the day to recur.
+ type: number
+ nullable: true
+ type: array
+ bysetpos:
+ items:
+ description: A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.
+ type: number
+ nullable: true
+ type: array
+ byweekday:
+ items:
+ anyOf:
+ - type: string
+ - type: number
+ description: Indicates the days of the week to recur or else nth-day-of-month strings. For example, "+2TU" second Tuesday of month, "-1FR" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination.
+ nullable: true
+ type: array
+ byweekno:
+ items:
+ description: Indicates number of the week hours to recur.
+ type: number
+ nullable: true
+ type: array
+ byyearday:
+ items:
+ description: Indicates the days of the year that this rule should recur.
+ type: number
+ nullable: true
+ type: array
+ count:
+ description: Number of times the rule should recur until it stops.
+ type: number
+ dtstart:
+ description: Rule start date in Coordinated Universal Time (UTC).
+ type: string
+ freq:
+ description: Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.
+ enum:
+ - 0
+ - 1
+ - 2
+ - 3
+ - 4
+ - 5
+ - 6
+ type: integer
+ interval:
+ description: Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.
+ type: number
+ tzid:
+ description: Indicates timezone abbreviation.
+ type: string
+ until:
+ description: Recur the rule until this date.
+ type: string
+ wkst:
+ description: Indicates the start of week, defaults to Monday.
+ enum:
+ - MO
+ - TU
+ - WE
+ - TH
+ - FR
+ - SA
+ - SU
+ type: string
+ required:
+ - dtstart
+ - tzid
+ skipRecurrences:
+ items:
+ description: Skips recurrence of rule on this date.
+ type: string
+ type: array
+ required:
+ - duration
+ - rRule
+ type: array
+ tags:
+ items:
+ description: The tags for the rule.
+ type: string
+ type: array
+ throttle:
+ deprecated: true
+ description: 'Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.'
+ nullable: true
+ type: string
+ updated_at:
+ description: The date and time that the rule was updated most recently.
+ type: string
+ updated_by:
+ description: The identifier for the user that updated this rule most recently.
+ nullable: true
+ type: string
+ view_in_app_relative_url:
+ description: Relative URL to view rule in the app.
+ nullable: true
+ type: string
+ required:
+ - id
+ - enabled
+ - name
+ - tags
+ - rule_type_id
+ - consumer
+ - schedule
+ - actions
+ - params
+ - created_by
+ - updated_by
+ - created_at
+ - updated_at
+ - api_key_owner
+ - mute_all
+ - muted_alert_ids
+ - execution_status
+ - revision
+ examples:
+ findRulesResponse:
+ $ref: '#/components/examples/find_rules_response'
+ findConditionalActionRulesResponse:
+ $ref: '#/components/examples/find_rules_response_conditional_action'
+ description: Indicates a successful call.
+ '400':
+ description: Indicates an invalid schema or parameters.
+ '403':
+ description: Indicates that this call is forbidden.
+ summary: Get information about rules
+ tags:
+ - alerting
+ x-beta: true
+ /api/apm/agent_keys:
+ post:
+ description: Create a new agent key for APM.
+ operationId: createAgentKey
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_agent_keys_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_agent_keys_response'
+ description: Agent key created successfully
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_403_response'
+ description: Forbidden response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_500_response'
+ description: Internal Server Error response
+ summary: Create an APM agent key
+ tags:
+ - APM agent keys
+ x-beta: true
+ /api/apm/fleet/apm_server_schema:
+ post:
+ operationId: saveApmServerSchema
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ schema:
+ additionalProperties: true
+ description: Schema object
+ example:
+ foo: bar
+ type: object
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_403_response'
+ description: Forbidden response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_404_response'
+ description: Not found response
+ summary: Save APM server schema
+ tags:
+ - APM server schema
+ x-beta: true
+ /api/apm/services/{serviceName}/annotation:
+ post:
+ description: Create a new annotation for a specific service.
+ operationId: createAnnotation
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
+ - description: The name of the service
+ in: path
+ name: serviceName
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_create_annotation_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_create_annotation_response'
+ description: Annotation created successfully
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_403_response'
+ description: Forbidden response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_404_response'
+ description: Not found response
+ summary: Create a service annotation
+ tags:
+ - APM annotations
+ x-beta: true
+ /api/apm/services/{serviceName}/annotation/search:
+ get:
+ description: Search for annotations related to a specific service.
+ operationId: getAnnotation
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - description: The name of the service
+ in: path
+ name: serviceName
+ required: true
+ schema:
+ type: string
+ - description: The environment to filter annotations by
+ in: query
+ name: environment
+ required: false
+ schema:
+ type: string
+ - description: The start date for the search
+ in: query
+ name: start
+ required: false
+ schema:
+ type: string
+ - description: The end date for the search
+ in: query
+ name: end
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_annotation_search_response'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_500_response'
+ description: Internal Server Error response
+ summary: Search for annotations
+ tags:
+ - APM annotations
+ x-beta: true
+ /api/apm/settings/agent-configuration:
+ delete:
+ operationId: deleteAgentConfiguration
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_service_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_delete_agent_configurations_response'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_403_response'
+ description: Forbidden response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_404_response'
+ description: Not found response
+ summary: Delete agent configuration
+ tags:
+ - APM agent configuration
+ x-beta: true
+ get:
+ operationId: getAgentConfigurations
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_agent_configurations_response'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_404_response'
+ description: Not found response
+ summary: Get a list of agent configurations
+ tags:
+ - APM agent configuration
+ x-beta: true
+ put:
+ operationId: createUpdateAgentConfiguration
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
+ - description: If the config exists ?overwrite=true is required
+ in: query
+ name: overwrite
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_agent_configuration_intake_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_403_response'
+ description: Forbidden response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_404_response'
+ description: Not found response
+ summary: Create or update agent configuration
+ tags:
+ - APM agent configuration
+ x-beta: true
+ /api/apm/settings/agent-configuration/agent_name:
+ get:
+ description: Retrieve `agentName` for a service.
+ operationId: getAgentNameForService
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - description: The name of the service
+ example: node
+ in: query
+ name: serviceName
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_service_agent_name_response'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_404_response'
+ description: Not found response
+ summary: Get agent name for service
+ tags:
+ - APM agent configuration
+ x-beta: true
+ /api/apm/settings/agent-configuration/environments:
+ get:
+ operationId: getEnvironmentsForService
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - description: The name of the service
+ in: query
+ name: serviceName
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_service_environments_response'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_404_response'
+ description: Not found response
+ summary: Get environments for service
+ tags:
+ - APM agent configuration
+ x-beta: true
+ /api/apm/settings/agent-configuration/search:
+ post:
+ description: |
+ This endpoint allows to search for single agent configuration and update 'applied_by_agent' field.
+ operationId: searchSingleConfiguration
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_search_agent_configuration_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_search_agent_configuration_response'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_404_response'
+ description: Not found response
+ summary: Lookup single agent configuration
+ tags:
+ - APM agent configuration
+ x-beta: true
+ /api/apm/settings/agent-configuration/view:
+ get:
+ operationId: getSingleAgentConfiguration
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - description: Service name
+ example: node
+ in: query
+ name: name
+ schema:
+ type: string
+ - description: Service environment
+ example: prod
+ in: query
+ name: environment
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_single_agent_configuration_response'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_404_response'
+ description: Not found response
+ summary: Get single agent configuration
+ tags:
+ - APM agent configuration
+ x-beta: true
+ /api/apm/sourcemaps:
+ get:
+ description: Returns an array of Fleet artifacts, including source map uploads.
+ operationId: getSourceMaps
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - description: Page number
+ in: query
+ name: page
+ schema:
+ type: number
+ - description: Number of records per page
+ in: query
+ name: perPage
+ schema:
+ type: number
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_source_maps_response'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_500_response'
+ description: Internal Server Error response
+ '501':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_501_response'
+ description: Not Implemented response
+ summary: Get source maps
+ tags:
+ - APM sourcemaps
+ x-beta: true
+ post:
+ description: Upload a source map for a specific service and version.
+ operationId: uploadSourceMap
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
+ requestBody:
+ content:
+ multipart/form-data; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_upload_source_map_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_upload_source_maps_response'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_403_response'
+ description: Forbidden response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_500_response'
+ description: Internal Server Error response
+ '501':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_501_response'
+ description: Not Implemented response
+ summary: Upload source map
+ tags:
+ - APM sourcemaps
+ x-beta: true
+ /api/apm/sourcemaps/{id}:
+ delete:
+ description: Delete a previously uploaded source map.
+ operationId: deleteSourceMap
+ parameters:
+ - $ref: '#/components/parameters/APM_UI_elastic_api_version'
+ - $ref: '#/components/parameters/APM_UI_kbn_xsrf'
+ - description: Source map identifier
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_400_response'
+ description: Bad Request response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_403_response'
+ description: Forbidden response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_500_response'
+ description: Internal Server Error response
+ '501':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/APM_UI_501_response'
+ description: Not Implemented response
+ summary: Delete source map
+ tags:
+ - APM sourcemaps
+ x-beta: true
+ /api/asset_criticality:
+ delete:
+ description: Delete the asset criticality record for a specific entity.
+ operationId: DeleteAssetCriticalityRecord
+ parameters:
+ - description: The ID value of the asset.
+ in: query
+ name: id_value
+ required: true
+ schema:
+ type: string
+ - description: The field representing the ID.
+ example: host.name
+ in: query
+ name: id_field
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField'
+ - description: If 'wait_for' the request will wait for the index refresh.
+ in: query
+ name: refresh
+ required: false
+ schema:
+ enum:
+ - wait_for
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ deleted:
+ description: True if the record was deleted or false if the record did not exist.
+ type: boolean
+ record:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
+ description: The deleted record if it existed.
+ required:
+ - deleted
+ description: Successful response
+ '400':
+ description: Invalid request
+ summary: Delete an asset criticality record
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ get:
+ description: Get the asset criticality record for a specific entity.
+ operationId: GetAssetCriticalityRecord
+ parameters:
+ - description: The ID value of the asset.
+ in: query
+ name: id_value
+ required: true
+ schema:
+ type: string
+ - description: The field representing the ID.
+ example: host.name
+ in: query
+ name: id_field
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
+ description: Successful response
+ '400':
+ description: Invalid request
+ '404':
+ description: Criticality record not found
+ summary: Get an asset criticality record
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ post:
+ description: |
+ Create or update an asset criticality record for a specific entity.
+
+ If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.
+ operationId: CreateAssetCriticalityRecord
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ allOf:
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
+ - type: object
+ properties:
+ refresh:
+ description: If 'wait_for' the request will wait for the index refresh.
+ enum:
+ - wait_for
+ type: string
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
+ description: Successful response
+ '400':
+ description: Invalid request
+ summary: Upsert an asset criticality record
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/asset_criticality/bulk:
+ post:
+ description: |
+ Bulk upsert up to 1000 asset criticality records.
+
+ If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created.
+ operationId: BulkUpsertAssetCriticalityRecords
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ example:
+ records:
+ - criticality_level: low_impact
+ id_field: host.name
+ id_value: host-1
+ - criticality_level: medium_impact
+ id_field: host.name
+ id_value: host-2
+ type: object
+ properties:
+ records:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
+ maxItems: 1000
+ minItems: 1
+ type: array
+ required:
+ - records
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ example:
+ errors:
+ - index: 0
+ message: Invalid ID field
+ stats:
+ failed: 1
+ successful: 1
+ total: 2
+ type: object
+ properties:
+ errors:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem'
+ type: array
+ stats:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats'
+ required:
+ - errors
+ - stats
+ description: Bulk upload successful
+ '413':
+ description: File too large
+ summary: Bulk upsert asset criticality records
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/asset_criticality/list:
+ get:
+ description: List asset criticality records, paging, sorting and filtering as needed.
+ operationId: FindAssetCriticalityRecords
+ parameters:
+ - description: The field to sort by.
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ enum:
+ - id_value
+ - id_field
+ - criticality_level
+ - \@timestamp
+ type: string
+ - description: The order to sort by.
+ in: query
+ name: sort_direction
+ required: false
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ - description: The page number to return.
+ in: query
+ name: page
+ required: false
+ schema:
+ minimum: 1
+ type: integer
+ - description: The number of records to return per page.
+ in: query
+ name: per_page
+ required: false
+ schema:
+ maximum: 1000
+ minimum: 1
+ type: integer
+ - description: The kuery to filter by.
+ in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ page:
+ minimum: 1
+ type: integer
+ per_page:
+ maximum: 1000
+ minimum: 1
+ type: integer
+ records:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord'
+ type: array
+ total:
+ minimum: 0
+ type: integer
+ required:
+ - records
+ - page
+ - per_page
+ - total
+ description: Bulk upload successful
+ summary: List asset criticality records
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/data_views:
+ get:
+ operationId: getAllDataViewsDefault
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ getAllDataViewsResponse:
+ $ref: '#/components/examples/Data_views_get_data_views_response'
+ schema:
+ type: object
+ properties:
+ data_view:
+ items:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ title:
+ type: string
+ typeMeta:
+ type: object
+ type: array
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Get all data views
+ tags:
+ - data views
+ x-beta: true
+ /api/data_views/data_view:
+ post:
+ operationId: createDataViewDefaultw
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ createDataViewRequest:
+ $ref: '#/components/examples/Data_views_create_data_view_request'
+ schema:
+ $ref: '#/components/schemas/Data_views_create_data_view_request_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_data_view_response_object'
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Create a data view
+ tags:
+ - data views
+ x-beta: true
+ /api/data_views/data_view/{viewId}:
+ delete:
+ description: |
+ WARNING: When you delete a data view, it cannot be recovered.
+ operationId: deleteDataViewDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ - $ref: '#/components/parameters/Data_views_view_id'
+ responses:
+ '204':
+ description: Indicates a successful call.
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_404_response'
+ description: Object is not found.
+ summary: Delete a data view
+ tags:
+ - data views
+ x-beta: true
+ get:
+ operationId: getDataViewDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_view_id'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ getDataViewResponse:
+ $ref: '#/components/examples/Data_views_get_data_view_response'
+ schema:
+ $ref: '#/components/schemas/Data_views_data_view_response_object'
+ description: Indicates a successful call.
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_404_response'
+ description: Object is not found.
+ summary: Get a data view
+ tags:
+ - data views
+ x-beta: true
+ post:
+ operationId: updateDataViewDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ - $ref: '#/components/parameters/Data_views_view_id'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ updateDataViewRequest:
+ $ref: '#/components/examples/Data_views_update_data_view_request'
+ schema:
+ $ref: '#/components/schemas/Data_views_update_data_view_request_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_data_view_response_object'
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Update a data view
+ tags:
+ - data views
+ x-beta: true
+ /api/data_views/data_view/{viewId}/fields:
+ post:
+ description: |
+ Update fields presentation metadata such as count, customLabel, customDescription, and format.
+ operationId: updateFieldsMetadataDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ - $ref: '#/components/parameters/Data_views_view_id'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ updateFieldsMetadataRequest:
+ $ref: '#/components/examples/Data_views_update_field_metadata_request'
+ schema:
+ type: object
+ properties:
+ fields:
+ description: The field object.
+ type: object
+ required:
+ - fields
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ acknowledged:
+ type: boolean
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Update data view fields metadata
+ tags:
+ - data views
+ x-beta: true
+ /api/data_views/data_view/{viewId}/runtime_field:
+ post:
+ operationId: createRuntimeFieldDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ - $ref: '#/components/parameters/Data_views_view_id'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ createRuntimeFieldRequest:
+ $ref: '#/components/examples/Data_views_create_runtime_field_request'
+ schema:
+ type: object
+ properties:
+ name:
+ description: |
+ The name for a runtime field.
+ type: string
+ runtimeField:
+ description: |
+ The runtime field definition object.
+ type: object
+ required:
+ - name
+ - runtimeField
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ description: Indicates a successful call.
+ summary: Create a runtime field
+ tags:
+ - data views
+ x-beta: true
+ put:
+ operationId: createUpdateRuntimeFieldDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ - description: |
+ The ID of the data view fields you want to update.
+ in: path
+ name: viewId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ updateRuntimeFieldRequest:
+ $ref: '#/components/examples/Data_views_create_runtime_field_request'
+ schema:
+ type: object
+ properties:
+ name:
+ description: |
+ The name for a runtime field.
+ type: string
+ runtimeField:
+ description: |
+ The runtime field definition object.
+ type: object
+ required:
+ - name
+ - runtimeField
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ data_view:
+ type: object
+ fields:
+ items:
+ type: object
+ type: array
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Create or update a runtime field
+ tags:
+ - data views
+ x-beta: true
+ /api/data_views/data_view/{viewId}/runtime_field/{fieldName}:
+ delete:
+ operationId: deleteRuntimeFieldDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_field_name'
+ - $ref: '#/components/parameters/Data_views_view_id'
+ responses:
+ '200':
+ description: Indicates a successful call.
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_404_response'
+ description: Object is not found.
+ summary: Delete a runtime field from a data view
+ tags:
+ - data views
+ x-beta: true
+ get:
+ operationId: getRuntimeFieldDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_field_name'
+ - $ref: '#/components/parameters/Data_views_view_id'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ getRuntimeFieldResponse:
+ $ref: '#/components/examples/Data_views_get_runtime_field_response'
+ schema:
+ type: object
+ properties:
+ data_view:
+ type: object
+ fields:
+ items:
+ type: object
+ type: array
+ description: Indicates a successful call.
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_404_response'
+ description: Object is not found.
+ summary: Get a runtime field
+ tags:
+ - data views
+ x-beta: true
+ post:
+ operationId: updateRuntimeFieldDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_field_name'
+ - $ref: '#/components/parameters/Data_views_view_id'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ updateRuntimeFieldRequest:
+ $ref: '#/components/examples/Data_views_update_runtime_field_request'
+ schema:
+ type: object
+ properties:
+ runtimeField:
+ description: |
+ The runtime field definition object.
+
+ You can update following fields:
+
+ - `type`
+ - `script`
+ type: object
+ required:
+ - runtimeField
+ required: true
+ responses:
+ '200':
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Update a runtime field
+ tags:
+ - data views
+ x-beta: true
+ /api/data_views/default:
+ get:
+ operationId: getDefaultDataViewDefault
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ getDefaultDataViewResponse:
+ $ref: '#/components/examples/Data_views_get_default_data_view_response'
+ schema:
+ type: object
+ properties:
+ data_view_id:
+ type: string
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Get the default data view
+ tags:
+ - data views
+ x-beta: true
+ post:
+ operationId: setDefaultDatailViewDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ setDefaultDataViewRequest:
+ $ref: '#/components/examples/Data_views_set_default_data_view_request'
+ schema:
+ type: object
+ properties:
+ data_view_id:
+ description: |
+ The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use `null` to unset the default data view.
+ nullable: true
+ type: string
+ force:
+ default: false
+ description: Update an existing default data view identifier.
+ type: boolean
+ required:
+ - data_view_id
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ acknowledged:
+ type: boolean
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Data_views_400_response'
+ description: Bad request
+ summary: Set the default data view
+ tags:
+ - data views
+ x-beta: true
+ /api/data_views/swap_references:
+ post:
+ description: |
+ Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended.
+ operationId: swapDataViewsDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ swapDataViewRequest:
+ $ref: '#/components/examples/Data_views_swap_data_view_request'
+ schema:
+ $ref: '#/components/schemas/Data_views_swap_data_view_request_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ deleteStatus:
+ type: object
+ properties:
+ deletePerformed:
+ type: boolean
+ remainingRefs:
+ type: integer
+ result:
+ items:
+ type: object
+ properties:
+ id:
+ description: A saved object identifier.
+ type: string
+ type:
+ description: The saved object type.
+ type: string
+ type: array
+ description: Indicates a successful call.
+ summary: Swap saved object references
+ tags:
+ - data views
+ x-beta: true
+ /api/data_views/swap_references/_preview:
+ post:
+ description: |
+ Preview the impact of swapping saved object references from one data view identifier to another.
+ operationId: previewSwapDataViewsDefault
+ parameters:
+ - $ref: '#/components/parameters/Data_views_kbn_xsrf'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ previewSwapDataViewRequest:
+ $ref: '#/components/examples/Data_views_preview_swap_data_view_request'
+ schema:
+ $ref: '#/components/schemas/Data_views_swap_data_view_request_object'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ result:
+ items:
+ type: object
+ properties:
+ id:
+ description: A saved object identifier.
+ type: string
+ type:
+ description: The saved object type.
+ type: string
+ type: array
+ description: Indicates a successful call.
+ summary: Preview a saved object reference swap
+ tags:
+ - data views
+ x-beta: true
+ /api/detection_engine/privileges:
+ get:
+ description: |
+ Retrieves whether or not the user is authenticated, and the user's Kibana
+ space and index privileges, which determine if the user can create an
+ index for the Elastic Security alerts generated by
+ detection engine rules.
+ operationId: ReadPrivileges
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ has_encryption_key:
+ type: boolean
+ is_authenticated:
+ type: boolean
+ required:
+ - is_authenticated
+ - has_encryption_key
+ description: Successful response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Returns user privileges for the Kibana space
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/rules:
+ delete:
+ description: Delete a detection rule using the `rule_id` or `id` field.
+ operationId: DeleteRule
+ parameters:
+ - description: The rule's `id` value.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ - description: The rule's `rule_id` value.
+ in: query
+ name: rule_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Delete a detection rule
+ tags:
+ - Security Detections API
+ x-beta: true
+ get:
+ description: Retrieve a detection rule using the `rule_id` or `id` field.
+ operationId: ReadRule
+ parameters:
+ - description: The rule's `id` value.
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ - description: The rule's `rule_id` value.
+ in: query
+ name: rule_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Retrieve a detection rule
+ tags:
+ - Security Detections API
+ x-beta: true
+ patch:
+ description: Update specific fields of an existing detection rule using the `rule_id` or `id` field.
+ operationId: PatchRule
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RulePatchProps'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Patch a detection rule
+ tags:
+ - Security Detections API
+ x-beta: true
+ post:
+ description: Create a new detection rule.
+ operationId: CreateRule
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Create a detection rule
+ tags:
+ - Security Detections API
+ x-beta: true
+ put:
+ description: |
+ Update a detection rule using the `rule_id` or `id` field. The original rule is replaced, and all unspecified fields are deleted.
+ > info
+ > You cannot modify the `id` or `rule_id` values.
+ operationId: UpdateRule
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ description: Indicates a successful call.
+ summary: Update a detection rule
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/rules/_bulk_action:
+ post:
+ description: Apply a bulk action, such as bulk edit, duplicate, or delete, to multiple detection rules. The bulk action is applied to all rules that match the query or to the rules listed by their IDs.
+ operationId: PerformRulesBulkAction
+ parameters:
+ - description: Enables dry run mode for the request call.
+ in: query
+ name: dry_run
+ required: false
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkDisableRules'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkDuplicateRules'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkManualRuleRun'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResponse'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkExportActionResponse'
+ description: OK
+ summary: Apply a bulk action to detection rules
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/rules/_export:
+ post:
+ description: |
+ Export detection rules to an `.ndjson` file. The following configuration items are also included in the `.ndjson` file:
+ - Actions
+ - Exception lists
+ > info
+ > You cannot export prebuilt rules.
+ operationId: ExportRules
+ parameters:
+ - description: Determines whether a summary of the exported rules is returned.
+ in: query
+ name: exclude_export_details
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - description: File name for saving the exported rules.
+ in: query
+ name: file_name
+ required: false
+ schema:
+ default: export.ndjson
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ nullable: true
+ type: object
+ properties:
+ objects:
+ description: Array of `rule_id` fields. Exports all rules when unspecified.
+ items:
+ type: object
+ properties:
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ required:
+ - rule_id
+ type: array
+ required:
+ - objects
+ required: false
+ responses:
+ '200':
+ content:
+ application/ndjson; Elastic-Api-Version=2023-10-31:
+ schema:
+ description: An `.ndjson` file containing the returned rules.
+ format: binary
+ type: string
+ description: Indicates a successful call.
+ summary: Export detection rules
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/rules/_find:
+ get:
+ description: Retrieve a paginated list of detection rules. By default, the first page is returned, with 20 results per page.
+ operationId: FindRules
+ parameters:
+ - in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Search query
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - description: Field to sort by
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField'
+ - description: Sort order
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_SortOrder'
+ - description: Page number
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ minimum: 1
+ type: integer
+ - description: Rules per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 20
+ minimum: 0
+ type: integer
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ data:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ type: array
+ page:
+ type: integer
+ perPage:
+ type: integer
+ total:
+ type: integer
+ required:
+ - page
+ - perPage
+ - total
+ - data
+ description: Successful response
+ summary: List all detection rules
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/rules/_import:
+ post:
+ description: |
+ Import detection rules from an `.ndjson` file, including actions and exception lists. The request must include:
+ - The `Content-Type: multipart/form-data` HTTP header.
+ - A link to the `.ndjson` file containing the rules.
+ operationId: ImportRules
+ parameters:
+ - description: Determines whether existing rules with the same `rule_id` are overwritten.
+ in: query
+ name: overwrite
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - description: Determines whether existing exception lists with the same `list_id` are overwritten.
+ in: query
+ name: overwrite_exceptions
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - description: Determines whether existing actions with the same `kibana.alert.rule.actions.id` are overwritten.
+ in: query
+ name: overwrite_action_connectors
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - description: Generates a new list ID for each imported exception list.
+ in: query
+ name: as_new_list
+ required: false
+ schema:
+ default: false
+ type: boolean
+ requestBody:
+ content:
+ multipart/form-data; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ file:
+ description: The `.ndjson` file containing the rules.
+ format: binary
+ type: string
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ action_connectors_errors:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ErrorSchema'
+ type: array
+ action_connectors_success:
+ type: boolean
+ action_connectors_success_count:
+ minimum: 0
+ type: integer
+ action_connectors_warnings:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_WarningSchema'
+ type: array
+ errors:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ErrorSchema'
+ type: array
+ exceptions_errors:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ErrorSchema'
+ type: array
+ exceptions_success:
+ type: boolean
+ exceptions_success_count:
+ minimum: 0
+ type: integer
+ rules_count:
+ minimum: 0
+ type: integer
+ success:
+ type: boolean
+ success_count:
+ minimum: 0
+ type: integer
+ required:
+ - exceptions_success
+ - exceptions_success_count
+ - exceptions_errors
+ - rules_count
+ - success
+ - success_count
+ - errors
+ - action_connectors_errors
+ - action_connectors_warnings
+ - action_connectors_success
+ - action_connectors_success_count
+ description: Indicates a successful call.
+ summary: Import detection rules
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/rules/{id}/exceptions:
+ post:
+ description: Create exception items that apply to a single detection rule.
+ operationId: CreateRuleExceptionListItems
+ parameters:
+ - description: Detection rule's identifier
+ in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_RuleId'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ items:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps'
+ type: array
+ required:
+ - items
+ description: Rule exception list items
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
+ type: array
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create rule exception list items
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ /api/detection_engine/rules/preview:
+ post:
+ operationId: RulePreview
+ parameters:
+ - description: Enables logging and returning in response ES queries, performed during rule execution
+ in: query
+ name: enable_logged_requests
+ required: false
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ anyOf:
+ - allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ - allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_RulePreviewParams'
+ discriminator:
+ propertyName: type
+ description: An object containing tags to add or remove and alert ids the changes will be applied
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ isAborted:
+ type: boolean
+ logs:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RulePreviewLogs'
+ type: array
+ previewId:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ required:
+ - logs
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Preview rule alerts generated on specified time range
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/signals/assignees:
+ post:
+ description: |
+ Assign users to detection alerts, and unassign them from alerts.
+ > info
+ > You cannot add and remove the same assignee in the same request.
+ operationId: SetAlertAssignees
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ assignees:
+ $ref: '#/components/schemas/Security_Detections_API_AlertAssignees'
+ description: Details about the assignees to assign and unassign.
+ ids:
+ $ref: '#/components/schemas/Security_Detections_API_AlertIds'
+ description: List of alerts ids to assign and unassign passed assignees.
+ required:
+ - assignees
+ - ids
+ required: true
+ responses:
+ '200':
+ description: Indicates a successful call.
+ '400':
+ description: Invalid request.
+ summary: Assign and unassign users from detection alerts
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/signals/search:
+ post:
+ description: Find and/or aggregate detection alerts that match the given query.
+ operationId: SearchAlerts
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ description: Elasticsearch query and aggregation request
+ type: object
+ properties:
+ _source:
+ oneOf:
+ - type: boolean
+ - type: string
+ - items:
+ type: string
+ type: array
+ aggs:
+ additionalProperties: true
+ type: object
+ fields:
+ items:
+ type: string
+ type: array
+ query:
+ additionalProperties: true
+ type: object
+ runtime_mappings:
+ additionalProperties: true
+ type: object
+ size:
+ minimum: 0
+ type: integer
+ sort:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsSort'
+ track_total_hits:
+ type: boolean
+ description: Search and/or aggregation query
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: true
+ description: Elasticsearch search response
+ type: object
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Find and/or aggregate detection alerts
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/signals/status:
+ post:
+ description: Set the status of one or more detection alerts.
+ operationId: SetAlertsStatus
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByIds'
+ - $ref: '#/components/schemas/Security_Detections_API_SetAlertsStatusByQuery'
+ description: An object containing desired status and explicit alert ids or a query to select alerts
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: true
+ description: Elasticsearch update by query response
+ type: object
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Set a detection alert status
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/signals/tags:
+ post:
+ description: |
+ And tags to detection alerts, and remove them from alerts.
+ > info
+ > You cannot add and remove the same alert tag in the same request.
+ operationId: SetAlertTags
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ ids:
+ $ref: '#/components/schemas/Security_Detections_API_AlertIds'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_SetAlertTags'
+ required:
+ - ids
+ - tags
+ description: An object containing tags to add or remove and alert ids the changes will be applied
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: true
+ description: Elasticsearch update by query response
+ type: object
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Add and remove detection alert tags
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/detection_engine/tags:
+ get:
+ description: List all unique tags from all detection rules.
+ operationId: ReadTags
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ description: Indicates a successful call
+ summary: List all detection rule tags
+ tags:
+ - Security Detections API
+ x-beta: true
+ /api/endpoint_list:
+ post:
+ description: Create an endpoint exception list, which groups endpoint exception list items. If an endpoint exception list already exists, an empty response is returned.
+ operationId: CreateEndpointList
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointList'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Insufficient privileges
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Internal server error
+ summary: Create an endpoint exception list
+ tags:
+ - Security Endpoint Exceptions API
+ x-beta: true
+ /api/endpoint_list/items:
+ delete:
+ description: Delete an endpoint exception list item using the `id` or `item_id` field.
+ operationId: DeleteEndpointListItem
+ parameters:
+ - description: Either `id` or `item_id` must be specified
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
+ - description: Either `id` or `item_id` must be specified
+ in: query
+ name: item_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Insufficient privileges
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Endpoint list item not found
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Internal server error
+ summary: Delete an endpoint exception list item
+ tags:
+ - Security Endpoint Exceptions API
+ x-beta: true
+ get:
+ description: Get the details of an endpoint exception list item using the `id` or `item_id` field.
+ operationId: ReadEndpointListItem
+ parameters:
+ - description: Either `id` or `item_id` must be specified
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
+ - description: Either `id` or `item_id` must be specified
+ in: query
+ name: item_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem'
+ type: array
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Insufficient privileges
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Endpoint list item not found
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Internal server error
+ summary: Get an endpoint exception list item
+ tags:
+ - Security Endpoint Exceptions API
+ x-beta: true
+ post:
+ description: Create an endpoint exception list item, and associate it with the endpoint exception list.
+ operationId: CreateEndpointListItem
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ comments:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
+ default: []
+ description:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
+ entries:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
+ item_id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
+ name:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
+ os_types:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
+ default: []
+ tags:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
+ default: []
+ type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
+ required:
+ - type
+ - name
+ - description
+ - entries
+ description: Exception list item's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Insufficient privileges
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Endpoint list item already exists
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Internal server error
+ summary: Create an endpoint exception list item
+ tags:
+ - Security Endpoint Exceptions API
+ x-beta: true
+ put:
+ description: Update an endpoint exception list item using the `id` or `item_id` field.
+ operationId: UpdateEndpointListItem
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ _version:
+ type: string
+ comments:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
+ default: []
+ description:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
+ entries:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
+ id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
+ description: Either `id` or `item_id` must be specified
+ item_id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ description: Either `id` or `item_id` must be specified
+ meta:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
+ name:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
+ os_types:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
+ default: []
+ tags:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
+ type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
+ required:
+ - type
+ - name
+ - description
+ - entries
+ description: Exception list item's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Insufficient privileges
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Endpoint list item not found
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Internal server error
+ summary: Update an endpoint exception list item
+ tags:
+ - Security Endpoint Exceptions API
+ x-beta: true
+ /api/endpoint_list/items/_find:
+ get:
+ description: Get a list of all endpoint exception list items.
+ operationId: FindEndpointListItems
+ parameters:
+ - description: |
+ Filters the returned results according to the value of the specified field,
+ using the `:` syntax.
+ in: query
+ name: filter
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter'
+ - description: The page number to return
+ in: query
+ name: page
+ required: false
+ schema:
+ minimum: 0
+ type: integer
+ - description: The number of exception list items to return per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ minimum: 0
+ type: integer
+ - description: Determines which field is used to sort the results
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ - description: Determines the sort order, which can be `desc` or `asc`
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ data:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem'
+ type: array
+ page:
+ minimum: 0
+ type: integer
+ per_page:
+ minimum: 0
+ type: integer
+ pit:
+ type: string
+ total:
+ minimum: 0
+ type: integer
+ required:
+ - data
+ - page
+ - per_page
+ - total
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse'
+ description: Insufficient privileges
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Endpoint list not found
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse'
+ description: Internal server error
+ summary: Get endpoint exception list items
+ tags:
+ - Security Endpoint Exceptions API
+ x-beta: true
+ /api/endpoint/action:
+ get:
+ description: Get a list of all response actions.
+ operationId: EndpointGetActionsList
+ parameters:
+ - in: query
+ name: query
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Get response actions
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action_status:
+ get:
+ description: Get the status of response actions for the specified agent IDs.
+ operationId: EndpointGetActionsStatus
+ parameters:
+ - in: query
+ name: query
+ required: true
+ schema:
+ type: object
+ properties:
+ agent_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse'
+ description: OK
+ summary: Get response actions status
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/{action_id}:
+ get:
+ description: Get the details of a response action using the action ID.
+ operationId: EndpointGetActionsDetails
+ parameters:
+ - in: path
+ name: action_id
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Get action details
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/{action_id}/file/{file_id}:
+ get:
+ description: Get information for the specified file using the file ID.
+ operationId: EndpointFileInfo
+ parameters:
+ - in: path
+ name: action_id
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: file_id
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Get file information
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/{action_id}/file/{file_id}/download:
+ get:
+ description: Download a file from an endpoint.
+ operationId: EndpointFileDownload
+ parameters:
+ - in: path
+ name: action_id
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: file_id
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Download a file
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/execute:
+ post:
+ description: Run a shell command on an endpoint.
+ operationId: EndpointExecuteAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Run a command
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/get_file:
+ post:
+ description: Get a file from an endpoint.
+ operationId: EndpointGetFileAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Get a file
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/isolate:
+ post:
+ description: Isolate an endpoint from the network. The endpoint remains isolated until it's released.
+ operationId: EndpointIsolateAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Isolate an endpoint
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/kill_process:
+ post:
+ description: Terminate a running process on an endpoint.
+ operationId: EndpointKillProcessAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Terminate a process
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/running_procs:
+ post:
+ description: Get a list of all processes running on an endpoint.
+ operationId: EndpointGetProcessesAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Get running processes
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/scan:
+ post:
+ description: Scan a specific file or directory on an endpoint for malware.
+ operationId: EndpointScanAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Scan a file or directory
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/state:
+ get:
+ description: Get a response actions state, which reports whether encryption is enabled.
+ operationId: EndpointGetActionsState
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse'
+ description: OK
+ summary: Get actions state
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/suspend_process:
+ post:
+ description: Suspend a running process on an endpoint.
+ operationId: EndpointSuspendProcessAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Suspend a process
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/unisolate:
+ post:
+ description: Release an isolated endpoint, allowing it to rejoin a network.
+ operationId: EndpointUnisolateAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Release an isolated endpoint
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/action/upload:
+ post:
+ description: Upload a file to an endpoint.
+ operationId: EndpointUploadAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Upload a file
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/metadata:
+ get:
+ operationId: GetEndpointMetadataList
+ parameters:
+ - in: query
+ name: query
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_ListRequestQuery'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Get a metadata list
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/metadata/{id}:
+ get:
+ operationId: GetEndpointMetadata
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Get metadata
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/policy_response:
+ get:
+ operationId: GetPolicyResponse
+ parameters:
+ - in: query
+ name: query
+ required: true
+ schema:
+ type: object
+ properties:
+ agentId:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
+ description: OK
+ summary: Get a policy response
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/endpoint/protection_updates_note/{package_policy_id}:
+ get:
+ operationId: GetProtectionUpdatesNote
+ parameters:
+ - in: path
+ name: package_policy_id
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse'
+ description: OK
+ summary: Get a protection updates note
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ post:
+ operationId: CreateUpdateProtectionUpdatesNote
+ parameters:
+ - in: path
+ name: package_policy_id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ note:
+ type: string
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse'
+ description: OK
+ summary: Create or update a protection updates note
+ tags:
+ - Security Endpoint Management API
+ x-beta: true
+ /api/entity_store/enable:
+ post:
+ operationId: InitEntityStore
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ fieldHistoryLength:
+ default: 10
+ description: The number of historical values to keep for each field.
+ type: integer
+ filter:
+ type: string
+ indexPattern:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
+ description: Schema for the entity store initialization
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ engines:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+ type: array
+ succeeded:
+ type: boolean
+ description: Successful response
+ summary: Initialize the Entity Store
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/entity_store/engines:
+ get:
+ operationId: ListEntityEngines
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ count:
+ type: integer
+ engines:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+ type: array
+ description: Successful response
+ summary: List the Entity Engines
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/entity_store/engines/{entityType}:
+ delete:
+ operationId: DeleteEntityEngine
+ parameters:
+ - description: The entity type of the engine (either 'user' or 'host').
+ in: path
+ name: entityType
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
+ - description: Control flag to also delete the entity data.
+ in: query
+ name: data
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ deleted:
+ type: boolean
+ description: Successful response
+ summary: Delete the Entity Engine
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ get:
+ operationId: GetEntityEngine
+ parameters:
+ - description: The entity type of the engine (either 'user' or 'host').
+ in: path
+ name: entityType
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+ description: Successful response
+ summary: Get an Entity Engine
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/entity_store/engines/{entityType}/init:
+ post:
+ operationId: InitEntityEngine
+ parameters:
+ - description: The entity type of the engine (either 'user' or 'host').
+ in: path
+ name: entityType
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ fieldHistoryLength:
+ default: 10
+ description: The number of historical values to keep for each field.
+ type: integer
+ filter:
+ type: string
+ indexPattern:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
+ description: Schema for the engine initialization
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+ description: Successful response
+ summary: Initialize an Entity Engine
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/entity_store/engines/{entityType}/start:
+ post:
+ operationId: StartEntityEngine
+ parameters:
+ - description: The entity type of the engine (either 'user' or 'host').
+ in: path
+ name: entityType
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ started:
+ type: boolean
+ description: Successful response
+ summary: Start an Entity Engine
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/entity_store/engines/{entityType}/stop:
+ post:
+ operationId: StopEntityEngine
+ parameters:
+ - description: The entity type of the engine (either 'user' or 'host').
+ in: path
+ name: entityType
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ stopped:
+ type: boolean
+ description: Successful response
+ summary: Stop an Entity Engine
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/entity_store/engines/apply_dataview_indices:
+ post:
+ operationId: ApplyEntityEngineDataviewIndices
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ result:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult'
+ type: array
+ success:
+ type: boolean
+ description: Successful response
+ '207':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ errors:
+ items:
+ type: string
+ type: array
+ result:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult'
+ type: array
+ success:
+ type: boolean
+ description: Partial successful response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ body:
+ type: string
+ statusCode:
+ type: number
+ description: Error response
+ summary: Apply DataView indices to all installed engines
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/entity_store/entities/list:
+ get:
+ description: List entities records, paging, sorting and filtering as needed.
+ operationId: ListEntities
+ parameters:
+ - in: query
+ name: sort_field
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ - in: query
+ name: page
+ required: false
+ schema:
+ minimum: 1
+ type: integer
+ - in: query
+ name: per_page
+ required: false
+ schema:
+ maximum: 10000
+ minimum: 1
+ type: integer
+ - description: An ES query to filter by.
+ in: query
+ name: filterQuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: entities_types
+ required: true
+ schema:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
+ type: array
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ inspect:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_InspectQuery'
+ page:
+ minimum: 1
+ type: integer
+ per_page:
+ maximum: 1000
+ minimum: 1
+ type: integer
+ records:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_Entity'
+ type: array
+ total:
+ minimum: 0
+ type: integer
+ required:
+ - records
+ - page
+ - per_page
+ - total
+ description: Entities returned successfully
+ summary: List Entity Store Entities
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/entity_store/status:
+ get:
+ operationId: GetEntityStoreStatus
+ parameters:
+ - description: If true returns a detailed status of the engine including all it's components
+ in: query
+ name: include_components
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ engines:
+ items:
+ allOf:
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineDescriptor'
+ - type: object
+ properties:
+ components:
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentStatus'
+ type: array
+ type: array
+ status:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_StoreStatus'
+ required:
+ - status
+ - engines
+ description: Successful response
+ summary: Get the status of the Entity Store
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/exception_lists:
+ delete:
+ description: Delete an exception list using the `id` or `list_id` field.
+ operationId: DeleteExceptionList
+ parameters:
+ - description: Either `id` or `list_id` must be specified
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
+ - description: Either `id` or `list_id` must be specified
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ - in: query
+ name: namespace_type
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Delete an exception list
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ get:
+ description: Get the details of an exception list using the `id` or `list_id` field.
+ operationId: ReadExceptionList
+ parameters:
+ - description: Either `id` or `list_id` must be specified
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
+ - description: Either `id` or `list_id` must be specified
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ - in: query
+ name: namespace_type
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list item not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get exception list details
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ post:
+ description: |
+ An exception list groups exception items and can be associated with detection rules. You can assign detection rules with multiple exception lists.
+ > info
+ > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
+ operationId: CreateExceptionList
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
+ list_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ os_types:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
+ tags:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
+ default: []
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
+ version:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
+ default: 1
+ required:
+ - name
+ - description
+ - type
+ description: Exception list's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list already exists response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create an exception list
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ put:
+ description: Update an exception list using the `id` or `list_id` field.
+ operationId: UpdateExceptionList
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ _version:
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
+ list_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ os_types:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
+ default: []
+ tags:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
+ version:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
+ required:
+ - name
+ - description
+ - type
+ description: Exception list's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Update an exception list
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ /api/exception_lists/_duplicate:
+ post:
+ description: Duplicate an existing exception list.
+ operationId: DuplicateExceptionList
+ parameters:
+ - description: Exception list's human identifier
+ in: query
+ name: list_id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ - in: query
+ name: namespace_type
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ - description: Determines whether to include expired exceptions in the exported list
+ in: query
+ name: include_expired_exceptions
+ required: true
+ schema:
+ default: 'true'
+ enum:
+ - 'true'
+ - 'false'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '405':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list to duplicate not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Duplicate an exception list
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ /api/exception_lists/_export:
+ post:
+ description: Export an exception list and its associated items to an NDJSON file.
+ operationId: ExportExceptionList
+ parameters:
+ - description: Exception list's identifier
+ in: query
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
+ - description: Exception list's human identifier
+ in: query
+ name: list_id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ - in: query
+ name: namespace_type
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ - description: Determines whether to include expired exceptions in the exported list
+ in: query
+ name: include_expired_exceptions
+ required: true
+ schema:
+ default: 'true'
+ enum:
+ - 'true'
+ - 'false'
+ type: string
+ responses:
+ '200':
+ content:
+ application/ndjson; Elastic-Api-Version=2023-10-31:
+ schema:
+ description: A `.ndjson` file containing specified exception list and its items
+ format: binary
+ type: string
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Export an exception list
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ /api/exception_lists/_find:
+ get:
+ description: Get a list of all exception lists.
+ operationId: FindExceptionLists
+ parameters:
+ - description: |
+ Filters the returned results according to the value of the specified field.
+
+ Uses the `so type.field name:field` value syntax, where `so type` can be:
+
+ - `exception-list`: Specify a space-aware exception list.
+ - `exception-list-agnostic`: Specify an exception list that is shared across spaces.
+ in: query
+ name: filter
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListsFilter'
+ - description: |
+ Determines whether the returned containers are Kibana associated with a Kibana space
+ or available in all spaces (`agnostic` or `single`)
+ in: query
+ name: namespace_type
+ required: false
+ schema:
+ default:
+ - single
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ type: array
+ - description: The page number to return
+ in: query
+ name: page
+ required: false
+ schema:
+ minimum: 1
+ type: integer
+ - description: The number of exception lists to return per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ minimum: 1
+ type: integer
+ - description: Determines which field is used to sort the results
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ type: string
+ - description: Determines the sort order, which can be `desc` or `asc`
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ data:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
+ type: array
+ page:
+ minimum: 1
+ type: integer
+ per_page:
+ minimum: 1
+ type: integer
+ total:
+ minimum: 0
+ type: integer
+ required:
+ - data
+ - page
+ - per_page
+ - total
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get exception lists
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ /api/exception_lists/_import:
+ post:
+ description: Import an exception list and its associated items from an NDJSON file.
+ operationId: ImportExceptionList
+ parameters:
+ - description: |
+ Determines whether existing exception lists with the same `list_id` are overwritten.
+ If any exception items have the same `item_id`, those are also overwritten.
+ in: query
+ name: overwrite
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: overwrite_exceptions
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: overwrite_action_connectors
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - description: |
+ Determines whether the list being imported will have a new `list_id` generated.
+ Additional `item_id`'s are generated for each exception item. Both the exception
+ list and its items are overwritten.
+ in: query
+ name: as_new_list
+ required: false
+ schema:
+ default: false
+ type: boolean
+ requestBody:
+ content:
+ multipart/form-data; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ file:
+ description: A `.ndjson` file containing the exception list
+ format: binary
+ type: string
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ errors:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray'
+ success:
+ type: boolean
+ success_count:
+ minimum: 0
+ type: integer
+ success_count_exception_list_items:
+ minimum: 0
+ type: integer
+ success_count_exception_lists:
+ minimum: 0
+ type: integer
+ success_exception_list_items:
+ type: boolean
+ success_exception_lists:
+ type: boolean
+ required:
+ - errors
+ - success
+ - success_count
+ - success_exception_lists
+ - success_count_exception_lists
+ - success_exception_list_items
+ - success_count_exception_list_items
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Import an exception list
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ /api/exception_lists/items:
+ delete:
+ description: Delete an exception list item using the `id` or `item_id` field.
+ operationId: DeleteExceptionListItem
+ parameters:
+ - description: Either `id` or `item_id` must be specified
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
+ - description: Either `id` or `item_id` must be specified
+ in: query
+ name: item_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ - in: query
+ name: namespace_type
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list item not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Delete an exception list item
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ get:
+ description: Get the details of an exception list item using the `id` or `item_id` field.
+ operationId: ReadExceptionListItem
+ parameters:
+ - description: Either `id` or `item_id` must be specified
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
+ - description: Either `id` or `item_id` must be specified
+ in: query
+ name: item_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ - in: query
+ name: namespace_type
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list item not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get an exception list item
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ post:
+ description: |
+ Create an exception item and associate it with the specified exception list.
+ > info
+ > Before creating exception items, you must create an exception list.
+ operationId: CreateExceptionListItem
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ comments:
+ $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray'
+ default: []
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
+ entries:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
+ expire_time:
+ format: date-time
+ type: string
+ item_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ list_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ os_types:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
+ default: []
+ tags:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
+ default: []
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
+ required:
+ - list_id
+ - type
+ - name
+ - description
+ - entries
+ description: Exception list item's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list item already exists response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create an exception list item
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ put:
+ description: Update an exception list item using the `id` or `item_id` field.
+ operationId: UpdateExceptionListItem
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ _version:
+ type: string
+ comments:
+ $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray'
+ default: []
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
+ entries:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
+ expire_time:
+ format: date-time
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
+ description: Either `id` or `item_id` must be specified
+ item_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ description: Either `id` or `item_id` must be specified
+ list_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ os_types:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
+ default: []
+ tags:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
+ required:
+ - type
+ - name
+ - description
+ - entries
+ description: Exception list item's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list item not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Update an exception list item
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ /api/exception_lists/items/_find:
+ get:
+ description: Get a list of all exception list items in the specified list.
+ operationId: FindExceptionListItems
+ parameters:
+ - description: List's id
+ in: query
+ name: list_id
+ required: true
+ schema:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ type: array
+ - description: |
+ Filters the returned results according to the value of the specified field,
+ using the `:` syntax.
+ in: query
+ name: filter
+ required: false
+ schema:
+ default: []
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter'
+ type: array
+ - description: |
+ Determines whether the returned containers are Kibana associated with a Kibana space
+ or available in all spaces (`agnostic` or `single`)
+ in: query
+ name: namespace_type
+ required: false
+ schema:
+ default:
+ - single
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ type: array
+ - in: query
+ name: search
+ required: false
+ schema:
+ type: string
+ - description: The page number to return
+ in: query
+ name: page
+ required: false
+ schema:
+ minimum: 0
+ type: integer
+ - description: The number of exception list items to return per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ minimum: 0
+ type: integer
+ - description: Determines which field is used to sort the results
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ - description: Determines the sort order, which can be `desc` or `asc`
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ data:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem'
+ type: array
+ page:
+ minimum: 1
+ type: integer
+ per_page:
+ minimum: 1
+ type: integer
+ pit:
+ type: string
+ total:
+ minimum: 0
+ type: integer
+ required:
+ - data
+ - page
+ - per_page
+ - total
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get exception list items
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ /api/exception_lists/summary:
+ get:
+ description: Get a summary of the specified exception list.
+ operationId: ReadExceptionListSummary
+ parameters:
+ - description: Exception list's identifier generated upon creation
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
+ - description: Exception list's human readable identifier
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ - in: query
+ name: namespace_type
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ - description: Search filter clause
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ linux:
+ minimum: 0
+ type: integer
+ macos:
+ minimum: 0
+ type: integer
+ total:
+ minimum: 0
+ type: integer
+ windows:
+ minimum: 0
+ type: integer
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get an exception list summary
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ /api/exceptions/shared:
+ post:
+ description: |
+ An exception list groups exception items and can be associated with detection rules. A shared exception list can apply to multiple detection rules.
+ > info
+ > All exception items added to the same list are evaluated using `OR` logic. That is, if any of the items in a list evaluate to `true`, the exception prevents the rule from generating an alert. Likewise, `OR` logic is used for evaluating exceptions when more than one exception list is assigned to a rule. To use the `AND` operator, you can define multiple clauses (`entries`) in a single exception item.
+ operationId: CreateSharedExceptionList
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
+ required:
+ - name
+ - description
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Exception list already exists response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create a shared exception list
+ tags:
+ - Security Exceptions API
+ x-beta: true
+ /api/fleet/agent_download_sources:
+ get:
+ operationId: get-fleet-agent-download-sources
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ required:
+ - id
+ - name
+ - host
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get agent binary download sources
+ tags:
+ - Elastic Agent binary download sources
+ x-beta: true
+ post:
+ operationId: post-fleet-agent-download-sources
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ required:
+ - name
+ - host
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ required:
+ - id
+ - name
+ - host
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Create an agent binary download source
+ tags:
+ - Elastic Agent binary download sources
+ x-beta: true
+ /api/fleet/agent_download_sources/{sourceId}:
+ delete:
+ description: Delete an agent binary download source by ID.
+ operationId: delete-fleet-agent-download-sources-sourceid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: sourceId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Delete an agent binary download source
+ tags:
+ - Elastic Agent binary download sources
+ x-beta: true
+ get:
+ description: Get an agent binary download source by ID.
+ operationId: get-fleet-agent-download-sources-sourceid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: sourceId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ required:
+ - id
+ - name
+ - host
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get an agent binary download source
+ tags:
+ - Elastic Agent binary download sources
+ x-beta: true
+ put:
+ description: Update an agent binary download source by ID.
+ operationId: put-fleet-agent-download-sources-sourceid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: sourceId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ required:
+ - name
+ - host
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ host:
+ format: uri
+ type: string
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ description: The ID of the proxy to use for this download source. See the proxies API for more information.
+ nullable: true
+ type: string
+ required:
+ - id
+ - name
+ - host
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Update an agent binary download source
+ tags:
+ - Elastic Agent binary download sources
+ x-beta: true
+ /api/fleet/agent_policies:
+ get:
+ operationId: get-fleet-agent-policies
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: page
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: sortField
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ - in: query
+ name: showUpgradeable
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ - description: use withAgentCount instead
+ in: query
+ name: noAgentCount
+ required: false
+ schema:
+ deprecated: true
+ type: boolean
+ - description: get policies with agent count
+ in: query
+ name: withAgentCount
+ required: false
+ schema:
+ type: boolean
+ - description: get full policies with package policies populated
+ in: query
+ name: full
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ type: object
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ agent_download_timeout:
+ nullable: true
+ agent_limits_go_max_procs:
+ nullable: true
+ agent_logging_files_interval:
+ nullable: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ agent_logging_level:
+ nullable: true
+ agent_logging_metrics_period:
+ nullable: true
+ agent_logging_to_files:
+ nullable: true
+ agent_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: array
+ agents:
+ type: number
+ data_output_id:
+ nullable: true
+ type: string
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ is_protected:
+ description: Indicates whether the agent policy has tamper protection enabled. Default false.
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ monitoring_diagnostics:
+ additionalProperties: false
+ type: object
+ properties:
+ limit:
+ additionalProperties: false
+ type: object
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ uploader:
+ additionalProperties: false
+ type: object
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ type: object
+ properties:
+ buffer:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ required:
+ - enabled
+ monitoring_output_id:
+ nullable: true
+ type: string
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ package_policies:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: array
+ revision:
+ type: number
+ schema_version:
+ type: string
+ space_ids:
+ items:
+ type: string
+ type: array
+ status:
+ enum:
+ - active
+ - inactive
+ type: string
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ unprivileged_agents:
+ type: number
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - name
+ - namespace
+ - is_managed
+ - is_protected
+ - status
+ - updated_at
+ - updated_by
+ - revision
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get agent policies
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ post:
+ operationId: post-fleet-agent-policies
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: query
+ name: sys_monitoring
+ required: false
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ type: object
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ agent_download_timeout:
+ nullable: true
+ agent_limits_go_max_procs:
+ nullable: true
+ agent_logging_files_interval:
+ nullable: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ agent_logging_level:
+ nullable: true
+ agent_logging_metrics_period:
+ nullable: true
+ agent_logging_to_files:
+ nullable: true
+ agent_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: array
+ data_output_id:
+ nullable: true
+ type: string
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ force:
+ type: boolean
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_protected:
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ monitoring_diagnostics:
+ additionalProperties: false
+ type: object
+ properties:
+ limit:
+ additionalProperties: false
+ type: object
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ uploader:
+ additionalProperties: false
+ type: object
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ type: object
+ properties:
+ buffer:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ required:
+ - enabled
+ monitoring_output_id:
+ nullable: true
+ type: string
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ space_ids:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ required:
+ - name
+ - namespace
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ type: object
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ agent_download_timeout:
+ nullable: true
+ agent_limits_go_max_procs:
+ nullable: true
+ agent_logging_files_interval:
+ nullable: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ agent_logging_level:
+ nullable: true
+ agent_logging_metrics_period:
+ nullable: true
+ agent_logging_to_files:
+ nullable: true
+ agent_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: array
+ agents:
+ type: number
+ data_output_id:
+ nullable: true
+ type: string
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ is_protected:
+ description: Indicates whether the agent policy has tamper protection enabled. Default false.
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ monitoring_diagnostics:
+ additionalProperties: false
+ type: object
+ properties:
+ limit:
+ additionalProperties: false
+ type: object
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ uploader:
+ additionalProperties: false
+ type: object
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ type: object
+ properties:
+ buffer:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ required:
+ - enabled
+ monitoring_output_id:
+ nullable: true
+ type: string
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ package_policies:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: array
+ revision:
+ type: number
+ schema_version:
+ type: string
+ space_ids:
+ items:
+ type: string
+ type: array
+ status:
+ enum:
+ - active
+ - inactive
+ type: string
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ unprivileged_agents:
+ type: number
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - name
+ - namespace
+ - is_managed
+ - is_protected
+ - status
+ - updated_at
+ - updated_by
+ - revision
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Create an agent policy
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/agent_policies/_bulk_get:
+ post:
+ operationId: post-fleet-agent-policies-bulk-get
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ full:
+ description: get full policies with package policies populated
+ type: boolean
+ ids:
+ description: list of package policy ids
+ items:
+ type: string
+ type: array
+ ignoreMissing:
+ type: boolean
+ required:
+ - ids
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ type: object
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ agent_download_timeout:
+ nullable: true
+ agent_limits_go_max_procs:
+ nullable: true
+ agent_logging_files_interval:
+ nullable: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ agent_logging_level:
+ nullable: true
+ agent_logging_metrics_period:
+ nullable: true
+ agent_logging_to_files:
+ nullable: true
+ agent_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: array
+ agents:
+ type: number
+ data_output_id:
+ nullable: true
+ type: string
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ is_protected:
+ description: Indicates whether the agent policy has tamper protection enabled. Default false.
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ monitoring_diagnostics:
+ additionalProperties: false
+ type: object
+ properties:
+ limit:
+ additionalProperties: false
+ type: object
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ uploader:
+ additionalProperties: false
+ type: object
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ type: object
+ properties:
+ buffer:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ required:
+ - enabled
+ monitoring_output_id:
+ nullable: true
+ type: string
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ package_policies:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: array
+ revision:
+ type: number
+ schema_version:
+ type: string
+ space_ids:
+ items:
+ type: string
+ type: array
+ status:
+ enum:
+ - active
+ - inactive
+ type: string
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ unprivileged_agents:
+ type: number
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - name
+ - namespace
+ - is_managed
+ - is_protected
+ - status
+ - updated_at
+ - updated_by
+ - revision
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Bulk get agent policies
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/agent_policies/{agentPolicyId}:
+ get:
+ description: Get an agent policy by ID.
+ operationId: get-fleet-agent-policies-agentpolicyid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ type: object
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ agent_download_timeout:
+ nullable: true
+ agent_limits_go_max_procs:
+ nullable: true
+ agent_logging_files_interval:
+ nullable: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ agent_logging_level:
+ nullable: true
+ agent_logging_metrics_period:
+ nullable: true
+ agent_logging_to_files:
+ nullable: true
+ agent_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: array
+ agents:
+ type: number
+ data_output_id:
+ nullable: true
+ type: string
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ is_protected:
+ description: Indicates whether the agent policy has tamper protection enabled. Default false.
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ monitoring_diagnostics:
+ additionalProperties: false
+ type: object
+ properties:
+ limit:
+ additionalProperties: false
+ type: object
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ uploader:
+ additionalProperties: false
+ type: object
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ type: object
+ properties:
+ buffer:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ required:
+ - enabled
+ monitoring_output_id:
+ nullable: true
+ type: string
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ package_policies:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: array
+ revision:
+ type: number
+ schema_version:
+ type: string
+ space_ids:
+ items:
+ type: string
+ type: array
+ status:
+ enum:
+ - active
+ - inactive
+ type: string
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ unprivileged_agents:
+ type: number
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - name
+ - namespace
+ - is_managed
+ - is_protected
+ - status
+ - updated_at
+ - updated_by
+ - revision
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get an agent policy
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ put:
+ description: Update an agent policy by ID.
+ operationId: put-fleet-agent-policies-agentpolicyid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ type: object
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ agent_download_timeout:
+ nullable: true
+ agent_limits_go_max_procs:
+ nullable: true
+ agent_logging_files_interval:
+ nullable: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ agent_logging_level:
+ nullable: true
+ agent_logging_metrics_period:
+ nullable: true
+ agent_logging_to_files:
+ nullable: true
+ agent_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: array
+ data_output_id:
+ nullable: true
+ type: string
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ force:
+ type: boolean
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_protected:
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ monitoring_diagnostics:
+ additionalProperties: false
+ type: object
+ properties:
+ limit:
+ additionalProperties: false
+ type: object
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ uploader:
+ additionalProperties: false
+ type: object
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ type: object
+ properties:
+ buffer:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ required:
+ - enabled
+ monitoring_output_id:
+ nullable: true
+ type: string
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ space_ids:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ required:
+ - name
+ - namespace
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ type: object
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ agent_download_timeout:
+ nullable: true
+ agent_limits_go_max_procs:
+ nullable: true
+ agent_logging_files_interval:
+ nullable: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ agent_logging_level:
+ nullable: true
+ agent_logging_metrics_period:
+ nullable: true
+ agent_logging_to_files:
+ nullable: true
+ agent_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: array
+ agents:
+ type: number
+ data_output_id:
+ nullable: true
+ type: string
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ is_protected:
+ description: Indicates whether the agent policy has tamper protection enabled. Default false.
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ monitoring_diagnostics:
+ additionalProperties: false
+ type: object
+ properties:
+ limit:
+ additionalProperties: false
+ type: object
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ uploader:
+ additionalProperties: false
+ type: object
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ type: object
+ properties:
+ buffer:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ required:
+ - enabled
+ monitoring_output_id:
+ nullable: true
+ type: string
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ package_policies:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: array
+ revision:
+ type: number
+ schema_version:
+ type: string
+ space_ids:
+ items:
+ type: string
+ type: array
+ status:
+ enum:
+ - active
+ - inactive
+ type: string
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ unprivileged_agents:
+ type: number
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - name
+ - namespace
+ - is_managed
+ - is_protected
+ - status
+ - updated_at
+ - updated_by
+ - revision
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Update an agent policy
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/agent_policies/{agentPolicyId}/copy:
+ post:
+ description: Copy an agent policy by ID.
+ operationId: post-fleet-agent-policies-agentpolicyid-copy
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ description:
+ type: string
+ name:
+ minLength: 1
+ type: string
+ required:
+ - name
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ advanced_settings:
+ additionalProperties: false
+ type: object
+ properties:
+ agent_download_target_directory:
+ nullable: true
+ agent_download_timeout:
+ nullable: true
+ agent_limits_go_max_procs:
+ nullable: true
+ agent_logging_files_interval:
+ nullable: true
+ agent_logging_files_keepfiles:
+ nullable: true
+ agent_logging_files_rotateeverybytes:
+ nullable: true
+ agent_logging_level:
+ nullable: true
+ agent_logging_metrics_period:
+ nullable: true
+ agent_logging_to_files:
+ nullable: true
+ agent_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ name:
+ type: string
+ required:
+ - name
+ - enabled
+ type: array
+ agents:
+ type: number
+ data_output_id:
+ nullable: true
+ type: string
+ description:
+ type: string
+ download_source_id:
+ nullable: true
+ type: string
+ fleet_server_host_id:
+ nullable: true
+ type: string
+ global_data_tags:
+ description: User defined data tags that are added to all of the inputs. The values can be strings or numbers.
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ value:
+ anyOf:
+ - type: string
+ - type: number
+ required:
+ - name
+ - value
+ type: array
+ has_fleet_server:
+ type: boolean
+ id:
+ type: string
+ inactivity_timeout:
+ default: 1209600
+ minimum: 0
+ type: number
+ is_default:
+ type: boolean
+ is_default_fleet_server:
+ type: boolean
+ is_managed:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ is_protected:
+ description: Indicates whether the agent policy has tamper protection enabled. Default false.
+ type: boolean
+ keep_monitoring_alive:
+ default: false
+ description: When set to true, monitoring will be enabled but logs/metrics collection will be disabled
+ nullable: true
+ type: boolean
+ monitoring_diagnostics:
+ additionalProperties: false
+ type: object
+ properties:
+ limit:
+ additionalProperties: false
+ type: object
+ properties:
+ burst:
+ type: number
+ interval:
+ type: string
+ uploader:
+ additionalProperties: false
+ type: object
+ properties:
+ init_dur:
+ type: string
+ max_dur:
+ type: string
+ max_retries:
+ type: number
+ monitoring_enabled:
+ items:
+ enum:
+ - logs
+ - metrics
+ - traces
+ type: string
+ type: array
+ monitoring_http:
+ additionalProperties: false
+ type: object
+ properties:
+ buffer:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ default: false
+ type: boolean
+ enabled:
+ type: boolean
+ host:
+ type: string
+ port:
+ maximum: 65353
+ minimum: 0
+ type: number
+ required:
+ - enabled
+ monitoring_output_id:
+ nullable: true
+ type: string
+ monitoring_pprof_enabled:
+ type: boolean
+ name:
+ minLength: 1
+ type: string
+ namespace:
+ minLength: 1
+ type: string
+ overrides:
+ additionalProperties: {}
+ description: Override settings that are defined in the agent policy. Input settings cannot be overridden. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ package_policies:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - description: This field is present only when retrieving a single agent policy, or when retrieving a list of agent policies with the ?full=true parameter
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: array
+ revision:
+ type: number
+ schema_version:
+ type: string
+ space_ids:
+ items:
+ type: string
+ type: array
+ status:
+ enum:
+ - active
+ - inactive
+ type: string
+ supports_agentless:
+ default: false
+ description: Indicates whether the agent policy supports agentless integrations.
+ nullable: true
+ type: boolean
+ unenroll_timeout:
+ minimum: 0
+ type: number
+ unprivileged_agents:
+ type: number
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - name
+ - namespace
+ - is_managed
+ - is_protected
+ - status
+ - updated_at
+ - updated_by
+ - revision
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Copy an agent policy
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/agent_policies/{agentPolicyId}/download:
+ get:
+ description: Download an agent policy by ID.
+ operationId: get-fleet-agent-policies-agentpolicyid-download
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: download
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: standalone
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: kubernetes
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: string
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Download an agent policy
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/agent_policies/{agentPolicyId}/full:
+ get:
+ description: Get a full agent policy by ID.
+ operationId: get-fleet-agent-policies-agentpolicyid-full
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: download
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: standalone
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: kubernetes
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ anyOf:
+ - type: string
+ - additionalProperties: false
+ type: object
+ properties:
+ agent:
+ additionalProperties: false
+ type: object
+ properties:
+ download:
+ additionalProperties: false
+ type: object
+ properties:
+ sourceURI:
+ type: string
+ required:
+ - sourceURI
+ features:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ required:
+ - enabled
+ type: object
+ limits:
+ additionalProperties: false
+ type: object
+ properties:
+ go_max_procs:
+ type: number
+ logging:
+ additionalProperties: false
+ type: object
+ properties:
+ files:
+ additionalProperties: false
+ type: object
+ properties:
+ interval:
+ type: string
+ keepfiles:
+ type: number
+ rotateeverybytes:
+ type: number
+ level:
+ type: string
+ to_files:
+ type: boolean
+ monitoring:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ logs:
+ type: boolean
+ metrics:
+ type: boolean
+ namespace:
+ type: string
+ traces:
+ type: boolean
+ use_output:
+ type: string
+ required:
+ - enabled
+ - metrics
+ - logs
+ - traces
+ protection:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ signing_key:
+ type: string
+ uninstall_token_hash:
+ type: string
+ required:
+ - enabled
+ - uninstall_token_hash
+ - signing_key
+ required:
+ - monitoring
+ - download
+ - features
+ fleet:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ hosts:
+ items:
+ type: string
+ type: array
+ proxy_headers: {}
+ proxy_url:
+ type: string
+ ssl:
+ additionalProperties: false
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ renegotiation:
+ type: string
+ verification_mode:
+ type: string
+ required:
+ - hosts
+ - proxy_headers
+ - additionalProperties: false
+ type: object
+ properties:
+ kibana:
+ additionalProperties: false
+ type: object
+ properties:
+ hosts:
+ items:
+ type: string
+ type: array
+ path:
+ type: string
+ protocol:
+ type: string
+ required:
+ - hosts
+ - protocol
+ required:
+ - kibana
+ id:
+ type: string
+ inputs:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ data_stream:
+ additionalProperties: true
+ type: object
+ properties:
+ namespace:
+ type: string
+ required:
+ - namespace
+ id:
+ type: string
+ meta:
+ additionalProperties: true
+ type: object
+ properties:
+ package:
+ additionalProperties: true
+ type: object
+ properties:
+ name:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ - version
+ name:
+ type: string
+ package_policy_id:
+ type: string
+ processors:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ add_fields:
+ additionalProperties: true
+ type: object
+ properties:
+ fields:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: number
+ type: object
+ target:
+ type: string
+ required:
+ - target
+ - fields
+ required:
+ - add_fields
+ type: array
+ revision:
+ type: number
+ streams:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ data_stream:
+ additionalProperties: true
+ type: object
+ properties:
+ dataset:
+ type: string
+ type:
+ type: string
+ required:
+ - dataset
+ id:
+ type: string
+ required:
+ - id
+ - data_stream
+ type: array
+ type:
+ type: string
+ use_output:
+ type: string
+ required:
+ - id
+ - name
+ - revision
+ - type
+ - data_stream
+ - use_output
+ - package_policy_id
+ type: array
+ namespaces:
+ items:
+ type: string
+ type: array
+ output_permissions:
+ additionalProperties:
+ additionalProperties: {}
+ type: object
+ type: object
+ outputs:
+ additionalProperties:
+ additionalProperties: true
+ type: object
+ properties:
+ ca_sha256:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ type: string
+ type: array
+ proxy_headers: {}
+ proxy_url:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ - proxy_headers
+ type: object
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ signed:
+ additionalProperties: false
+ type: object
+ properties:
+ data:
+ type: string
+ signature:
+ type: string
+ required:
+ - data
+ - signature
+ required:
+ - id
+ - outputs
+ - inputs
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get a full agent policy
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/agent_policies/{agentPolicyId}/outputs:
+ get:
+ description: Get a list of outputs associated with agent policy by policy id.
+ operationId: get-fleet-agent-policies-agentpolicyid-outputs
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: agentPolicyId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ agentPolicyId:
+ type: string
+ data:
+ additionalProperties: false
+ type: object
+ properties:
+ integrations:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ integrationPolicyName:
+ type: string
+ name:
+ type: string
+ pkgName:
+ type: string
+ type: array
+ output:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ required:
+ - output
+ monitoring:
+ additionalProperties: false
+ type: object
+ properties:
+ output:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ required:
+ - output
+ required:
+ - monitoring
+ - data
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get outputs for an agent policy
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/agent_policies/delete:
+ post:
+ description: Delete an agent policy by ID.
+ operationId: post-fleet-agent-policies-delete
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ agentPolicyId:
+ type: string
+ force:
+ description: bypass validation checks that can prevent agent policy deletion
+ type: boolean
+ required:
+ - agentPolicyId
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Delete an agent policy
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/agent_policies/outputs:
+ post:
+ description: Get a list of outputs associated with agent policies.
+ operationId: post-fleet-agent-policies-outputs
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ description: list of package policy ids
+ items:
+ type: string
+ type: array
+ required:
+ - ids
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ agentPolicyId:
+ type: string
+ data:
+ additionalProperties: false
+ type: object
+ properties:
+ integrations:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ integrationPolicyName:
+ type: string
+ name:
+ type: string
+ pkgName:
+ type: string
+ type: array
+ output:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ required:
+ - output
+ monitoring:
+ additionalProperties: false
+ type: object
+ properties:
+ output:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ required:
+ - output
+ required:
+ - monitoring
+ - data
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get outputs for agent policies
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/agent_status:
+ get:
+ operationId: get-fleet-agent-status
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: policyId
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: policyIds
+ required: false
+ schema:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ results:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ type: number
+ all:
+ type: number
+ error:
+ type: number
+ events:
+ type: number
+ inactive:
+ type: number
+ offline:
+ type: number
+ online:
+ type: number
+ other:
+ type: number
+ unenrolled:
+ type: number
+ updating:
+ type: number
+ required:
+ - events
+ - online
+ - error
+ - offline
+ - other
+ - updating
+ - inactive
+ - unenrolled
+ - all
+ - active
+ required:
+ - results
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get an agent status summary
+ tags:
+ - Elastic Agent status
+ x-beta: true
+ /api/fleet/agent_status/data:
+ get:
+ operationId: get-fleet-agent-status-data
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: agentsIds
+ required: true
+ schema:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ - in: query
+ name: pkgName
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: previewData
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ dataPreview:
+ items: {}
+ type: array
+ items:
+ items:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ data:
+ type: boolean
+ required:
+ - data
+ type: object
+ type: array
+ required:
+ - items
+ - dataPreview
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get incoming agent data
+ tags:
+ - Elastic Agents
+ x-beta: true
+ /api/fleet/agents:
+ get:
+ operationId: get-fleet-agents
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ type: number
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ default: 20
+ type: number
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: showInactive
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: withMetrics
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: showUpgradeable
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: getStatusSummary
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: sortField
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ access_api_key:
+ type: string
+ access_api_key_id:
+ type: string
+ active:
+ type: boolean
+ agent:
+ additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - version
+ components:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ type: string
+ units:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ payload:
+ additionalProperties: {}
+ type: object
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ enum:
+ - input
+ - output
+ type: string
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: array
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: array
+ default_api_key:
+ type: string
+ default_api_key_history:
+ items:
+ additionalProperties: false
+ deprecated: true
+ type: object
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: array
+ default_api_key_id:
+ type: string
+ enrolled_at:
+ type: string
+ id:
+ type: string
+ last_checkin:
+ type: string
+ last_checkin_message:
+ type: string
+ last_checkin_status:
+ enum:
+ - error
+ - online
+ - degraded
+ - updating
+ - starting
+ type: string
+ local_metadata:
+ additionalProperties: {}
+ type: object
+ metrics:
+ additionalProperties: false
+ type: object
+ properties:
+ cpu_avg:
+ type: number
+ memory_size_byte_avg:
+ type: number
+ namespaces:
+ items:
+ type: string
+ type: array
+ outputs:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ api_key_id:
+ type: string
+ to_retire_api_key_ids:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: array
+ type:
+ type: string
+ required:
+ - api_key_id
+ - type
+ type: object
+ packages:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ policy_revision:
+ nullable: true
+ type: number
+ sort:
+ items:
+ anyOf:
+ - type: number
+ - type: string
+ - enum: []
+ nullable: true
+ type: array
+ status:
+ enum:
+ - offline
+ - error
+ - online
+ - inactive
+ - enrolling
+ - unenrolling
+ - unenrolled
+ - updating
+ - degraded
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ type:
+ enum:
+ - PERMANENT
+ - EPHEMERAL
+ - TEMPORARY
+ type: string
+ unenrolled_at:
+ type: string
+ unenrollment_started_at:
+ type: string
+ unhealthy_reason:
+ items:
+ enum:
+ - input
+ - output
+ - other
+ type: string
+ nullable: true
+ type: array
+ upgrade_details:
+ additionalProperties: false
+ type: object
+ properties:
+ action_id:
+ type: string
+ metadata:
+ additionalProperties: false
+ type: object
+ properties:
+ download_percent:
+ type: number
+ download_rate:
+ type: number
+ error_msg:
+ type: string
+ failed_state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ retry_error_msg:
+ type: string
+ retry_until:
+ type: string
+ scheduled_at:
+ type: string
+ state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ target_version:
+ type: string
+ required:
+ - target_version
+ - action_id
+ - state
+ upgrade_started_at:
+ nullable: true
+ type: string
+ upgraded_at:
+ nullable: true
+ type: string
+ user_provided_metadata:
+ additionalProperties: {}
+ type: object
+ required:
+ - id
+ - packages
+ - type
+ - active
+ - enrolled_at
+ - local_metadata
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ statusSummary:
+ additionalProperties:
+ type: number
+ type: object
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get agents
+ tags:
+ - Elastic Agents
+ x-beta: true
+ post:
+ operationId: post-fleet-agents
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actionIds:
+ items:
+ type: string
+ type: array
+ required:
+ - actionIds
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ type: string
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get agents by action ids
+ tags:
+ - Elastic Agents
+ x-beta: true
+ /api/fleet/agents/{agentId}:
+ delete:
+ description: Delete an agent by ID.
+ operationId: delete-fleet-agents-agentid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ action:
+ enum:
+ - deleted
+ type: string
+ required:
+ - action
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Delete an agent
+ tags:
+ - Elastic Agents
+ x-beta: true
+ get:
+ description: Get an agent by ID.
+ operationId: get-fleet-agents-agentid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: withMetrics
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ access_api_key:
+ type: string
+ access_api_key_id:
+ type: string
+ active:
+ type: boolean
+ agent:
+ additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - version
+ components:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ type: string
+ units:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ payload:
+ additionalProperties: {}
+ type: object
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ enum:
+ - input
+ - output
+ type: string
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: array
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: array
+ default_api_key:
+ type: string
+ default_api_key_history:
+ items:
+ additionalProperties: false
+ deprecated: true
+ type: object
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: array
+ default_api_key_id:
+ type: string
+ enrolled_at:
+ type: string
+ id:
+ type: string
+ last_checkin:
+ type: string
+ last_checkin_message:
+ type: string
+ last_checkin_status:
+ enum:
+ - error
+ - online
+ - degraded
+ - updating
+ - starting
+ type: string
+ local_metadata:
+ additionalProperties: {}
+ type: object
+ metrics:
+ additionalProperties: false
+ type: object
+ properties:
+ cpu_avg:
+ type: number
+ memory_size_byte_avg:
+ type: number
+ namespaces:
+ items:
+ type: string
+ type: array
+ outputs:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ api_key_id:
+ type: string
+ to_retire_api_key_ids:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: array
+ type:
+ type: string
+ required:
+ - api_key_id
+ - type
+ type: object
+ packages:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ policy_revision:
+ nullable: true
+ type: number
+ sort:
+ items:
+ anyOf:
+ - type: number
+ - type: string
+ - enum: []
+ nullable: true
+ type: array
+ status:
+ enum:
+ - offline
+ - error
+ - online
+ - inactive
+ - enrolling
+ - unenrolling
+ - unenrolled
+ - updating
+ - degraded
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ type:
+ enum:
+ - PERMANENT
+ - EPHEMERAL
+ - TEMPORARY
+ type: string
+ unenrolled_at:
+ type: string
+ unenrollment_started_at:
+ type: string
+ unhealthy_reason:
+ items:
+ enum:
+ - input
+ - output
+ - other
+ type: string
+ nullable: true
+ type: array
+ upgrade_details:
+ additionalProperties: false
+ type: object
+ properties:
+ action_id:
+ type: string
+ metadata:
+ additionalProperties: false
+ type: object
+ properties:
+ download_percent:
+ type: number
+ download_rate:
+ type: number
+ error_msg:
+ type: string
+ failed_state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ retry_error_msg:
+ type: string
+ retry_until:
+ type: string
+ scheduled_at:
+ type: string
+ state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ target_version:
+ type: string
+ required:
+ - target_version
+ - action_id
+ - state
+ upgrade_started_at:
+ nullable: true
+ type: string
+ upgraded_at:
+ nullable: true
+ type: string
+ user_provided_metadata:
+ additionalProperties: {}
+ type: object
+ required:
+ - id
+ - packages
+ - type
+ - active
+ - enrolled_at
+ - local_metadata
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get an agent
+ tags:
+ - Elastic Agents
+ x-beta: true
+ put:
+ description: Update an agent by ID.
+ operationId: put-fleet-agents-agentid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ tags:
+ items:
+ type: string
+ type: array
+ user_provided_metadata:
+ additionalProperties: {}
+ type: object
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ access_api_key:
+ type: string
+ access_api_key_id:
+ type: string
+ active:
+ type: boolean
+ agent:
+ additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - version
+ components:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ type: string
+ units:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ message:
+ type: string
+ payload:
+ additionalProperties: {}
+ type: object
+ status:
+ enum:
+ - STARTING
+ - CONFIGURING
+ - HEALTHY
+ - DEGRADED
+ - FAILED
+ - STOPPING
+ - STOPPED
+ type: string
+ type:
+ enum:
+ - input
+ - output
+ type: string
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: array
+ required:
+ - id
+ - type
+ - status
+ - message
+ type: array
+ default_api_key:
+ type: string
+ default_api_key_history:
+ items:
+ additionalProperties: false
+ deprecated: true
+ type: object
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: array
+ default_api_key_id:
+ type: string
+ enrolled_at:
+ type: string
+ id:
+ type: string
+ last_checkin:
+ type: string
+ last_checkin_message:
+ type: string
+ last_checkin_status:
+ enum:
+ - error
+ - online
+ - degraded
+ - updating
+ - starting
+ type: string
+ local_metadata:
+ additionalProperties: {}
+ type: object
+ metrics:
+ additionalProperties: false
+ type: object
+ properties:
+ cpu_avg:
+ type: number
+ memory_size_byte_avg:
+ type: number
+ namespaces:
+ items:
+ type: string
+ type: array
+ outputs:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ api_key_id:
+ type: string
+ to_retire_api_key_ids:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ retired_at:
+ type: string
+ required:
+ - id
+ - retired_at
+ type: array
+ type:
+ type: string
+ required:
+ - api_key_id
+ - type
+ type: object
+ packages:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ policy_revision:
+ nullable: true
+ type: number
+ sort:
+ items:
+ anyOf:
+ - type: number
+ - type: string
+ - enum: []
+ nullable: true
+ type: array
+ status:
+ enum:
+ - offline
+ - error
+ - online
+ - inactive
+ - enrolling
+ - unenrolling
+ - unenrolled
+ - updating
+ - degraded
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ type:
+ enum:
+ - PERMANENT
+ - EPHEMERAL
+ - TEMPORARY
+ type: string
+ unenrolled_at:
+ type: string
+ unenrollment_started_at:
+ type: string
+ unhealthy_reason:
+ items:
+ enum:
+ - input
+ - output
+ - other
+ type: string
+ nullable: true
+ type: array
+ upgrade_details:
+ additionalProperties: false
+ type: object
+ properties:
+ action_id:
+ type: string
+ metadata:
+ additionalProperties: false
+ type: object
+ properties:
+ download_percent:
+ type: number
+ download_rate:
+ type: number
+ error_msg:
+ type: string
+ failed_state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ retry_error_msg:
+ type: string
+ retry_until:
+ type: string
+ scheduled_at:
+ type: string
+ state:
+ enum:
+ - UPG_REQUESTED
+ - UPG_SCHEDULED
+ - UPG_DOWNLOADING
+ - UPG_EXTRACTING
+ - UPG_REPLACING
+ - UPG_RESTARTING
+ - UPG_FAILED
+ - UPG_WATCHING
+ - UPG_ROLLBACK
+ type: string
+ target_version:
+ type: string
+ required:
+ - target_version
+ - action_id
+ - state
+ upgrade_started_at:
+ nullable: true
+ type: string
+ upgraded_at:
+ nullable: true
+ type: string
+ user_provided_metadata:
+ additionalProperties: {}
+ type: object
+ required:
+ - id
+ - packages
+ - type
+ - active
+ - enrolled_at
+ - local_metadata
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Update an agent
+ tags:
+ - Elastic Agents
+ x-beta: true
+ /api/fleet/agents/{agentId}/actions:
+ post:
+ operationId: post-fleet-agents-agentid-actions
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ action:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ ack_data: {}
+ data: {}
+ type:
+ enum:
+ - UNENROLL
+ - UPGRADE
+ - POLICY_REASSIGN
+ type: string
+ required:
+ - type
+ - data
+ - ack_data
+ - additionalProperties: false
+ type: object
+ properties:
+ data:
+ additionalProperties: false
+ type: object
+ properties:
+ log_level:
+ enum:
+ - debug
+ - info
+ - warning
+ - error
+ nullable: true
+ type: string
+ required:
+ - log_level
+ type:
+ enum:
+ - SETTINGS
+ type: string
+ required:
+ - type
+ - data
+ required:
+ - action
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ ack_data: {}
+ agents:
+ items:
+ type: string
+ type: array
+ created_at:
+ type: string
+ data: {}
+ expiration:
+ type: string
+ id:
+ type: string
+ minimum_execution_duration:
+ type: number
+ namespaces:
+ items:
+ type: string
+ type: array
+ rollout_duration_seconds:
+ type: number
+ sent_at:
+ type: string
+ source_uri:
+ type: string
+ start_time:
+ type: string
+ total:
+ type: number
+ type:
+ type: string
+ required:
+ - id
+ - type
+ - data
+ - created_at
+ - ack_data
+ - agents
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Create an agent action
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/{agentId}/reassign:
+ post:
+ operationId: post-fleet-agents-agentid-reassign
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ policy_id:
+ type: string
+ required:
+ - policy_id
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties: {}
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Reassign an agent
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/{agentId}/request_diagnostics:
+ post:
+ operationId: post-fleet-agents-agentid-request-diagnostics
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ additional_metrics:
+ items:
+ enum:
+ - CPU
+ type: string
+ type: array
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Request agent diagnostics
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/{agentId}/unenroll:
+ post:
+ operationId: post-fleet-agents-agentid-unenroll
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ force:
+ type: boolean
+ revoke:
+ type: boolean
+ responses: {}
+ summary: Unenroll an agent
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/{agentId}/upgrade:
+ post:
+ operationId: post-fleet-agents-agentid-upgrade
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ force:
+ type: boolean
+ skipRateLimitCheck:
+ type: boolean
+ source_uri:
+ type: string
+ version:
+ type: string
+ required:
+ - version
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties: {}
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Upgrade an agent
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/{agentId}/uploads:
+ get:
+ operationId: get-fleet-agents-agentid-uploads
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: agentId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ actionId:
+ type: string
+ createTime:
+ type: string
+ error:
+ type: string
+ filePath:
+ type: string
+ id:
+ type: string
+ name:
+ type: string
+ status:
+ enum:
+ - READY
+ - AWAITING_UPLOAD
+ - DELETED
+ - EXPIRED
+ - IN_PROGRESS
+ - FAILED
+ type: string
+ required:
+ - id
+ - name
+ - filePath
+ - createTime
+ - status
+ - actionId
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get agent uploads
+ tags:
+ - Elastic Agents
+ x-beta: true
+ /api/fleet/agents/action_status:
+ get:
+ operationId: get-fleet-agents-action-status
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: page
+ required: false
+ schema:
+ default: 0
+ type: number
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ default: 20
+ type: number
+ - in: query
+ name: date
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: latest
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: errorSize
+ required: false
+ schema:
+ default: 5
+ type: number
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ actionId:
+ type: string
+ cancellationTime:
+ type: string
+ completionTime:
+ type: string
+ creationTime:
+ description: creation time of action
+ type: string
+ expiration:
+ type: string
+ hasRolloutPeriod:
+ type: boolean
+ latestErrors:
+ items:
+ additionalProperties: false
+ description: latest errors that happened when the agents executed the action
+ type: object
+ properties:
+ agentId:
+ type: string
+ error:
+ type: string
+ hostname:
+ type: string
+ timestamp:
+ type: string
+ required:
+ - agentId
+ - error
+ - timestamp
+ type: array
+ nbAgentsAck:
+ description: number of agents that acknowledged the action
+ type: number
+ nbAgentsActionCreated:
+ description: number of agents included in action from kibana
+ type: number
+ nbAgentsActioned:
+ description: number of agents actioned
+ type: number
+ nbAgentsFailed:
+ description: number of agents that failed to execute the action
+ type: number
+ newPolicyId:
+ description: new policy id (POLICY_REASSIGN action)
+ type: string
+ policyId:
+ description: policy id (POLICY_CHANGE action)
+ type: string
+ revision:
+ description: new policy revision (POLICY_CHANGE action)
+ type: number
+ startTime:
+ description: start time of action (scheduled actions)
+ type: string
+ status:
+ enum:
+ - COMPLETE
+ - EXPIRED
+ - CANCELLED
+ - FAILED
+ - IN_PROGRESS
+ - ROLLOUT_PASSED
+ type: string
+ type:
+ enum:
+ - UPGRADE
+ - UNENROLL
+ - SETTINGS
+ - POLICY_REASSIGN
+ - CANCEL
+ - FORCE_UNENROLL
+ - REQUEST_DIAGNOSTICS
+ - UPDATE_TAGS
+ - POLICY_CHANGE
+ - INPUT_ACTION
+ type: string
+ version:
+ description: agent version number (UPGRADE action)
+ type: string
+ required:
+ - actionId
+ - nbAgentsActionCreated
+ - nbAgentsAck
+ - nbAgentsFailed
+ - type
+ - nbAgentsActioned
+ - status
+ - creationTime
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get an agent action status
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/actions/{actionId}/cancel:
+ post:
+ operationId: post-fleet-agents-actions-actionid-cancel
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: actionId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ ack_data: {}
+ agents:
+ items:
+ type: string
+ type: array
+ created_at:
+ type: string
+ data: {}
+ expiration:
+ type: string
+ id:
+ type: string
+ minimum_execution_duration:
+ type: number
+ namespaces:
+ items:
+ type: string
+ type: array
+ rollout_duration_seconds:
+ type: number
+ sent_at:
+ type: string
+ source_uri:
+ type: string
+ start_time:
+ type: string
+ total:
+ type: number
+ type:
+ type: string
+ required:
+ - id
+ - type
+ - data
+ - created_at
+ - ack_data
+ - agents
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Cancel an agent action
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/available_versions:
+ get:
+ operationId: get-fleet-agents-available-versions
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ type: string
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get available agent versions
+ tags:
+ - Elastic Agents
+ x-beta: true
+ /api/fleet/agents/bulk_reassign:
+ post:
+ operationId: post-fleet-agents-bulk-reassign
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ agents:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ batchSize:
+ type: number
+ includeInactive:
+ default: false
+ type: boolean
+ policy_id:
+ type: string
+ required:
+ - policy_id
+ - agents
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Bulk reassign agents
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/bulk_request_diagnostics:
+ post:
+ operationId: post-fleet-agents-bulk-request-diagnostics
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ additional_metrics:
+ items:
+ enum:
+ - CPU
+ type: string
+ type: array
+ agents:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ batchSize:
+ type: number
+ required:
+ - agents
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Bulk request diagnostics from agents
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/bulk_unenroll:
+ post:
+ operationId: post-fleet-agents-bulk-unenroll
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ agents:
+ anyOf:
+ - items:
+ description: KQL query string, leave empty to action all agents
+ type: string
+ type: array
+ - description: list of agent IDs
+ type: string
+ batchSize:
+ type: number
+ force:
+ description: Unenrolls hosted agents too
+ type: boolean
+ includeInactive:
+ description: When passing agents by KQL query, unenrolls inactive agents too
+ type: boolean
+ revoke:
+ description: Revokes API keys of agents
+ type: boolean
+ required:
+ - agents
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Bulk unenroll agents
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/bulk_update_agent_tags:
+ post:
+ operationId: post-fleet-agents-bulk-update-agent-tags
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ agents:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ batchSize:
+ type: number
+ includeInactive:
+ default: false
+ type: boolean
+ tagsToAdd:
+ items:
+ type: string
+ type: array
+ tagsToRemove:
+ items:
+ type: string
+ type: array
+ required:
+ - agents
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Bulk update agent tags
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/bulk_upgrade:
+ post:
+ operationId: post-fleet-agents-bulk-upgrade
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ agents:
+ anyOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ batchSize:
+ type: number
+ force:
+ type: boolean
+ includeInactive:
+ default: false
+ type: boolean
+ rollout_duration_seconds:
+ minimum: 600
+ type: number
+ skipRateLimitCheck:
+ type: boolean
+ source_uri:
+ type: string
+ start_time:
+ type: string
+ version:
+ type: string
+ required:
+ - agents
+ - version
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ actionId:
+ type: string
+ required:
+ - actionId
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Bulk upgrade agents
+ tags:
+ - Elastic Agent actions
+ x-beta: true
+ /api/fleet/agents/files/{fileId}:
+ delete:
+ description: Delete a file uploaded by an agent.
+ operationId: delete-fleet-agents-files-fileid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: fileId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ deleted:
+ type: boolean
+ id:
+ type: string
+ required:
+ - id
+ - deleted
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Delete an uploaded file
+ tags:
+ - Elastic Agents
+ x-beta: true
+ /api/fleet/agents/files/{fileId}/{fileName}:
+ get:
+ description: Get a file uploaded by an agent.
+ operationId: get-fleet-agents-files-fileid-filename
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: fileId
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: fileName
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get an uploaded file
+ tags:
+ - Elastic Agents
+ x-beta: true
+ /api/fleet/agents/setup:
+ get:
+ operationId: get-fleet-agents-setup
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: A summary of the agent setup status. `isReady` indicates whether the setup is ready. If the setup is not ready, `missing_requirements` lists which requirements are missing.
+ type: object
+ properties:
+ is_secrets_storage_enabled:
+ type: boolean
+ is_space_awareness_enabled:
+ type: boolean
+ isReady:
+ type: boolean
+ missing_optional_features:
+ items:
+ enum:
+ - encrypted_saved_object_encryption_key_required
+ type: string
+ type: array
+ missing_requirements:
+ items:
+ enum:
+ - security_required
+ - tls_required
+ - api_keys
+ - fleet_admin_user
+ - fleet_server
+ type: string
+ type: array
+ package_verification_key_id:
+ type: string
+ required:
+ - isReady
+ - missing_requirements
+ - missing_optional_features
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get agent setup info
+ tags:
+ - Elastic Agents
+ x-beta: true
+ post:
+ operationId: post-fleet-agents-setup
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.
+ type: object
+ properties:
+ isInitialized:
+ type: boolean
+ nonFatalErrors:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - message
+ type: array
+ required:
+ - isInitialized
+ - nonFatalErrors
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Initiate agent setup
+ tags:
+ - Elastic Agents
+ x-beta: true
+ /api/fleet/agents/tags:
+ get:
+ operationId: get-fleet-agents-tags
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: showInactive
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ type: string
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get agent tags
+ tags:
+ - Elastic Agents
+ x-beta: true
+ /api/fleet/check-permissions:
+ get:
+ operationId: get-fleet-check-permissions
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: fleetServerSetup
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ error:
+ enum:
+ - MISSING_SECURITY
+ - MISSING_PRIVILEGES
+ - MISSING_FLEET_SERVER_SETUP_PRIVILEGES
+ type: string
+ success:
+ type: boolean
+ required:
+ - success
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Check permissions
+ tags:
+ - Fleet internals
+ x-beta: true
+ /api/fleet/data_streams:
+ get:
+ operationId: get-fleet-data-streams
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ data_streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ dashboards:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ title:
+ type: string
+ required:
+ - id
+ - title
+ type: array
+ dataset:
+ type: string
+ index:
+ type: string
+ last_activity_ms:
+ type: number
+ namespace:
+ type: string
+ package:
+ type: string
+ package_version:
+ type: string
+ serviceDetails:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ environment:
+ type: string
+ serviceName:
+ type: string
+ required:
+ - environment
+ - serviceName
+ size_in_bytes:
+ type: number
+ size_in_bytes_formatted:
+ anyOf:
+ - type: number
+ - type: string
+ type:
+ type: string
+ required:
+ - index
+ - dataset
+ - namespace
+ - type
+ - package
+ - package_version
+ - last_activity_ms
+ - size_in_bytes
+ - size_in_bytes_formatted
+ - dashboards
+ - serviceDetails
+ type: array
+ required:
+ - data_streams
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get data streams
+ tags:
+ - Data streams
+ x-beta: true
+ /api/fleet/enrollment_api_keys:
+ get:
+ operationId: get-fleet-enrollment-api-keys
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ type: number
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ default: 20
+ type: number
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
+ type: boolean
+ api_key:
+ description: The enrollment API key (token) used for enrolling Elastic Agents.
+ type: string
+ api_key_id:
+ description: The ID of the API key in the Security API.
+ type: string
+ created_at:
+ type: string
+ id:
+ type: string
+ name:
+ description: The name of the enrollment API key.
+ type: string
+ policy_id:
+ description: The ID of the agent policy the Elastic Agent will be enrolled in.
+ type: string
+ required:
+ - id
+ - api_key_id
+ - api_key
+ - active
+ - created_at
+ type: array
+ list:
+ deprecated: true
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
+ type: boolean
+ api_key:
+ description: The enrollment API key (token) used for enrolling Elastic Agents.
+ type: string
+ api_key_id:
+ description: The ID of the API key in the Security API.
+ type: string
+ created_at:
+ type: string
+ id:
+ type: string
+ name:
+ description: The name of the enrollment API key.
+ type: string
+ policy_id:
+ description: The ID of the agent policy the Elastic Agent will be enrolled in.
+ type: string
+ required:
+ - id
+ - api_key_id
+ - api_key
+ - active
+ - created_at
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ - list
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get enrollment API keys
+ tags:
+ - Fleet enrollment API keys
+ x-beta: true
+ post:
+ operationId: post-fleet-enrollment-api-keys
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ expiration:
+ type: string
+ name:
+ type: string
+ policy_id:
+ type: string
+ required:
+ - policy_id
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ action:
+ enum:
+ - created
+ type: string
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
+ type: boolean
+ api_key:
+ description: The enrollment API key (token) used for enrolling Elastic Agents.
+ type: string
+ api_key_id:
+ description: The ID of the API key in the Security API.
+ type: string
+ created_at:
+ type: string
+ id:
+ type: string
+ name:
+ description: The name of the enrollment API key.
+ type: string
+ policy_id:
+ description: The ID of the agent policy the Elastic Agent will be enrolled in.
+ type: string
+ required:
+ - id
+ - api_key_id
+ - api_key
+ - active
+ - created_at
+ required:
+ - item
+ - action
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Create an enrollment API key
+ tags:
+ - Fleet enrollment API keys
+ x-beta: true
+ /api/fleet/enrollment_api_keys/{keyId}:
+ delete:
+ description: Revoke an enrollment API key by ID by marking it as inactive.
+ operationId: delete-fleet-enrollment-api-keys-keyid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: keyId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ action:
+ enum:
+ - deleted
+ type: string
+ required:
+ - action
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Revoke an enrollment API key
+ tags:
+ - Fleet enrollment API keys
+ x-beta: true
+ get:
+ description: Get an enrollment API key by ID.
+ operationId: get-fleet-enrollment-api-keys-keyid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: keyId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ active:
+ description: When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.
+ type: boolean
+ api_key:
+ description: The enrollment API key (token) used for enrolling Elastic Agents.
+ type: string
+ api_key_id:
+ description: The ID of the API key in the Security API.
+ type: string
+ created_at:
+ type: string
+ id:
+ type: string
+ name:
+ description: The name of the enrollment API key.
+ type: string
+ policy_id:
+ description: The ID of the agent policy the Elastic Agent will be enrolled in.
+ type: string
+ required:
+ - id
+ - api_key_id
+ - api_key
+ - active
+ - created_at
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get an enrollment API key
+ tags:
+ - Fleet enrollment API keys
+ x-beta: true
+ /api/fleet/epm/bulk_assets:
+ post:
+ operationId: post-fleet-epm-bulk-assets
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ assetIds:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ type:
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ required:
+ - assetIds
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ appLink:
+ type: string
+ attributes:
+ additionalProperties: false
+ type: object
+ properties:
+ description:
+ type: string
+ service:
+ type: string
+ title:
+ type: string
+ id:
+ type: string
+ type:
+ type: string
+ updatedAt:
+ type: string
+ required:
+ - id
+ - type
+ - attributes
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Bulk get assets
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/categories:
+ get:
+ operationId: get-fleet-epm-categories
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: include_policy_templates
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ count:
+ type: number
+ id:
+ type: string
+ parent_id:
+ type: string
+ parent_title:
+ type: string
+ title:
+ type: string
+ required:
+ - id
+ - title
+ - count
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get package categories
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/custom_integrations:
+ post:
+ operationId: post-fleet-epm-custom-integrations
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ datasets:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ type:
+ enum:
+ - logs
+ - metrics
+ - traces
+ - synthetics
+ - profiling
+ type: string
+ required:
+ - name
+ - type
+ type: array
+ force:
+ type: boolean
+ integrationName:
+ type: string
+ required:
+ - integrationName
+ - datasets
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ _meta:
+ additionalProperties: false
+ type: object
+ properties:
+ install_source:
+ type: string
+ required:
+ - install_source
+ items:
+ items:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ - additionalProperties: false
+ type: object
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ required:
+ - items
+ - _meta
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Create a custom integration
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/data_streams:
+ get:
+ operationId: get-fleet-epm-data-streams
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: type
+ required: false
+ schema:
+ enum:
+ - logs
+ - metrics
+ - traces
+ - synthetics
+ - profiling
+ type: string
+ - in: query
+ name: datasetQuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ default: asc
+ enum:
+ - asc
+ - desc
+ type: string
+ - in: query
+ name: uncategorisedOnly
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get data streams
+ tags:
+ - Data streams
+ x-beta: true
+ /api/fleet/epm/packages:
+ get:
+ operationId: get-fleet-epm-packages
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: category
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: excludeInstallStatus
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ categories:
+ items:
+ type: string
+ type: array
+ conditions:
+ additionalProperties: true
+ type: object
+ properties:
+ elastic:
+ additionalProperties: true
+ type: object
+ properties:
+ capabilities:
+ items:
+ type: string
+ type: array
+ subscription:
+ type: string
+ kibana:
+ additionalProperties: true
+ type: object
+ properties:
+ version:
+ type: string
+ data_streams:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ description:
+ type: string
+ discovery:
+ additionalProperties: true
+ type: object
+ properties:
+ fields:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: array
+ download:
+ type: string
+ format_version:
+ type: string
+ icons:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: array
+ id:
+ type: string
+ installationInfo:
+ additionalProperties: true
+ type: object
+ properties:
+ additional_spaces_installed_kibana:
+ additionalProperties:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ type: object
+ created_at:
+ type: string
+ experimental_data_stream_features:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: true
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ install_format_schema_version:
+ type: string
+ install_source:
+ enum:
+ - registry
+ - upload
+ - bundled
+ - custom
+ type: string
+ install_status:
+ enum:
+ - installed
+ - installing
+ - install_failed
+ type: string
+ installed_es:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ installed_kibana:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ installed_kibana_space_id:
+ type: string
+ latest_executed_state:
+ additionalProperties: true
+ type: object
+ properties:
+ error:
+ type: string
+ name:
+ type: string
+ started_at:
+ type: string
+ required:
+ - name
+ - started_at
+ latest_install_failed_attempts:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ created_at:
+ type: string
+ error:
+ additionalProperties: true
+ type: object
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ stack:
+ type: string
+ required:
+ - name
+ - message
+ target_version:
+ type: string
+ required:
+ - created_at
+ - target_version
+ - error
+ type: array
+ name:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ updated_at:
+ type: string
+ verification_key_id:
+ nullable: true
+ type: string
+ verification_status:
+ enum:
+ - unverified
+ - verified
+ - unknown
+ type: string
+ version:
+ type: string
+ required:
+ - type
+ - installed_kibana
+ - installed_es
+ - name
+ - version
+ - install_status
+ - install_source
+ - verification_status
+ integration:
+ type: string
+ internal:
+ type: boolean
+ latestVersion:
+ type: string
+ name:
+ type: string
+ owner:
+ additionalProperties: true
+ type: object
+ properties:
+ github:
+ type: string
+ type:
+ enum:
+ - elastic
+ - partner
+ - community
+ type: string
+ path:
+ type: string
+ policy_templates:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ readme:
+ type: string
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ signature_path:
+ type: string
+ source:
+ additionalProperties: true
+ type: object
+ properties:
+ license:
+ type: string
+ required:
+ - license
+ status:
+ type: string
+ title:
+ type: string
+ type:
+ enum:
+ - integration
+ - input
+ - content
+ type: string
+ vars:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ version:
+ type: string
+ required:
+ - name
+ - version
+ - title
+ - id
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get packages
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ post:
+ operationId: post-fleet-epm-packages
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: query
+ name: ignoreMappingUpdateErrors
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: skipDataStreamRollover
+ required: false
+ schema:
+ default: false
+ type: boolean
+ requestBody:
+ content:
+ application/gzip; application/zip; Elastic-Api-Version=2023-10-31:
+ schema:
+ format: binary
+ type: string
+ responses:
+ '200':
+ content:
+ application/gzip; application/zip; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ _meta:
+ additionalProperties: false
+ type: object
+ properties:
+ install_source:
+ type: string
+ required:
+ - install_source
+ items:
+ items:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ - additionalProperties: false
+ type: object
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ required:
+ - items
+ - _meta
+ '400':
+ content:
+ application/gzip; application/zip; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Install a package by upload
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/packages/_bulk:
+ post:
+ operationId: post-fleet-epm-packages-bulk
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ force:
+ default: false
+ type: boolean
+ packages:
+ items:
+ anyOf:
+ - type: string
+ - additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ prerelease:
+ type: boolean
+ version:
+ type: string
+ required:
+ - name
+ - version
+ minItems: 1
+ type: array
+ required:
+ - packages
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ result:
+ additionalProperties: false
+ type: object
+ properties:
+ assets:
+ items:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ - additionalProperties: false
+ type: object
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ error: {}
+ installSource:
+ type: string
+ installType:
+ type: string
+ status:
+ enum:
+ - installed
+ - already_installed
+ type: string
+ required:
+ - error
+ - installType
+ version:
+ type: string
+ required:
+ - name
+ - version
+ - result
+ - additionalProperties: false
+ type: object
+ properties:
+ error:
+ anyOf:
+ - type: string
+ - {}
+ name:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - name
+ - statusCode
+ - error
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Bulk install packages
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/packages/{pkgName}/{pkgVersion}:
+ delete:
+ operationId: delete-fleet-epm-packages-pkgname-pkgversion
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: force
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ - additionalProperties: false
+ type: object
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Delete a package
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ get:
+ operationId: get-fleet-epm-packages-pkgname-pkgversion
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: ignoreUnverified
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: full
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: withMetadata
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: true
+ type: object
+ properties:
+ agent:
+ additionalProperties: false
+ type: object
+ properties:
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ root:
+ type: boolean
+ asset_tags:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ asset_ids:
+ items:
+ type: string
+ type: array
+ asset_types:
+ items:
+ type: string
+ type: array
+ text:
+ type: string
+ required:
+ - text
+ type: array
+ assets:
+ additionalProperties: {}
+ type: object
+ categories:
+ items:
+ type: string
+ type: array
+ conditions:
+ additionalProperties: true
+ type: object
+ properties:
+ elastic:
+ additionalProperties: true
+ type: object
+ properties:
+ capabilities:
+ items:
+ type: string
+ type: array
+ subscription:
+ type: string
+ kibana:
+ additionalProperties: true
+ type: object
+ properties:
+ version:
+ type: string
+ data_streams:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ description:
+ type: string
+ discovery:
+ additionalProperties: true
+ type: object
+ properties:
+ fields:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: array
+ download:
+ type: string
+ elasticsearch:
+ additionalProperties: {}
+ type: object
+ format_version:
+ type: string
+ icons:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: array
+ installationInfo:
+ additionalProperties: true
+ type: object
+ properties:
+ additional_spaces_installed_kibana:
+ additionalProperties:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ type: object
+ created_at:
+ type: string
+ experimental_data_stream_features:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: true
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ install_format_schema_version:
+ type: string
+ install_source:
+ enum:
+ - registry
+ - upload
+ - bundled
+ - custom
+ type: string
+ install_status:
+ enum:
+ - installed
+ - installing
+ - install_failed
+ type: string
+ installed_es:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ installed_kibana:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ installed_kibana_space_id:
+ type: string
+ latest_executed_state:
+ additionalProperties: true
+ type: object
+ properties:
+ error:
+ type: string
+ name:
+ type: string
+ started_at:
+ type: string
+ required:
+ - name
+ - started_at
+ latest_install_failed_attempts:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ created_at:
+ type: string
+ error:
+ additionalProperties: true
+ type: object
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ stack:
+ type: string
+ required:
+ - name
+ - message
+ target_version:
+ type: string
+ required:
+ - created_at
+ - target_version
+ - error
+ type: array
+ name:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ updated_at:
+ type: string
+ verification_key_id:
+ nullable: true
+ type: string
+ verification_status:
+ enum:
+ - unverified
+ - verified
+ - unknown
+ type: string
+ version:
+ type: string
+ required:
+ - type
+ - installed_kibana
+ - installed_es
+ - name
+ - version
+ - install_status
+ - install_source
+ - verification_status
+ internal:
+ type: boolean
+ keepPoliciesUpToDate:
+ type: boolean
+ latestVersion:
+ type: string
+ license:
+ type: string
+ licensePath:
+ type: string
+ name:
+ type: string
+ notice:
+ type: string
+ owner:
+ additionalProperties: true
+ type: object
+ properties:
+ github:
+ type: string
+ type:
+ enum:
+ - elastic
+ - partner
+ - community
+ type: string
+ path:
+ type: string
+ policy_templates:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ readme:
+ type: string
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ screenshots:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: array
+ signature_path:
+ type: string
+ source:
+ additionalProperties: true
+ type: object
+ properties:
+ license:
+ type: string
+ required:
+ - license
+ status:
+ type: string
+ title:
+ type: string
+ type:
+ enum:
+ - integration
+ - input
+ - content
+ type: string
+ vars:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ version:
+ type: string
+ required:
+ - name
+ - version
+ - title
+ - assets
+ metadata:
+ additionalProperties: false
+ type: object
+ properties:
+ has_policies:
+ type: boolean
+ required:
+ - has_policies
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get a package
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ post:
+ operationId: post-fleet-epm-packages-pkgname-pkgversion
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: ignoreMappingUpdateErrors
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: skipDataStreamRollover
+ required: false
+ schema:
+ default: false
+ type: boolean
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ force:
+ default: false
+ type: boolean
+ ignore_constraints:
+ default: false
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ _meta:
+ additionalProperties: false
+ type: object
+ properties:
+ install_source:
+ type: string
+ required:
+ - install_source
+ items:
+ items:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ - additionalProperties: false
+ type: object
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ required:
+ - items
+ - _meta
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Install a package from the registry
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ put:
+ operationId: put-fleet-epm-packages-pkgname-pkgversion
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: false
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ keepPoliciesUpToDate:
+ type: boolean
+ required:
+ - keepPoliciesUpToDate
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: true
+ type: object
+ properties:
+ agent:
+ additionalProperties: false
+ type: object
+ properties:
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ root:
+ type: boolean
+ asset_tags:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ asset_ids:
+ items:
+ type: string
+ type: array
+ asset_types:
+ items:
+ type: string
+ type: array
+ text:
+ type: string
+ required:
+ - text
+ type: array
+ assets:
+ additionalProperties: {}
+ type: object
+ categories:
+ items:
+ type: string
+ type: array
+ conditions:
+ additionalProperties: true
+ type: object
+ properties:
+ elastic:
+ additionalProperties: true
+ type: object
+ properties:
+ capabilities:
+ items:
+ type: string
+ type: array
+ subscription:
+ type: string
+ kibana:
+ additionalProperties: true
+ type: object
+ properties:
+ version:
+ type: string
+ data_streams:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ description:
+ type: string
+ discovery:
+ additionalProperties: true
+ type: object
+ properties:
+ fields:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ name:
+ type: string
+ required:
+ - name
+ type: array
+ download:
+ type: string
+ elasticsearch:
+ additionalProperties: {}
+ type: object
+ format_version:
+ type: string
+ icons:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: array
+ installationInfo:
+ additionalProperties: true
+ type: object
+ properties:
+ additional_spaces_installed_kibana:
+ additionalProperties:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ type: object
+ created_at:
+ type: string
+ experimental_data_stream_features:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: true
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ install_format_schema_version:
+ type: string
+ install_source:
+ enum:
+ - registry
+ - upload
+ - bundled
+ - custom
+ type: string
+ install_status:
+ enum:
+ - installed
+ - installing
+ - install_failed
+ type: string
+ installed_es:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ deferred:
+ type: boolean
+ id:
+ type: string
+ type:
+ enum:
+ - index
+ - index_template
+ - component_template
+ - ingest_pipeline
+ - ilm_policy
+ - data_stream_ilm_policy
+ - transform
+ - ml_model
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ installed_kibana:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ originId:
+ type: string
+ type:
+ enum:
+ - dashboard
+ - lens
+ - visualization
+ - search
+ - index-pattern
+ - map
+ - ml-module
+ - security-rule
+ - csp-rule-template
+ - osquery-pack-asset
+ - osquery-saved-query
+ - tag
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ installed_kibana_space_id:
+ type: string
+ latest_executed_state:
+ additionalProperties: true
+ type: object
+ properties:
+ error:
+ type: string
+ name:
+ type: string
+ started_at:
+ type: string
+ required:
+ - name
+ - started_at
+ latest_install_failed_attempts:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ created_at:
+ type: string
+ error:
+ additionalProperties: true
+ type: object
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ stack:
+ type: string
+ required:
+ - name
+ - message
+ target_version:
+ type: string
+ required:
+ - created_at
+ - target_version
+ - error
+ type: array
+ name:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ updated_at:
+ type: string
+ verification_key_id:
+ nullable: true
+ type: string
+ verification_status:
+ enum:
+ - unverified
+ - verified
+ - unknown
+ type: string
+ version:
+ type: string
+ required:
+ - type
+ - installed_kibana
+ - installed_es
+ - name
+ - version
+ - install_status
+ - install_source
+ - verification_status
+ internal:
+ type: boolean
+ keepPoliciesUpToDate:
+ type: boolean
+ latestVersion:
+ type: string
+ license:
+ type: string
+ licensePath:
+ type: string
+ name:
+ type: string
+ notice:
+ type: string
+ owner:
+ additionalProperties: true
+ type: object
+ properties:
+ github:
+ type: string
+ type:
+ enum:
+ - elastic
+ - partner
+ - community
+ type: string
+ path:
+ type: string
+ policy_templates:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ readme:
+ type: string
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ screenshots:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: array
+ signature_path:
+ type: string
+ source:
+ additionalProperties: true
+ type: object
+ properties:
+ license:
+ type: string
+ required:
+ - license
+ status:
+ type: string
+ title:
+ type: string
+ type:
+ enum:
+ - integration
+ - input
+ - content
+ type: string
+ vars:
+ items:
+ additionalProperties: {}
+ type: object
+ type: array
+ version:
+ type: string
+ required:
+ - name
+ - version
+ - title
+ - assets
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Update package settings
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}:
+ get:
+ operationId: get-fleet-epm-packages-pkgname-pkgversion-filepath
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: filePath
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema: {}
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get a package file
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize:
+ post:
+ operationId: post-fleet-epm-packages-pkgname-pkgversion-transforms-authorize
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ transforms:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ transformId:
+ type: string
+ required:
+ - transformId
+ type: array
+ required:
+ - transforms
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ error:
+ nullable: true
+ success:
+ type: boolean
+ transformId:
+ type: string
+ required:
+ - transformId
+ - success
+ - error
+ type: array
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Authorize transforms
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/packages/{pkgName}/stats:
+ get:
+ operationId: get-fleet-epm-packages-pkgname-stats
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ response:
+ additionalProperties: false
+ type: object
+ properties:
+ agent_policy_count:
+ type: number
+ required:
+ - agent_policy_count
+ required:
+ - response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get package stats
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/packages/installed:
+ get:
+ operationId: get-fleet-epm-packages-installed
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: dataStreamType
+ required: false
+ schema:
+ enum:
+ - logs
+ - metrics
+ - traces
+ - synthetics
+ - profiling
+ type: string
+ - in: query
+ name: showOnlyActiveDataStreams
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: nameQuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: searchAfter
+ required: false
+ schema:
+ items:
+ anyOf:
+ - type: string
+ - type: number
+ type: array
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ default: 15
+ type: number
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ default: asc
+ enum:
+ - asc
+ - desc
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ dataStreams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ title:
+ type: string
+ required:
+ - name
+ - title
+ type: array
+ description:
+ type: string
+ icons:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ dark_mode:
+ type: boolean
+ path:
+ type: string
+ size:
+ type: string
+ src:
+ type: string
+ title:
+ type: string
+ type:
+ type: string
+ required:
+ - src
+ type: array
+ name:
+ type: string
+ status:
+ type: string
+ title:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ - version
+ - status
+ - dataStreams
+ type: array
+ searchAfter:
+ items:
+ anyOf:
+ - type: string
+ - type: number
+ - type: boolean
+ - enum: []
+ nullable: true
+ - {}
+ type: array
+ total:
+ type: number
+ required:
+ - items
+ - total
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get installed packages
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/packages/limited:
+ get:
+ operationId: get-fleet-epm-packages-limited
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ type: string
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get a limited package list
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs:
+ get:
+ operationId: get-fleet-epm-templates-pkgname-pkgversion-inputs
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: pkgName
+ required: true
+ schema:
+ type: string
+ - in: path
+ name: pkgVersion
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ default: json
+ enum:
+ - json
+ - yml
+ - yaml
+ type: string
+ - in: query
+ name: prerelease
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: ignoreUnverified
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ anyOf:
+ - type: string
+ - additionalProperties: false
+ type: object
+ properties:
+ inputs:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ streams:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ data_stream:
+ additionalProperties: true
+ type: object
+ properties:
+ dataset:
+ type: string
+ type:
+ type: string
+ required:
+ - dataset
+ id:
+ type: string
+ required:
+ - id
+ - data_stream
+ type: array
+ type:
+ type: string
+ required:
+ - id
+ - type
+ type: array
+ required:
+ - inputs
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get an inputs template
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/epm/verification_key_id:
+ get:
+ operationId: get-fleet-epm-verification-key-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ nullable: true
+ type: string
+ required:
+ - id
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get a package signature verification key ID
+ tags:
+ - Elastic Package Manager (EPM)
+ x-beta: true
+ /api/fleet/fleet_server_hosts:
+ get:
+ operationId: get-fleet-fleet-server-hosts
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ host_urls:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ required:
+ - id
+ - name
+ - host_urls
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get Fleet Server hosts
+ tags:
+ - Fleet Server hosts
+ x-beta: true
+ post:
+ operationId: post-fleet-fleet-server-hosts
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ host_urls:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ required:
+ - name
+ - host_urls
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ host_urls:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ required:
+ - id
+ - name
+ - host_urls
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Create a Fleet Server host
+ tags:
+ - Fleet Server hosts
+ x-beta: true
+ /api/fleet/fleet_server_hosts/{itemId}:
+ delete:
+ description: Delete a Fleet Server host by ID.
+ operationId: delete-fleet-fleet-server-hosts-itemid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Delete a Fleet Server host
+ tags:
+ - Fleet Server hosts
+ x-beta: true
+ get:
+ description: Get a Fleet Server host by ID.
+ operationId: get-fleet-fleet-server-hosts-itemid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ host_urls:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ required:
+ - id
+ - name
+ - host_urls
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get a Fleet Server host
+ tags:
+ - Fleet Server hosts
+ x-beta: true
+ put:
+ description: Update a Fleet Server host by ID.
+ operationId: put-fleet-fleet-server-hosts-itemid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ host_urls:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ is_default:
+ type: boolean
+ is_internal:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ required:
+ - proxy_id
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ host_urls:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ required:
+ - id
+ - name
+ - host_urls
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Update a Fleet Server host
+ tags:
+ - Fleet Server hosts
+ x-beta: true
+ /api/fleet/health_check:
+ post:
+ operationId: post-fleet-health-check
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ host_id:
+ type: string
+ name:
+ type: string
+ status:
+ type: string
+ required:
+ - status
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Check Fleet Server health
+ tags:
+ - Fleet internals
+ x-beta: true
+ /api/fleet/kubernetes:
+ get:
+ operationId: get-fleet-kubernetes
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: download
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: fleetServer
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: enrolToken
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ type: string
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get a full K8s agent manifest
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/kubernetes/download:
+ get:
+ operationId: get-fleet-kubernetes-download
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: download
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: fleetServer
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: enrolToken
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: string
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Download an agent manifest
+ tags:
+ - Elastic Agent policies
+ x-beta: true
+ /api/fleet/logstash_api_keys:
+ post:
+ operationId: post-fleet-logstash-api-keys
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ api_key:
+ type: string
+ required:
+ - api_key
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Generate a Logstash API key
+ tags:
+ - Fleet outputs
+ x-beta: true
+ /api/fleet/message_signing_service/rotate_key_pair:
+ post:
+ operationId: post-fleet-message-signing-service-rotate-key-pair
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: query
+ name: acknowledge
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Rotate a Fleet message signing key pair
+ tags:
+ - Message Signing Service
+ x-beta: true
+ /api/fleet/outputs:
+ get:
+ operationId: get-fleet-outputs
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - elasticsearch
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ service_token:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ service_token:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - remote_elasticsearch
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ ssl:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - logstash
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ auth_type:
+ enum:
+ - none
+ - user_pass
+ - ssl
+ - kerberos
+ type: string
+ broker_timeout:
+ type: number
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ client_id:
+ type: string
+ compression:
+ enum:
+ - gzip
+ - snappy
+ - lz4
+ - none
+ type: string
+ compression_level:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: number
+ - not: {}
+ config_yaml:
+ nullable: true
+ type: string
+ connection_type:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - enum:
+ - plaintext
+ - encryption
+ type: string
+ - not: {}
+ hash:
+ additionalProperties: true
+ type: object
+ properties:
+ hash:
+ type: string
+ random:
+ type: boolean
+ headers:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: array
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ key:
+ type: string
+ name:
+ type: string
+ partition:
+ enum:
+ - random
+ - round_robin
+ - hash
+ type: string
+ password:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - not: {}
+ - anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ proxy_id:
+ nullable: true
+ type: string
+ random:
+ additionalProperties: true
+ type: object
+ properties:
+ group_events:
+ type: number
+ required_acks:
+ enum:
+ - 1
+ - 0
+ - -1
+ type: integer
+ round_robin:
+ additionalProperties: true
+ type: object
+ properties:
+ group_events:
+ type: number
+ sasl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ mechanism:
+ enum:
+ - PLAIN
+ - SCRAM-SHA-256
+ - SCRAM-SHA-512
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ password:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ ssl:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ required:
+ - key
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ timeout:
+ type: number
+ topic:
+ type: string
+ type:
+ enum:
+ - kafka
+ type: string
+ username:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ version:
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - compression_level
+ - auth_type
+ - connection_type
+ - username
+ - password
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get outputs
+ tags:
+ - Fleet outputs
+ x-beta: true
+ post:
+ operationId: post-fleet-outputs
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - elasticsearch
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: false
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: false
+ type: object
+ properties:
+ service_token:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ service_token:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - remote_elasticsearch
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: false
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: false
+ type: object
+ properties:
+ ssl:
+ additionalProperties: false
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ shipper:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - logstash
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: false
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ auth_type:
+ enum:
+ - none
+ - user_pass
+ - ssl
+ - kerberos
+ type: string
+ broker_timeout:
+ type: number
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ client_id:
+ type: string
+ compression:
+ enum:
+ - gzip
+ - snappy
+ - lz4
+ - none
+ type: string
+ compression_level:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: number
+ - not: {}
+ config_yaml:
+ nullable: true
+ type: string
+ connection_type:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - enum:
+ - plaintext
+ - encryption
+ type: string
+ - not: {}
+ hash:
+ additionalProperties: false
+ type: object
+ properties:
+ hash:
+ type: string
+ random:
+ type: boolean
+ headers:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: array
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ key:
+ type: string
+ name:
+ type: string
+ partition:
+ enum:
+ - random
+ - round_robin
+ - hash
+ type: string
+ password:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - not: {}
+ - anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ proxy_id:
+ nullable: true
+ type: string
+ random:
+ additionalProperties: false
+ type: object
+ properties:
+ group_events:
+ type: number
+ required_acks:
+ enum:
+ - 1
+ - 0
+ - -1
+ type: integer
+ round_robin:
+ additionalProperties: false
+ type: object
+ properties:
+ group_events:
+ type: number
+ sasl:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ mechanism:
+ enum:
+ - PLAIN
+ - SCRAM-SHA-256
+ - SCRAM-SHA-512
+ type: string
+ secrets:
+ additionalProperties: false
+ type: object
+ properties:
+ password:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ ssl:
+ additionalProperties: false
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ required:
+ - key
+ shipper:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ timeout:
+ type: number
+ topic:
+ type: string
+ type:
+ enum:
+ - kafka
+ type: string
+ username:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ version:
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - compression_level
+ - auth_type
+ - connection_type
+ - username
+ - password
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - elasticsearch
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ service_token:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ service_token:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - remote_elasticsearch
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ ssl:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - logstash
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ auth_type:
+ enum:
+ - none
+ - user_pass
+ - ssl
+ - kerberos
+ type: string
+ broker_timeout:
+ type: number
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ client_id:
+ type: string
+ compression:
+ enum:
+ - gzip
+ - snappy
+ - lz4
+ - none
+ type: string
+ compression_level:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: number
+ - not: {}
+ config_yaml:
+ nullable: true
+ type: string
+ connection_type:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - enum:
+ - plaintext
+ - encryption
+ type: string
+ - not: {}
+ hash:
+ additionalProperties: true
+ type: object
+ properties:
+ hash:
+ type: string
+ random:
+ type: boolean
+ headers:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: array
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ key:
+ type: string
+ name:
+ type: string
+ partition:
+ enum:
+ - random
+ - round_robin
+ - hash
+ type: string
+ password:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - not: {}
+ - anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ proxy_id:
+ nullable: true
+ type: string
+ random:
+ additionalProperties: true
+ type: object
+ properties:
+ group_events:
+ type: number
+ required_acks:
+ enum:
+ - 1
+ - 0
+ - -1
+ type: integer
+ round_robin:
+ additionalProperties: true
+ type: object
+ properties:
+ group_events:
+ type: number
+ sasl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ mechanism:
+ enum:
+ - PLAIN
+ - SCRAM-SHA-256
+ - SCRAM-SHA-512
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ password:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ ssl:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ required:
+ - key
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ timeout:
+ type: number
+ topic:
+ type: string
+ type:
+ enum:
+ - kafka
+ type: string
+ username:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ version:
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - compression_level
+ - auth_type
+ - connection_type
+ - username
+ - password
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Create output
+ tags:
+ - Fleet outputs
+ x-beta: true
+ /api/fleet/outputs/{outputId}:
+ delete:
+ description: Delete output by ID.
+ operationId: delete-fleet-outputs-outputid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: outputId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Delete output
+ tags:
+ - Fleet outputs
+ x-beta: true
+ get:
+ description: Get output by ID.
+ operationId: get-fleet-outputs-outputid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: outputId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - elasticsearch
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ service_token:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ service_token:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - remote_elasticsearch
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ ssl:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - logstash
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ auth_type:
+ enum:
+ - none
+ - user_pass
+ - ssl
+ - kerberos
+ type: string
+ broker_timeout:
+ type: number
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ client_id:
+ type: string
+ compression:
+ enum:
+ - gzip
+ - snappy
+ - lz4
+ - none
+ type: string
+ compression_level:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: number
+ - not: {}
+ config_yaml:
+ nullable: true
+ type: string
+ connection_type:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - enum:
+ - plaintext
+ - encryption
+ type: string
+ - not: {}
+ hash:
+ additionalProperties: true
+ type: object
+ properties:
+ hash:
+ type: string
+ random:
+ type: boolean
+ headers:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: array
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ key:
+ type: string
+ name:
+ type: string
+ partition:
+ enum:
+ - random
+ - round_robin
+ - hash
+ type: string
+ password:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - not: {}
+ - anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ proxy_id:
+ nullable: true
+ type: string
+ random:
+ additionalProperties: true
+ type: object
+ properties:
+ group_events:
+ type: number
+ required_acks:
+ enum:
+ - 1
+ - 0
+ - -1
+ type: integer
+ round_robin:
+ additionalProperties: true
+ type: object
+ properties:
+ group_events:
+ type: number
+ sasl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ mechanism:
+ enum:
+ - PLAIN
+ - SCRAM-SHA-256
+ - SCRAM-SHA-512
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ password:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ ssl:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ required:
+ - key
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ timeout:
+ type: number
+ topic:
+ type: string
+ type:
+ enum:
+ - kafka
+ type: string
+ username:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ version:
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - compression_level
+ - auth_type
+ - connection_type
+ - username
+ - password
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get output
+ tags:
+ - Fleet outputs
+ x-beta: true
+ put:
+ description: Update output by ID.
+ operationId: put-fleet-outputs-outputid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: outputId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ type: boolean
+ is_default_monitoring:
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - elasticsearch
+ type: string
+ - additionalProperties: false
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ type: boolean
+ is_default_monitoring:
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: false
+ type: object
+ properties:
+ service_token:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ service_token:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - remote_elasticsearch
+ type: string
+ - additionalProperties: false
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ type: boolean
+ is_default_monitoring:
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: false
+ type: object
+ properties:
+ ssl:
+ additionalProperties: false
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ shipper:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - logstash
+ type: string
+ - additionalProperties: false
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ auth_type:
+ enum:
+ - none
+ - user_pass
+ - ssl
+ - kerberos
+ type: string
+ broker_timeout:
+ type: number
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ client_id:
+ type: string
+ compression:
+ enum:
+ - gzip
+ - snappy
+ - lz4
+ - none
+ type: string
+ compression_level:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: number
+ - not: {}
+ config_yaml:
+ nullable: true
+ type: string
+ connection_type:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - enum:
+ - plaintext
+ - encryption
+ type: string
+ - not: {}
+ hash:
+ additionalProperties: false
+ type: object
+ properties:
+ hash:
+ type: string
+ random:
+ type: boolean
+ headers:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: array
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ key:
+ type: string
+ name:
+ type: string
+ partition:
+ enum:
+ - random
+ - round_robin
+ - hash
+ type: string
+ password:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - not: {}
+ - anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ proxy_id:
+ nullable: true
+ type: string
+ random:
+ additionalProperties: false
+ type: object
+ properties:
+ group_events:
+ type: number
+ required_acks:
+ enum:
+ - 1
+ - 0
+ - -1
+ type: integer
+ round_robin:
+ additionalProperties: false
+ type: object
+ properties:
+ group_events:
+ type: number
+ sasl:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ mechanism:
+ enum:
+ - PLAIN
+ - SCRAM-SHA-256
+ - SCRAM-SHA-512
+ type: string
+ secrets:
+ additionalProperties: false
+ type: object
+ properties:
+ password:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ ssl:
+ additionalProperties: false
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ required:
+ - key
+ shipper:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ timeout:
+ type: number
+ topic:
+ type: string
+ type:
+ enum:
+ - kafka
+ type: string
+ username:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ version:
+ type: string
+ required:
+ - name
+ - compression_level
+ - connection_type
+ - username
+ - password
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - elasticsearch
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ format: uri
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ preset:
+ enum:
+ - balanced
+ - custom
+ - throughput
+ - scale
+ - latency
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ service_token:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ service_token:
+ nullable: true
+ type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - remote_elasticsearch
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ config_yaml:
+ nullable: true
+ type: string
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ name:
+ type: string
+ proxy_id:
+ nullable: true
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ ssl:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ type:
+ enum:
+ - logstash
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - additionalProperties: true
+ type: object
+ properties:
+ allow_edit:
+ items:
+ type: string
+ type: array
+ auth_type:
+ enum:
+ - none
+ - user_pass
+ - ssl
+ - kerberos
+ type: string
+ broker_timeout:
+ type: number
+ ca_sha256:
+ nullable: true
+ type: string
+ ca_trusted_fingerprint:
+ nullable: true
+ type: string
+ client_id:
+ type: string
+ compression:
+ enum:
+ - gzip
+ - snappy
+ - lz4
+ - none
+ type: string
+ compression_level:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: number
+ - not: {}
+ config_yaml:
+ nullable: true
+ type: string
+ connection_type:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - enum:
+ - plaintext
+ - encryption
+ type: string
+ - not: {}
+ hash:
+ additionalProperties: true
+ type: object
+ properties:
+ hash:
+ type: string
+ random:
+ type: boolean
+ headers:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ type: string
+ value:
+ type: string
+ required:
+ - key
+ - value
+ type: array
+ hosts:
+ items:
+ type: string
+ minItems: 1
+ type: array
+ id:
+ type: string
+ is_default:
+ default: false
+ type: boolean
+ is_default_monitoring:
+ default: false
+ type: boolean
+ is_internal:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ key:
+ type: string
+ name:
+ type: string
+ partition:
+ enum:
+ - random
+ - round_robin
+ - hash
+ type: string
+ password:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - not: {}
+ - anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ proxy_id:
+ nullable: true
+ type: string
+ random:
+ additionalProperties: true
+ type: object
+ properties:
+ group_events:
+ type: number
+ required_acks:
+ enum:
+ - 1
+ - 0
+ - -1
+ type: integer
+ round_robin:
+ additionalProperties: true
+ type: object
+ properties:
+ group_events:
+ type: number
+ sasl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ mechanism:
+ enum:
+ - PLAIN
+ - SCRAM-SHA-256
+ - SCRAM-SHA-512
+ type: string
+ secrets:
+ additionalProperties: true
+ type: object
+ properties:
+ password:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ ssl:
+ additionalProperties: true
+ type: object
+ properties:
+ key:
+ anyOf:
+ - additionalProperties: true
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - type: string
+ required:
+ - key
+ shipper:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ compression_level:
+ nullable: true
+ type: number
+ disk_queue_compression_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_enabled:
+ default: false
+ nullable: true
+ type: boolean
+ disk_queue_encryption_enabled:
+ nullable: true
+ type: boolean
+ disk_queue_max_size:
+ nullable: true
+ type: number
+ disk_queue_path:
+ nullable: true
+ type: string
+ loadbalance:
+ nullable: true
+ type: boolean
+ max_batch_bytes:
+ nullable: true
+ type: number
+ mem_queue_events:
+ nullable: true
+ type: number
+ queue_flush_timeout:
+ nullable: true
+ type: number
+ required:
+ - disk_queue_path
+ - disk_queue_max_size
+ - disk_queue_encryption_enabled
+ - disk_queue_compression_enabled
+ - compression_level
+ - loadbalance
+ - mem_queue_events
+ - queue_flush_timeout
+ - max_batch_bytes
+ ssl:
+ additionalProperties: true
+ nullable: true
+ type: object
+ properties:
+ certificate:
+ type: string
+ certificate_authorities:
+ items:
+ type: string
+ type: array
+ key:
+ type: string
+ verification_mode:
+ enum:
+ - full
+ - none
+ - certificate
+ - strict
+ type: string
+ timeout:
+ type: number
+ topic:
+ type: string
+ type:
+ enum:
+ - kafka
+ type: string
+ username:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - type: string
+ - not: {}
+ version:
+ type: string
+ required:
+ - name
+ - type
+ - hosts
+ - compression_level
+ - auth_type
+ - connection_type
+ - username
+ - password
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Update output
+ tags:
+ - Fleet outputs
+ x-beta: true
+ /api/fleet/outputs/{outputId}/health:
+ get:
+ operationId: get-fleet-outputs-outputid-health
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: outputId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ description: long message if unhealthy
+ type: string
+ state:
+ description: state of output, HEALTHY or DEGRADED
+ type: string
+ timestamp:
+ description: timestamp of reported state
+ type: string
+ required:
+ - state
+ - message
+ - timestamp
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get the latest output health
+ tags:
+ - Fleet outputs
+ x-beta: true
+ /api/fleet/package_policies:
+ get:
+ operationId: get-fleet-package-policies
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: query
+ name: page
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: perPage
+ required: false
+ schema:
+ type: number
+ - in: query
+ name: sortField
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: sortOrder
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ - in: query
+ name: showUpgradeable
+ required: false
+ schema:
+ type: boolean
+ - in: query
+ name: kuery
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ - in: query
+ name: withAgentCount
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ agents:
+ type: number
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that input, (default to true)
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that stream, (default to true)
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Input streams (see integration documentation to know what streams are available)
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Package policy inputs (see integration documentation to know what inputs are available)
+ type: object
+ x-oas-optional: true
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ x-oas-optional: true
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get package policies
+ tags:
+ - Fleet package policies
+ x-beta: true
+ post:
+ operationId: post-fleet-package-policies
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ description:
+ description: Package policy description
+ type: string
+ enabled:
+ type: boolean
+ force:
+ description: Force package policy creation even if package is not verified, or if the agent policy is managed.
+ type: boolean
+ id:
+ description: Package policy unique identifier
+ type: string
+ inputs:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ type: array
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - name
+ - inputs
+ - additionalProperties: false
+ type: object
+ properties:
+ description:
+ type: string
+ force:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that input, (default to true)
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that stream, (default to true)
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Input streams (see integration documentation to know what streams are available)
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Package policy inputs (see integration documentation to know what inputs are available)
+ type: object
+ name:
+ type: string
+ namespace:
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ required:
+ - name
+ - package
+ description: You should use inputs as an object and not use the deprecated inputs array.
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ agents:
+ type: number
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that input, (default to true)
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that stream, (default to true)
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Input streams (see integration documentation to know what streams are available)
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Package policy inputs (see integration documentation to know what inputs are available)
+ type: object
+ x-oas-optional: true
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ x-oas-optional: true
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Create a package policy
+ tags:
+ - Fleet package policies
+ x-beta: true
+ /api/fleet/package_policies/_bulk_get:
+ post:
+ operationId: post-fleet-package-policies-bulk-get
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ ids:
+ description: list of package policy ids
+ items:
+ type: string
+ type: array
+ ignoreMissing:
+ type: boolean
+ required:
+ - ids
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ agents:
+ type: number
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that input, (default to true)
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that stream, (default to true)
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Input streams (see integration documentation to know what streams are available)
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Package policy inputs (see integration documentation to know what inputs are available)
+ type: object
+ x-oas-optional: true
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ x-oas-optional: true
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ type: array
+ required:
+ - items
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ summary: Bulk get package policies
+ tags:
+ - Fleet package policies
+ x-beta: true
+ /api/fleet/package_policies/{packagePolicyId}:
+ delete:
+ description: Delete a package policy by ID.
+ operationId: delete-fleet-package-policies-packagepolicyid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: packagePolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: force
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Delete a package policy
+ tags:
+ - Fleet package policies
+ x-beta: true
+ get:
+ description: Get a package policy by ID.
+ operationId: get-fleet-package-policies-packagepolicyid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: packagePolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ agents:
+ type: number
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that input, (default to true)
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that stream, (default to true)
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Input streams (see integration documentation to know what streams are available)
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Package policy inputs (see integration documentation to know what inputs are available)
+ type: object
+ x-oas-optional: true
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ x-oas-optional: true
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ summary: Get a package policy
+ tags:
+ - Fleet package policies
+ x-beta: true
+ put:
+ description: Update a package policy by ID.
+ operationId: put-fleet-package-policies-packagepolicyid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: packagePolicyId
+ required: true
+ schema:
+ type: string
+ - in: query
+ name: format
+ required: false
+ schema:
+ enum:
+ - simplified
+ - legacy
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ description:
+ description: Package policy description
+ type: string
+ enabled:
+ type: boolean
+ force:
+ type: boolean
+ inputs:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ type: array
+ is_managed:
+ type: boolean
+ name:
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ version:
+ type: string
+ - additionalProperties: false
+ type: object
+ properties:
+ description:
+ type: string
+ force:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that input, (default to true)
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that stream, (default to true)
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Input streams (see integration documentation to know what streams are available)
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Package policy inputs (see integration documentation to know what inputs are available)
+ type: object
+ name:
+ type: string
+ namespace:
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ required:
+ - name
+ - package
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ agents:
+ type: number
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that input, (default to true)
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that stream, (default to true)
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Input streams (see integration documentation to know what streams are available)
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Package policy inputs (see integration documentation to know what inputs are available)
+ type: object
+ x-oas-optional: true
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ x-oas-optional: true
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - id
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Update a package policy
+ tags:
+ - Fleet package policies
+ x-beta: true
+ /api/fleet/package_policies/delete:
+ post:
+ operationId: post-fleet-package-policies-delete
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ force:
+ type: boolean
+ packagePolicyIds:
+ items:
+ type: string
+ type: array
+ required:
+ - packagePolicyIds
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ body:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ id:
+ type: string
+ name:
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Use `policy_ids` instead
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ type: string
+ type: array
+ statusCode:
+ type: number
+ success:
+ type: boolean
+ required:
+ - id
+ - success
+ - policy_ids
+ - package
+ type: array
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Bulk delete package policies
+ tags:
+ - Fleet package policies
+ x-beta: true
+ /api/fleet/package_policies/upgrade:
+ post:
+ description: Upgrade a package policy to a newer package version.
+ operationId: post-fleet-package-policies-upgrade
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ packagePolicyIds:
+ items:
+ type: string
+ type: array
+ required:
+ - packagePolicyIds
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ body:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ id:
+ type: string
+ name:
+ type: string
+ statusCode:
+ type: number
+ success:
+ type: boolean
+ required:
+ - id
+ - success
+ type: array
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Upgrade a package policy
+ tags:
+ - Fleet package policies
+ x-beta: true
+ /api/fleet/package_policies/upgrade/dryrun:
+ post:
+ operationId: post-fleet-package-policies-upgrade-dryrun
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ packagePolicyIds:
+ items:
+ type: string
+ type: array
+ packageVersion:
+ type: string
+ required:
+ - packagePolicyIds
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ agent_diff:
+ items:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ data_stream:
+ additionalProperties: true
+ type: object
+ properties:
+ namespace:
+ type: string
+ required:
+ - namespace
+ id:
+ type: string
+ meta:
+ additionalProperties: true
+ type: object
+ properties:
+ package:
+ additionalProperties: true
+ type: object
+ properties:
+ name:
+ type: string
+ version:
+ type: string
+ required:
+ - name
+ - version
+ required:
+ - package
+ name:
+ type: string
+ package_policy_id:
+ type: string
+ processors:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ add_fields:
+ additionalProperties: true
+ type: object
+ properties:
+ fields:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: number
+ type: object
+ target:
+ type: string
+ required:
+ - target
+ - fields
+ required:
+ - add_fields
+ type: array
+ revision:
+ type: number
+ streams:
+ items:
+ additionalProperties: true
+ type: object
+ properties:
+ data_stream:
+ additionalProperties: true
+ type: object
+ properties:
+ dataset:
+ type: string
+ type:
+ type: string
+ required:
+ - dataset
+ id:
+ type: string
+ required:
+ - id
+ - data_stream
+ type: array
+ type:
+ type: string
+ use_output:
+ type: string
+ required:
+ - id
+ - name
+ - revision
+ - type
+ - data_stream
+ - use_output
+ - package_policy_id
+ type: array
+ type: array
+ body:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ diff:
+ items:
+ anyOf:
+ - additionalProperties: false
+ type: object
+ properties:
+ agents:
+ type: number
+ created_at:
+ type: string
+ created_by:
+ type: string
+ description:
+ description: Package policy description
+ type: string
+ elasticsearch:
+ additionalProperties: true
+ type: object
+ properties:
+ privileges:
+ additionalProperties: true
+ type: object
+ properties:
+ cluster:
+ items:
+ type: string
+ type: array
+ enabled:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ anyOf:
+ - items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_input: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ - compiled_input
+ type: array
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that input, (default to true)
+ type: boolean
+ streams:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ description: enable or disable that stream, (default to true)
+ type: boolean
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Input streams (see integration documentation to know what streams are available)
+ type: object
+ vars:
+ additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ description: Package policy inputs (see integration documentation to know what inputs are available)
+ type: object
+ x-oas-optional: true
+ is_managed:
+ type: boolean
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ revision:
+ type: number
+ secret_references:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ type: array
+ spaceIds:
+ items:
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ updated_at:
+ type: string
+ updated_by:
+ type: string
+ vars:
+ anyOf:
+ - additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ - additionalProperties:
+ anyOf:
+ - type: boolean
+ - type: string
+ - type: number
+ - items:
+ type: string
+ type: array
+ - items:
+ type: number
+ type: array
+ - additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ isSecretRef:
+ type: boolean
+ required:
+ - id
+ - isSecretRef
+ nullable: true
+ description: Input/stream level variable (see integration documentation for more information)
+ type: object
+ x-oas-optional: true
+ version:
+ type: string
+ required:
+ - name
+ - enabled
+ - inputs
+ - revision
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ - additionalProperties: false
+ type: object
+ properties:
+ description:
+ description: Package policy description
+ type: string
+ enabled:
+ type: boolean
+ errors:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ key:
+ type: string
+ message:
+ type: string
+ required:
+ - message
+ type: array
+ force:
+ type: boolean
+ id:
+ type: string
+ inputs:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ policy_template:
+ type: string
+ streams:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ compiled_stream: {}
+ config:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ data_stream:
+ additionalProperties: false
+ type: object
+ properties:
+ dataset:
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ dynamic_dataset:
+ type: boolean
+ dynamic_namespace:
+ type: boolean
+ privileges:
+ additionalProperties: false
+ type: object
+ properties:
+ indices:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - dataset
+ - type
+ enabled:
+ type: boolean
+ id:
+ type: string
+ keep_enabled:
+ type: boolean
+ release:
+ enum:
+ - ga
+ - beta
+ - experimental
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - enabled
+ - data_stream
+ - compiled_stream
+ type: array
+ type:
+ type: string
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - type
+ - enabled
+ - streams
+ type: array
+ is_managed:
+ type: boolean
+ missingVars:
+ items:
+ type: string
+ type: array
+ name:
+ description: Package policy name (should be unique)
+ type: string
+ namespace:
+ description: The package policy namespace. Leave blank to inherit the agent policy's namespace.
+ type: string
+ output_id:
+ nullable: true
+ type: string
+ overrides:
+ additionalProperties: false
+ description: Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.
+ nullable: true
+ type: object
+ properties:
+ inputs:
+ additionalProperties: {}
+ type: object
+ package:
+ additionalProperties: false
+ type: object
+ properties:
+ experimental_data_stream_features:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ data_stream:
+ type: string
+ features:
+ additionalProperties: false
+ type: object
+ properties:
+ doc_value_only_numeric:
+ type: boolean
+ doc_value_only_other:
+ type: boolean
+ synthetic_source:
+ type: boolean
+ tsdb:
+ type: boolean
+ required:
+ - data_stream
+ - features
+ type: array
+ name:
+ description: Package name
+ type: string
+ requires_root:
+ type: boolean
+ title:
+ type: string
+ version:
+ description: Package version
+ type: string
+ required:
+ - name
+ - version
+ policy_id:
+ deprecated: true
+ description: Agent policy ID where that package policy will be added
+ nullable: true
+ type: string
+ policy_ids:
+ items:
+ description: Agent policy IDs where that package policy will be added
+ type: string
+ type: array
+ supports_agentless:
+ default: false
+ description: Indicates whether the package policy belongs to an agentless agent policy.
+ nullable: true
+ type: boolean
+ vars:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ frozen:
+ type: boolean
+ type:
+ type: string
+ value: {}
+ required:
+ - value
+ description: Package variable (see integration documentation for more information)
+ type: object
+ required:
+ - name
+ - enabled
+ - inputs
+ type: array
+ hasErrors:
+ type: boolean
+ name:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - hasErrors
+ type: array
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Dry run a package policy upgrade
+ tags:
+ - Fleet package policies
+ x-beta: true
+ /api/fleet/proxies:
+ get:
+ operationId: get-fleet-proxies
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ certificate_authorities:
+ nullable: true
+ type: string
+ certificate_key:
+ nullable: true
+ type: string
+ id:
+ type: string
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ url:
+ type: string
+ required:
+ - id
+ - url
+ - name
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get proxies
+ tags:
+ - Fleet proxies
+ x-beta: true
+ post:
+ operationId: post-fleet-proxies
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ certificate_authorities:
+ nullable: true
+ type: string
+ certificate_key:
+ nullable: true
+ type: string
+ id:
+ type: string
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ url:
+ type: string
+ required:
+ - url
+ - name
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ certificate_authorities:
+ nullable: true
+ type: string
+ certificate_key:
+ nullable: true
+ type: string
+ id:
+ type: string
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ url:
+ type: string
+ required:
+ - id
+ - url
+ - name
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Create a proxy
+ tags:
+ - Fleet proxies
+ x-beta: true
+ /api/fleet/proxies/{itemId}:
+ delete:
+ description: Delete a proxy by ID
+ operationId: delete-fleet-proxies-itemid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Delete a proxy
+ tags:
+ - Fleet proxies
+ x-beta: true
+ get:
+ description: Get a proxy by ID.
+ operationId: get-fleet-proxies-itemid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ certificate_authorities:
+ nullable: true
+ type: string
+ certificate_key:
+ nullable: true
+ type: string
+ id:
+ type: string
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ url:
+ type: string
+ required:
+ - id
+ - url
+ - name
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get a proxy
+ tags:
+ - Fleet proxies
+ x-beta: true
+ put:
+ description: Update a proxy by ID.
+ operationId: put-fleet-proxies-itemid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: itemId
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ certificate_authorities:
+ nullable: true
+ type: string
+ certificate_key:
+ nullable: true
+ type: string
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ url:
+ type: string
+ required:
+ - proxy_headers
+ - certificate_authorities
+ - certificate
+ - certificate_key
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ certificate:
+ nullable: true
+ type: string
+ certificate_authorities:
+ nullable: true
+ type: string
+ certificate_key:
+ nullable: true
+ type: string
+ id:
+ type: string
+ is_preconfigured:
+ default: false
+ type: boolean
+ name:
+ type: string
+ proxy_headers:
+ additionalProperties:
+ anyOf:
+ - type: string
+ - type: boolean
+ - type: number
+ nullable: true
+ type: object
+ url:
+ type: string
+ required:
+ - id
+ - url
+ - name
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Update a proxy
+ tags:
+ - Fleet proxies
+ x-beta: true
+ /api/fleet/service_tokens:
+ post:
+ operationId: post-fleet-service-tokens
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ nullable: true
+ type: object
+ properties:
+ remote:
+ default: false
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ name:
+ type: string
+ value:
+ type: string
+ required:
+ - name
+ - value
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Create a service token
+ tags:
+ - Fleet service tokens
+ x-beta: true
+ /api/fleet/settings:
+ get:
+ operationId: get-fleet-settings
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ delete_unenrolled_agents:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ required:
+ - enabled
+ - is_preconfigured
+ has_seen_add_data_notice:
+ type: boolean
+ id:
+ type: string
+ output_secret_storage_requirements_met:
+ type: boolean
+ preconfigured_fields:
+ items:
+ enum:
+ - fleet_server_hosts
+ type: string
+ type: array
+ prerelease_integrations_enabled:
+ type: boolean
+ secret_storage_requirements_met:
+ type: boolean
+ use_space_awareness_migration_started_at:
+ nullable: true
+ type: string
+ use_space_awareness_migration_status:
+ enum:
+ - pending
+ - success
+ - error
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ summary: Get settings
+ tags:
+ - Fleet internals
+ x-beta: true
+ put:
+ operationId: put-fleet-settings
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ additional_yaml_config:
+ type: string
+ delete_unenrolled_agents:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ required:
+ - enabled
+ - is_preconfigured
+ has_seen_add_data_notice:
+ type: boolean
+ kibana_ca_sha256:
+ type: string
+ kibana_urls:
+ items:
+ format: uri
+ type: string
+ type: array
+ prerelease_integrations_enabled:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ delete_unenrolled_agents:
+ additionalProperties: false
+ type: object
+ properties:
+ enabled:
+ type: boolean
+ is_preconfigured:
+ type: boolean
+ required:
+ - enabled
+ - is_preconfigured
+ has_seen_add_data_notice:
+ type: boolean
+ id:
+ type: string
+ output_secret_storage_requirements_met:
+ type: boolean
+ preconfigured_fields:
+ items:
+ enum:
+ - fleet_server_hosts
+ type: string
+ type: array
+ prerelease_integrations_enabled:
+ type: boolean
+ secret_storage_requirements_met:
+ type: boolean
+ use_space_awareness_migration_started_at:
+ nullable: true
+ type: string
+ use_space_awareness_migration_status:
+ enum:
+ - pending
+ - success
+ - error
+ type: string
+ version:
+ type: string
+ required:
+ - id
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ summary: Update settings
+ tags:
+ - Fleet internals
+ x-beta: true
+ /api/fleet/setup:
+ post:
+ operationId: post-fleet-setup
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: A summary of the result of Fleet's `setup` lifecycle. If `isInitialized` is true, Fleet is ready to accept agent enrollment. `nonFatalErrors` may include useful insight into non-blocking issues with Fleet setup.
+ type: object
+ properties:
+ isInitialized:
+ type: boolean
+ nonFatalErrors:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ message:
+ type: string
+ name:
+ type: string
+ required:
+ - name
+ - message
+ type: array
+ required:
+ - isInitialized
+ - nonFatalErrors
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Internal Server Error
+ type: object
+ properties:
+ message:
+ type: string
+ required:
+ - message
+ summary: Initiate Fleet setup
+ tags:
+ - Fleet internals
+ x-beta: true
+ /api/fleet/uninstall_tokens:
+ get:
+ description: List the metadata for the latest uninstall tokens per agent policy.
+ operationId: get-fleet-uninstall-tokens
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: Partial match filtering for policy IDs
+ in: query
+ name: policyId
+ required: false
+ schema:
+ maxLength: 50
+ type: string
+ - in: query
+ name: search
+ required: false
+ schema:
+ maxLength: 50
+ type: string
+ - description: The number of items to return
+ in: query
+ name: perPage
+ required: false
+ schema:
+ minimum: 5
+ type: number
+ - in: query
+ name: page
+ required: false
+ schema:
+ minimum: 1
+ type: number
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ items:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ created_at:
+ type: string
+ id:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ policy_name:
+ nullable: true
+ type: string
+ required:
+ - id
+ - policy_id
+ - created_at
+ type: array
+ page:
+ type: number
+ perPage:
+ type: number
+ total:
+ type: number
+ required:
+ - items
+ - total
+ - page
+ - perPage
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get metadata for latest uninstall tokens
+ tags:
+ - Fleet uninstall tokens
+ x-beta: true
+ /api/fleet/uninstall_tokens/{uninstallTokenId}:
+ get:
+ description: Get one decrypted uninstall token by its ID.
+ operationId: get-fleet-uninstall-tokens-uninstalltokenid
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - in: path
+ name: uninstallTokenId
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ item:
+ additionalProperties: false
+ type: object
+ properties:
+ created_at:
+ type: string
+ id:
+ type: string
+ namespaces:
+ items:
+ type: string
+ type: array
+ policy_id:
+ type: string
+ policy_name:
+ nullable: true
+ type: string
+ token:
+ type: string
+ required:
+ - id
+ - policy_id
+ - created_at
+ - token
+ required:
+ - item
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ description: Generic Error
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ required:
+ - message
+ summary: Get a decrypted uninstall token
+ tags:
+ - Fleet uninstall tokens
+ x-beta: true
+ /api/lists:
+ delete:
+ description: |
+ Delete a list using the list ID.
+ > info
+ > When you delete a list, all of its list items are also deleted.
+ operationId: DeleteList
+ parameters:
+ - description: List's `id` value
+ in: query
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - in: query
+ name: deleteReferences
+ required: false
+ schema:
+ default: false
+ type: boolean
+ - in: query
+ name: ignoreReferences
+ required: false
+ schema:
+ default: false
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Delete a list
+ tags:
+ - Security Lists API
+ x-beta: true
+ get:
+ description: Get the details of a list using the list ID.
+ operationId: ReadList
+ parameters:
+ - description: List's `id` value
+ in: query
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get list details
+ tags:
+ - Security Lists API
+ x-beta: true
+ patch:
+ description: Update specific fields of an existing list using the list ID.
+ operationId: PatchList
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ _version:
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Lists_API_ListDescription'
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Lists_API_ListName'
+ version:
+ minimum: 1
+ type: integer
+ required:
+ - id
+ description: List's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Patch a list
+ tags:
+ - Security Lists API
+ x-beta: true
+ post:
+ description: Create a new list.
+ operationId: CreateList
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Lists_API_ListDescription'
+ deserializer:
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Lists_API_ListName'
+ serializer:
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Lists_API_ListType'
+ version:
+ default: 1
+ minimum: 1
+ type: integer
+ required:
+ - name
+ - description
+ - type
+ description: List's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List already exists response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create a list
+ tags:
+ - Security Lists API
+ x-beta: true
+ put:
+ description: |
+ Update a list using the list ID. The original list is replaced, and all unspecified fields are deleted.
+ > info
+ > You cannot modify the `id` value.
+ operationId: UpdateList
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ _version:
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Lists_API_ListDescription'
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Lists_API_ListName'
+ version:
+ minimum: 1
+ type: integer
+ required:
+ - id
+ - name
+ - description
+ description: List's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Update a list
+ tags:
+ - Security Lists API
+ x-beta: true
+ /api/lists/_find:
+ get:
+ description: Get a paginated subset of lists. By default, the first page is returned, with 20 results per page.
+ operationId: FindLists
+ parameters:
+ - description: The page number to return
+ in: query
+ name: page
+ required: false
+ schema:
+ type: integer
+ - description: The number of lists to return per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ type: integer
+ - description: Determines which field is used to sort the results
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_NonEmptyString'
+ - description: Determines the sort order, which can be `desc` or `asc`
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ - description: |
+ Returns the list that come after the last list returned in the previous call
+ (use the cursor value returned in the previous call). This parameter uses
+ the `tie_breaker_id` field to ensure all lists are sorted and returned correctly.
+ in: query
+ name: cursor
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_FindListsCursor'
+ - description: |
+ Filters the returned results according to the value of the specified field,
+ using the : syntax.
+ in: query
+ name: filter
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_FindListsFilter'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ cursor:
+ $ref: '#/components/schemas/Security_Lists_API_FindListsCursor'
+ data:
+ items:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ type: array
+ page:
+ minimum: 0
+ type: integer
+ per_page:
+ minimum: 0
+ type: integer
+ total:
+ minimum: 0
+ type: integer
+ required:
+ - data
+ - page
+ - per_page
+ - total
+ - cursor
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get lists
+ tags:
+ - Security Lists API
+ x-beta: true
+ /api/lists/index:
+ delete:
+ description: Delete the `.lists` and `.items` data streams.
+ operationId: DeleteListIndex
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ acknowledged:
+ type: boolean
+ required:
+ - acknowledged
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List data stream not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Delete list data streams
+ tags:
+ - Security Lists API
+ x-beta: true
+ get:
+ description: Verify that `.lists` and `.items` data streams exist.
+ operationId: ReadListIndex
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ list_index:
+ type: boolean
+ list_item_index:
+ type: boolean
+ required:
+ - list_index
+ - list_item_index
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List data stream(s) not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get status of list data streams
+ tags:
+ - Security Lists API
+ x-beta: true
+ post:
+ description: Create `.lists` and `.items` data streams in the relevant space.
+ operationId: CreateListIndex
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ acknowledged:
+ type: boolean
+ required:
+ - acknowledged
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List data stream exists response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create list data streams
+ tags:
+ - Security Lists API
+ x-beta: true
+ /api/lists/items:
+ delete:
+ description: Delete a list item using its `id`, or its `list_id` and `value` fields.
+ operationId: DeleteListItem
+ parameters:
+ - description: Required if `list_id` and `value` are not specified
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: Required if `id` is not specified
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: Required if `id` is not specified
+ in: query
+ name: value
+ required: false
+ schema:
+ type: string
+ - description: Determines when changes made by the request are made visible to search
+ in: query
+ name: refresh
+ required: false
+ schema:
+ default: 'false'
+ enum:
+ - 'true'
+ - 'false'
+ - wait_for
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ - items:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ type: array
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Delete a list item
+ tags:
+ - Security Lists API
+ x-beta: true
+ get:
+ description: Get the details of a list item.
+ operationId: ReadListItem
+ parameters:
+ - description: Required if `list_id` and `value` are not specified
+ in: query
+ name: id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: Required if `id` is not specified
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: Required if `id` is not specified
+ in: query
+ name: value
+ required: false
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ - items:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ type: array
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get a list item
+ tags:
+ - Security Lists API
+ x-beta: true
+ patch:
+ description: Update specific fields of an existing list item using the list item ID.
+ operationId: PatchListItem
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ _version:
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
+ refresh:
+ description: Determines when changes made by the request are made visible to search
+ enum:
+ - 'true'
+ - 'false'
+ - wait_for
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
+ required:
+ - id
+ description: List item's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Patch a list item
+ tags:
+ - Security Lists API
+ x-beta: true
+ post:
+ description: |
+ Create a list item and associate it with the specified list.
+
+ All list items in the same list must be the same type. For example, each list item in an `ip` list must define a specific IP address.
+ > info
+ > Before creating a list item, you must create a list.
+ operationId: CreateListItem
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemId'
+ list_id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
+ refresh:
+ description: Determines when changes made by the request are made visible to search
+ enum:
+ - 'true'
+ - 'false'
+ - wait_for
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
+ required:
+ - list_id
+ - value
+ description: List item's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item already exists response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Create a list item
+ tags:
+ - Security Lists API
+ x-beta: true
+ put:
+ description: |
+ Update a list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted.
+ > info
+ > You cannot modify the `id` value.
+ operationId: UpdateListItem
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ _version:
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
+ value:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
+ required:
+ - id
+ - value
+ description: List item's properties
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List item not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Update a list item
+ tags:
+ - Security Lists API
+ x-beta: true
+ /api/lists/items/_export:
+ post:
+ description: Export list item values from the specified list.
+ operationId: ExportListItems
+ parameters:
+ - description: List's id to export
+ in: query
+ name: list_id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ responses:
+ '200':
+ content:
+ application/ndjson; Elastic-Api-Version=2023-10-31:
+ schema:
+ description: A `.txt` file containing list items from the specified list
+ format: binary
+ type: string
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List not found response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Export list items
+ tags:
+ - Security Lists API
+ x-beta: true
+ /api/lists/items/_find:
+ get:
+ description: Get all list items in the specified list.
+ operationId: FindListItems
+ parameters:
+ - description: List's id
+ in: query
+ name: list_id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: The page number to return
+ in: query
+ name: page
+ required: false
+ schema:
+ type: integer
+ - description: The number of list items to return per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ type: integer
+ - description: Determines which field is used to sort the results
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_NonEmptyString'
+ - description: Determines the sort order, which can be `desc` or `asc`
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ enum:
+ - desc
+ - asc
+ type: string
+ - description: |
+ Returns the list that come after the last list returned in the previous call
+ (use the cursor value returned in the previous call). This parameter uses
+ the `tie_breaker_id` field to ensure all lists are sorted and returned correctly.
+ in: query
+ name: cursor
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor'
+ - description: |
+ Filters the returned results according to the value of the specified field,
+ using the : syntax.
+ in: query
+ name: filter
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ cursor:
+ $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor'
+ data:
+ items:
+ $ref: '#/components/schemas/Security_Lists_API_ListItem'
+ type: array
+ page:
+ minimum: 0
+ type: integer
+ per_page:
+ minimum: 0
+ type: integer
+ total:
+ minimum: 0
+ type: integer
+ required:
+ - data
+ - page
+ - per_page
+ - total
+ - cursor
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get list items
+ tags:
+ - Security Lists API
+ x-beta: true
+ /api/lists/items/_import:
+ post:
+ description: |
+ Import list items from a TXT or CSV file. The maximum file size is 9 million bytes.
+
+ You can import items to a new or existing list.
+ operationId: ImportListItems
+ parameters:
+ - description: |
+ List's id.
+
+ Required when importing to an existing list.
+ in: query
+ name: list_id
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ - description: |
+ Type of the importing list.
+
+ Required when importing a new list that is `list_id` is not specified.
+ in: query
+ name: type
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_ListType'
+ - in: query
+ name: serializer
+ required: false
+ schema:
+ type: string
+ - in: query
+ name: deserializer
+ required: false
+ schema:
+ type: string
+ - description: Determines when changes made by the request are made visible to search
+ in: query
+ name: refresh
+ required: false
+ schema:
+ enum:
+ - 'true'
+ - 'false'
+ - wait_for
+ type: string
+ requestBody:
+ content:
+ multipart/form-data; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ file:
+ description: A `.txt` or `.csv` file containing newline separated list items
+ format: binary
+ type: string
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_List'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: List with specified list_id does not exist response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Import list items
+ tags:
+ - Security Lists API
+ x-beta: true
+ /api/lists/privileges:
+ get:
+ operationId: ReadListPrivileges
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ is_authenticated:
+ type: boolean
+ listItems:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges'
+ lists:
+ $ref: '#/components/schemas/Security_Lists_API_ListPrivileges'
+ required:
+ - lists
+ - listItems
+ - is_authenticated
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Invalid input data response
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Unsuccessful authentication response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse'
+ description: Not enough privileges response
+ '500':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse'
+ description: Internal server error response
+ summary: Get list privileges
+ tags:
+ - Security Lists API
+ x-beta: true
+ /api/ml/saved_objects/sync:
+ get:
+ description: |
+ Synchronizes Kibana saved objects for machine learning jobs and trained models. This API runs automatically when you start Kibana and periodically thereafter.
+ operationId: mlSync
+ parameters:
+ - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ syncExample:
+ $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample'
+ schema:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response'
+ description: Indicates a successful call
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse'
+ description: Authorization information is missing or invalid.
+ summary: Sync machine learning saved objects
+ tags:
+ - ml
+ x-beta: true
+ /api/note:
+ delete:
+ description: Delete a note from a Timeline using the note ID.
+ operationId: DeleteNote
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ oneOf:
+ - nullable: true
+ type: object
+ properties:
+ noteId:
+ type: string
+ required:
+ - noteId
+ - nullable: true
+ type: object
+ properties:
+ noteIds:
+ items:
+ type: string
+ nullable: true
+ type: array
+ required:
+ - noteIds
+ description: The ID of the note to delete.
+ required: true
+ responses:
+ '200':
+ description: Indicates the note was successfully deleted.
+ summary: Delete a note
+ tags:
+ - Security Timeline API
+ x-beta: true
+ get:
+ description: Get all notes for a given document.
+ operationId: GetNotes
+ parameters:
+ - in: query
+ name: documentIds
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_DocumentIds'
+ - in: query
+ name: savedObjectIds
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds'
+ - in: query
+ name: page
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: perPage
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: search
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: sortField
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: sortOrder
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: filter
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: createdByFilter
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: associatedFilter
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult'
+ description: Indicates the requested notes were returned.
+ summary: Get notes
+ tags:
+ - Security Timeline API
+ x-beta: true
+ patch:
+ description: Add a note to a Timeline or update an existing note.
+ operationId: PersistNoteRoute
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ eventDataView:
+ nullable: true
+ type: string
+ eventIngested:
+ nullable: true
+ type: string
+ eventTimestamp:
+ nullable: true
+ type: string
+ note:
+ $ref: '#/components/schemas/Security_Timeline_API_BareNote'
+ noteId:
+ nullable: true
+ type: string
+ overrideOwner:
+ nullable: true
+ type: boolean
+ version:
+ nullable: true
+ type: string
+ required:
+ - note
+ description: The note to add or update, along with additional metadata.
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_ResponseNote'
+ description: Indicates the note was successfully created.
+ summary: Add or update a note
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /api/osquery/live_queries:
+ get:
+ description: Get a list of all live queries.
+ operationId: OsqueryFindLiveQueries
+ parameters:
+ - in: query
+ name: query
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_FindLiveQueryRequestQuery'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Get live queries
+ tags:
+ - Security Osquery API
+ x-beta: true
+ post:
+ description: Create and run a live query.
+ operationId: OsqueryCreateLiveQuery
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Create a live query
+ tags:
+ - Security Osquery API
+ x-beta: true
+ /api/osquery/live_queries/{id}:
+ get:
+ description: Get the details of a live query using the query ID.
+ operationId: OsqueryGetLiveQueryDetails
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_Id'
+ - in: query
+ name: query
+ schema:
+ additionalProperties: true
+ type: object
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Get live query details
+ tags:
+ - Security Osquery API
+ x-beta: true
+ /api/osquery/live_queries/{id}/results/{actionId}:
+ get:
+ description: Get the results of a live query using the query action ID.
+ operationId: OsqueryGetLiveQueryResults
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_Id'
+ - in: path
+ name: actionId
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_Id'
+ - in: query
+ name: query
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_GetLiveQueryResultsRequestQuery'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Get live query results
+ tags:
+ - Security Osquery API
+ x-beta: true
+ /api/osquery/packs:
+ get:
+ description: Get a list of all query packs.
+ operationId: OsqueryFindPacks
+ parameters:
+ - in: query
+ name: query
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_FindPacksRequestQuery'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Get packs
+ tags:
+ - Security Osquery API
+ x-beta: true
+ post:
+ description: Create a query pack.
+ operationId: OsqueryCreatePacks
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Create a pack
+ tags:
+ - Security Osquery API
+ x-beta: true
+ /api/osquery/packs/{id}:
+ delete:
+ description: Delete a query pack using the pack ID.
+ operationId: OsqueryDeletePacks
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PackId'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Delete a pack
+ tags:
+ - Security Osquery API
+ x-beta: true
+ get:
+ description: Get the details of a query pack using the pack ID.
+ operationId: OsqueryGetPacksDetails
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PackId'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Get pack details
+ tags:
+ - Security Osquery API
+ x-beta: true
+ put:
+ description: |
+ Update a query pack using the pack ID.
+ > info
+ > You cannot update a prebuilt pack.
+ operationId: OsqueryUpdatePacks
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_PackId'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Update a pack
+ tags:
+ - Security Osquery API
+ x-beta: true
+ /api/osquery/saved_queries:
+ get:
+ description: Get a list of all saved queries.
+ operationId: OsqueryFindSavedQueries
+ parameters:
+ - in: query
+ name: query
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_FindSavedQueryRequestQuery'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Get saved queries
+ tags:
+ - Security Osquery API
+ x-beta: true
+ post:
+ description: Create and run a saved query.
+ operationId: OsqueryCreateSavedQuery
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Create a saved query
+ tags:
+ - Security Osquery API
+ x-beta: true
+ /api/osquery/saved_queries/{id}:
+ delete:
+ description: Delete a saved query using the query ID.
+ operationId: OsqueryDeleteSavedQuery
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Delete a saved query
+ tags:
+ - Security Osquery API
+ x-beta: true
+ get:
+ description: Get the details of a saved query using the query ID.
+ operationId: OsqueryGetSavedQueryDetails
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Get saved query details
+ tags:
+ - Security Osquery API
+ x-beta: true
+ put:
+ description: |
+ Update a saved query using the query ID.
+ > info
+ > You cannot update a prebuilt saved query.
+ operationId: OsqueryUpdateSavedQuery
+ parameters:
+ - in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Osquery_API_DefaultSuccessResponse'
+ description: OK
+ summary: Update a saved query
+ tags:
+ - Security Osquery API
+ x-beta: true
+ /api/pinned_event:
+ patch:
+ description: Pin an event to an existing Timeline.
+ operationId: PersistPinnedEventRoute
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ eventId:
+ type: string
+ pinnedEventId:
+ nullable: true
+ type: string
+ timelineId:
+ type: string
+ required:
+ - eventId
+ - timelineId
+ description: The pinned event to add or update, along with additional metadata.
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistPinnedEventResponse'
+ description: Indicates the event was successfully pinned to the Timeline.
+ summary: Pin an event
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /api/risk_score/engine/dangerously_delete_data:
+ delete:
+ description: Cleaning up the the Risk Engine by removing the indices, mapping and transforms
+ operationId: CleanUpRiskEngine
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ cleanup_successful:
+ type: boolean
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+ description: Task manager is unavailable
+ default:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse'
+ description: Unexpected error
+ summary: Cleanup the Risk Engine
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/risk_score/engine/schedule_now:
+ post:
+ description: Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.
+ operationId: ScheduleRiskEngineNow
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31: {}
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse'
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse'
+ description: Task manager is unavailable
+ default:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse'
+ description: Unexpected error
+ summary: Run the risk scoring engine
+ tags:
+ - Security Entity Analytics API
+ x-beta: true
+ /api/saved_objects/_export:
+ post:
+ description: |
+ Retrieve sets of saved objects that you want to import into Kibana.
+ You must include `type` or `objects` in the request body.
+
+ Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
+
+ NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be exported.
+ operationId: exportSavedObjectsDefault
+ parameters:
+ - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ exportSavedObjectsRequest:
+ $ref: '#/components/examples/Serverless_saved_objects_export_objects_request'
+ schema:
+ type: object
+ properties:
+ excludeExportDetails:
+ default: false
+ description: Do not add export details entry at the end of the stream.
+ type: boolean
+ includeReferencesDeep:
+ description: Includes all of the referenced objects in the exported objects.
+ type: boolean
+ objects:
+ description: A list of objects to export.
+ items:
+ type: object
+ type: array
+ type:
+ description: The saved object types to include in the export. Use `*` to export all the types.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ required: true
+ responses:
+ '200':
+ content:
+ application/x-ndjson; Elastic-Api-Version=2023-10-31:
+ examples:
+ exportSavedObjectsResponse:
+ $ref: '#/components/examples/Serverless_saved_objects_export_objects_response'
+ schema:
+ additionalProperties: true
+ type: object
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Serverless_saved_objects_400_response'
+ description: Bad request.
+ summary: Export saved objects
+ tags:
+ - saved objects
+ x-beta: true
+ /api/saved_objects/_import:
+ post:
+ description: |
+ Create sets of Kibana saved objects from a file created by the export API.
+ Saved objects can be imported only into the same version, a newer minor on the same major, or the next major. Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
+ operationId: importSavedObjectsDefault
+ parameters:
+ - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf'
+ - description: |
+ Creates copies of saved objects, regenerates each object ID, and resets the origin. When used, potential conflict errors are avoided. NOTE: This option cannot be used with the `overwrite` and `compatibilityMode` options.
+ in: query
+ name: createNewCopies
+ required: false
+ schema:
+ type: boolean
+ - description: |
+ Overwrites saved objects when they already exist. When used, potential conflict errors are automatically resolved by overwriting the destination object. NOTE: This option cannot be used with the `createNewCopies` option.
+ in: query
+ name: overwrite
+ required: false
+ schema:
+ type: boolean
+ - description: |
+ Applies various adjustments to the saved objects that are being imported to maintain compatibility between different Kibana versions. Use this option only if you encounter issues with imported saved objects. NOTE: This option cannot be used with the `createNewCopies` option.
+ in: query
+ name: compatibilityMode
+ required: false
+ schema:
+ type: boolean
+ requestBody:
+ content:
+ multipart/form-data; Elastic-Api-Version=2023-10-31:
+ examples:
+ importObjectsRequest:
+ $ref: '#/components/examples/Serverless_saved_objects_import_objects_request'
+ schema:
+ type: object
+ properties:
+ file:
+ description: |
+ A file exported using the export API. NOTE: The `savedObjects.maxImportExportSize` configuration setting limits the number of saved objects which may be included in this file. Similarly, the `savedObjects.maxImportPayloadBytes` setting limits the overall size of the file that can be imported.
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ importObjectsResponse:
+ $ref: '#/components/examples/Serverless_saved_objects_import_objects_response'
+ schema:
+ type: object
+ properties:
+ errors:
+ description: |
+ Indicates the import was unsuccessful and specifies the objects that failed to import.
+
+ NOTE: One object may result in multiple errors, which requires separate steps to resolve. For instance, a `missing_references` error and conflict error.
+ items:
+ type: object
+ type: array
+ success:
+ description: |
+ Indicates when the import was successfully completed. When set to false, some objects may not have been created. For additional information, refer to the `errors` and `successResults` properties.
+ type: boolean
+ successCount:
+ description: Indicates the number of successfully imported records.
+ type: integer
+ successResults:
+ description: |
+ Indicates the objects that are successfully imported, with any metadata if applicable.
+
+ NOTE: Objects are created only when all resolvable errors are addressed, including conflicts and missing references. If objects are created as new copies, each entry in the `successResults` array includes a `destinationId` attribute.
+ items:
+ type: object
+ type: array
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Serverless_saved_objects_400_response'
+ description: Bad request.
+ summary: Import saved objects
+ tags:
+ - saved objects
+ x-codeSamples:
+ - label: Import with createNewCopies
+ lang: cURL
+ source: |
+ curl \
+ -X POST api/saved_objects/_import?createNewCopies=true
+ -H "kbn-xsrf: true"
+ --form file=@file.ndjson
+ x-beta: true
+ /api/security_ai_assistant/anonymization_fields/_bulk_action:
+ post:
+ description: Apply a bulk action to multiple anonymization fields. The bulk action is applied to all anonymization fields that match the filter or to the list of anonymization fields by their IDs.
+ operationId: PerformAnonymizationFieldsBulkAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ create:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps'
+ type: array
+ delete:
+ type: object
+ properties:
+ ids:
+ description: Array of anonymization fields IDs
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter anonymization fields
+ type: string
+ update:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps'
+ type: array
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse'
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ description: Generic Error
+ summary: Apply a bulk action to anonymization fields
+ tags:
+ - Security AI Assistant API
+ x-beta: true
+ /api/security_ai_assistant/anonymization_fields/_find:
+ get:
+ description: Get a list of all anonymization fields.
+ operationId: FindAnonymizationFields
+ parameters:
+ - in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Search query
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - description: Field to sort by
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField'
+ - description: Sort order
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
+ - description: Page number
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ minimum: 1
+ type: integer
+ - description: AnonymizationFields per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 20
+ minimum: 0
+ type: integer
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ data:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
+ type: array
+ page:
+ type: integer
+ perPage:
+ type: integer
+ total:
+ type: integer
+ required:
+ - page
+ - perPage
+ - total
+ - data
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ description: Generic Error
+ summary: Get anonymization fields
+ tags:
+ - Security AI Assistant API
+ x-beta: true
+ /api/security_ai_assistant/chat/complete:
+ post:
+ description: Create a model response for the given chat conversation.
+ operationId: ChatComplete
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps'
+ required: true
+ responses:
+ '200':
+ content:
+ application/octet-stream; Elastic-Api-Version=2023-10-31:
+ schema:
+ format: binary
+ type: string
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ description: Generic Error
+ summary: Create a model response
+ tags:
+ - Security AI Assistant API
+ x-beta: true
+ /api/security_ai_assistant/current_user/conversations:
+ post:
+ description: Create a new Security AI Assistant conversation.
+ operationId: CreateConversation
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCreateProps'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ description: Generic Error
+ summary: Create a conversation
+ tags:
+ - Security AI Assistant API
+ x-beta: true
+ /api/security_ai_assistant/current_user/conversations/_find:
+ get:
+ description: Get a list of all conversations for the current user.
+ operationId: FindConversations
+ parameters:
+ - in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Search query
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - description: Field to sort by
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_FindConversationsSortField'
+ - description: Sort order
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
+ - description: Page number
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ minimum: 1
+ type: integer
+ - description: Conversations per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 20
+ minimum: 0
+ type: integer
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ data:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ type: array
+ page:
+ type: integer
+ perPage:
+ type: integer
+ total:
+ type: integer
+ required:
+ - page
+ - perPage
+ - total
+ - data
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ description: Generic Error
+ summary: Get conversations
+ tags:
+ - Security AI Assistant API
+ x-beta: true
+ /api/security_ai_assistant/current_user/conversations/{id}:
+ delete:
+ description: Delete an existing conversation using the conversation ID.
+ operationId: DeleteConversation
+ parameters:
+ - description: The conversation's `id` value.
+ in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ description: Generic Error
+ summary: Delete a conversation
+ tags:
+ - Security AI Assistant API
+ x-beta: true
+ get:
+ description: Get the details of an existing conversation using the conversation ID.
+ operationId: ReadConversation
+ parameters:
+ - description: The conversation's `id` value.
+ in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ description: Generic Error
+ summary: Get a conversation
+ tags:
+ - Security AI Assistant API
+ x-beta: true
+ put:
+ description: Update an existing conversation using the conversation ID.
+ operationId: UpdateConversation
+ parameters:
+ - description: The conversation's `id` value.
+ in: path
+ name: id
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationResponse'
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ description: Generic Error
+ summary: Update a conversation
+ tags:
+ - Security AI Assistant API
+ x-beta: true
+ /api/security_ai_assistant/prompts/_bulk_action:
+ post:
+ description: Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs.
+ operationId: PerformPromptsBulkAction
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ create:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptCreateProps'
+ type: array
+ delete:
+ type: object
+ properties:
+ ids:
+ description: Array of prompts IDs
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter promps
+ type: string
+ update:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptUpdateProps'
+ type: array
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse'
+ description: Indicates a successful call.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ description: Generic Error
+ summary: Apply a bulk action to prompts
+ tags:
+ - Security AI Assistant API
+ x-beta: true
+ /api/security_ai_assistant/prompts/_find:
+ get:
+ description: Get a list of all prompts.
+ operationId: FindPrompts
+ parameters:
+ - in: query
+ name: fields
+ required: false
+ schema:
+ items:
+ type: string
+ type: array
+ - description: Search query
+ in: query
+ name: filter
+ required: false
+ schema:
+ type: string
+ - description: Field to sort by
+ in: query
+ name: sort_field
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_FindPromptsSortField'
+ - description: Sort order
+ in: query
+ name: sort_order
+ required: false
+ schema:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder'
+ - description: Page number
+ in: query
+ name: page
+ required: false
+ schema:
+ default: 1
+ minimum: 1
+ type: integer
+ - description: Prompts per page
+ in: query
+ name: per_page
+ required: false
+ schema:
+ default: 20
+ minimum: 0
+ type: integer
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ data:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
+ type: array
+ page:
+ type: integer
+ perPage:
+ type: integer
+ total:
+ type: integer
+ required:
+ - page
+ - perPage
+ - total
+ - data
+ description: Successful response
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: number
+ description: Generic Error
+ summary: Get prompts
+ tags:
+ - Security AI Assistant API
+ x-beta: true
+ /api/security/role:
+ get:
+ operationId: get-security-role
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
+ in: query
+ name: replaceDeprecatedPrivileges
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ description: Indicates a successful call.
+ summary: Get all roles
+ tags:
+ - roles
+ x-beta: true
+ /api/security/role/{name}:
+ delete:
+ operationId: delete-security-role-name
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - in: path
+ name: name
+ required: true
+ schema:
+ minLength: 1
+ type: string
+ responses:
+ '204':
+ description: Indicates a successful call.
+ summary: Delete a role
+ tags:
+ - roles
+ x-beta: true
+ get:
+ operationId: get-security-role-name
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: The role name.
+ in: path
+ name: name
+ required: true
+ schema:
+ minLength: 1
+ type: string
+ - description: If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
+ in: query
+ name: replaceDeprecatedPrivileges
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ description: Indicates a successful call.
+ summary: Get a role
+ tags:
+ - roles
+ x-beta: true
+ put:
+ description: Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.
+ operationId: put-security-role-name
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The role name.
+ in: path
+ name: name
+ required: true
+ schema:
+ maxLength: 1024
+ minLength: 1
+ type: string
+ - description: When true, a role is not overwritten if it already exists.
+ in: query
+ name: createOnly
+ required: false
+ schema:
+ default: false
+ type: boolean
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ description:
+ description: A description for the role.
+ maxLength: 2048
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ cluster:
+ items:
+ description: Cluster privileges that define the cluster level actions that users can perform.
+ type: string
+ type: array
+ indices:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ allow_restricted_indices:
+ description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
+ type: boolean
+ field_security:
+ additionalProperties:
+ items:
+ description: The document fields that the role members have read access to.
+ type: string
+ type: array
+ type: object
+ names:
+ items:
+ description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The index level privileges that the role members have for the data streams and indices.
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
+ type: string
+ required:
+ - names
+ - privileges
+ type: array
+ remote_cluster:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ clusters:
+ items:
+ description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
+ type: string
+ minItems: 1
+ type: array
+ required:
+ - privileges
+ - clusters
+ type: array
+ remote_indices:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ allow_restricted_indices:
+ description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
+ type: boolean
+ clusters:
+ items:
+ description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ type: string
+ minItems: 1
+ type: array
+ field_security:
+ additionalProperties:
+ items:
+ description: The document fields that the role members have read access to.
+ type: string
+ type: array
+ type: object
+ names:
+ items:
+ description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The index level privileges that role members have for the specified indices.
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. '
+ type: string
+ required:
+ - clusters
+ - names
+ - privileges
+ type: array
+ run_as:
+ items:
+ description: A user name that the role member can impersonate.
+ type: string
+ type: array
+ kibana:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ base:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - items:
+ description: A base privilege that grants applies to all spaces.
+ type: string
+ type: array
+ - items:
+ description: A base privilege that applies to specific spaces.
+ type: string
+ type: array
+ feature:
+ additionalProperties:
+ items:
+ description: The privileges that the role member has for the feature.
+ type: string
+ type: array
+ type: object
+ spaces:
+ anyOf:
+ - items:
+ enum:
+ - '*'
+ type: string
+ maxItems: 1
+ minItems: 1
+ type: array
+ - items:
+ description: A space that the privilege applies to.
+ type: string
+ type: array
+ default:
+ - '*'
+ required:
+ - base
+ type: array
+ metadata:
+ additionalProperties: {}
+ type: object
+ required:
+ - elasticsearch
+ responses:
+ '204':
+ description: Indicates a successful call.
+ summary: Create or update a role
+ tags:
+ - roles
+ x-beta: true
+ /api/security/roles:
+ post:
+ operationId: post-security-roles
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ roles:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ description:
+ description: A description for the role.
+ maxLength: 2048
+ type: string
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ cluster:
+ items:
+ description: Cluster privileges that define the cluster level actions that users can perform.
+ type: string
+ type: array
+ indices:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ allow_restricted_indices:
+ description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.
+ type: boolean
+ field_security:
+ additionalProperties:
+ items:
+ description: The document fields that the role members have read access to.
+ type: string
+ type: array
+ type: object
+ names:
+ items:
+ description: The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The index level privileges that the role members have for the data streams and indices.
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.
+ type: string
+ required:
+ - names
+ - privileges
+ type: array
+ remote_cluster:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ clusters:
+ items:
+ description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.
+ type: string
+ minItems: 1
+ type: array
+ required:
+ - privileges
+ - clusters
+ type: array
+ remote_indices:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ allow_restricted_indices:
+ description: Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.
+ type: boolean
+ clusters:
+ items:
+ description: A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.
+ type: string
+ minItems: 1
+ type: array
+ field_security:
+ additionalProperties:
+ items:
+ description: The document fields that the role members have read access to.
+ type: string
+ type: array
+ type: object
+ names:
+ items:
+ description: A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).
+ type: string
+ minItems: 1
+ type: array
+ privileges:
+ items:
+ description: The index level privileges that role members have for the specified indices.
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. '
+ type: string
+ required:
+ - clusters
+ - names
+ - privileges
+ type: array
+ run_as:
+ items:
+ description: A user name that the role member can impersonate.
+ type: string
+ type: array
+ kibana:
+ items:
+ additionalProperties: false
+ type: object
+ properties:
+ base:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - items:
+ description: A base privilege that grants applies to all spaces.
+ type: string
+ type: array
+ - items:
+ description: A base privilege that applies to specific spaces.
+ type: string
+ type: array
+ feature:
+ additionalProperties:
+ items:
+ description: The privileges that the role member has for the feature.
+ type: string
+ type: array
+ type: object
+ spaces:
+ anyOf:
+ - items:
+ enum:
+ - '*'
+ type: string
+ maxItems: 1
+ minItems: 1
+ type: array
+ - items:
+ description: A space that the privilege applies to.
+ type: string
+ type: array
+ default:
+ - '*'
+ required:
+ - base
+ type: array
+ metadata:
+ additionalProperties: {}
+ type: object
+ required:
+ - elasticsearch
+ type: object
+ required:
+ - roles
+ responses:
+ '200':
+ description: Indicates a successful call.
+ summary: Create or update roles
+ tags:
+ - roles
+ x-beta: true
+ /api/spaces/space:
+ get:
+ operationId: get-spaces-space
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: Specifies which authorization checks are applied to the API call. The default value is `any`.
+ in: query
+ name: purpose
+ required: false
+ schema:
+ enum:
+ - any
+ - copySavedObjectsIntoSpace
+ - shareSavedObjectsIntoSpace
+ type: string
+ - description: When enabled, the API returns any spaces that the user is authorized to access in any capacity and each space will contain the purposes for which the user is authorized. This can be useful to determine which spaces a user can read but not take a specific action in. If the security plugin is not enabled, this parameter has no effect, since no authorization checks take place. This parameter cannot be used in with the `purpose` parameter.
+ in: query
+ name: include_authorized_purposes
+ required: true
+ schema:
+ anyOf:
+ - items: {}
+ type: array
+ - type: boolean
+ - type: number
+ - type: object
+ - type: string
+ nullable: true
+ oneOf:
+ - enum:
+ - false
+ type: boolean
+ x-oas-optional: true
+ - type: boolean
+ x-oas-optional: true
+ responses:
+ '200':
+ description: Indicates a successful call.
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ getSpacesResponseExample1:
+ $ref: '#/components/examples/get_spaces_response1'
+ getSpacesResponseExample2:
+ $ref: '#/components/examples/get_spaces_response2'
+ summary: Get all spaces
+ tags:
+ - spaces
+ x-beta: true
+ post:
+ operationId: post-spaces-space
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ _reserved:
+ type: boolean
+ color:
+ description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
+ type: string
+ description:
+ description: A description for the space.
+ type: string
+ disabledFeatures:
+ default: []
+ items:
+ description: The list of features that are turned off in the space.
+ type: string
+ type: array
+ id:
+ description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.
+ type: string
+ imageUrl:
+ description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
+ type: string
+ initials:
+ description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
+ maxLength: 2
+ type: string
+ name:
+ description: 'The display name for the space. '
+ minLength: 1
+ type: string
+ required:
+ - id
+ - name
+ examples:
+ createSpaceRequest:
+ $ref: '#/components/examples/create_space_request'
+ responses:
+ '200':
+ description: Indicates a successful call.
+ summary: Create a space
+ tags:
+ - spaces
+ x-beta: true
+ /api/spaces/space/{id}:
+ delete:
+ description: When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone.
+ operationId: delete-spaces-space-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The space identifier.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '204':
+ description: Indicates a successful call.
+ '404':
+ description: Indicates that the request failed.
+ summary: Delete a space
+ tags:
+ - spaces
+ x-beta: true
+ get:
+ operationId: get-spaces-space-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: The space identifier.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ responses:
+ '200':
+ description: Indicates a successful call.
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ examples:
+ getSpaceResponseExample:
+ $ref: '#/components/examples/get_space_response'
+ summary: Get a space
+ tags:
+ - spaces
+ x-beta: true
+ put:
+ operationId: put-spaces-space-id
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ - description: The space identifier. You are unable to change the ID with the update operation.
+ in: path
+ name: id
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ additionalProperties: false
+ type: object
+ properties:
+ _reserved:
+ type: boolean
+ color:
+ description: The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.
+ type: string
+ description:
+ description: A description for the space.
+ type: string
+ disabledFeatures:
+ default: []
+ items:
+ description: The list of features that are turned off in the space.
+ type: string
+ type: array
+ id:
+ description: The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.
+ type: string
+ imageUrl:
+ description: The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.
+ type: string
+ initials:
+ description: One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.
+ maxLength: 2
+ type: string
+ name:
+ description: 'The display name for the space. '
+ minLength: 1
+ type: string
+ required:
+ - id
+ - name
+ examples:
+ updateSpaceRequest:
+ $ref: '#/components/examples/update_space_request'
+ responses:
+ '200':
+ description: Indicates a successful call.
+ summary: Update a space
+ tags:
+ - spaces
+ x-beta: true
+ /api/status:
+ get:
+ operationId: get-status
+ parameters:
+ - description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ - description: Set to "true" to get the response in v7 format.
+ in: query
+ name: v7format
+ required: false
+ schema:
+ type: boolean
+ - description: Set to "true" to get the response in v8 format.
+ in: query
+ name: v8format
+ required: false
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ anyOf:
+ - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response'
+ - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse'
+ description: Kibana's operational status. A minimal response is sent for unauthorized users.
+ description: Overall status is OK and Kibana should be functioning normally.
+ '503':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ anyOf:
+ - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response'
+ - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse'
+ description: Kibana's operational status. A minimal response is sent for unauthorized users.
+ description: Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable.
+ summary: Get Kibana's current status
+ tags:
+ - system
+ x-beta: true
+ /api/timeline:
+ delete:
+ description: Delete one or more Timelines or Timeline templates.
+ operationId: DeleteTimelines
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ savedObjectIds:
+ items:
+ type: string
+ type: array
+ searchIds:
+ description: Saved search ids that should be deleted alongside the timelines
+ items:
+ type: string
+ type: array
+ required:
+ - savedObjectIds
+ description: The IDs of the Timelines or Timeline templates to delete.
+ required: true
+ responses:
+ '200':
+ description: Indicates the Timeline was successfully deleted.
+ summary: Delete Timelines or Timeline templates
+ tags:
+ - Security Timeline API
+ x-beta: true
+ get:
+ description: Get the details of an existing saved Timeline or Timeline template.
+ operationId: GetTimeline
+ parameters:
+ - description: The ID of the template timeline to retrieve
+ in: query
+ name: template_timeline_id
+ schema:
+ type: string
+ - description: The ID of the Timeline to retrieve.
+ in: query
+ name: id
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
+ description: Indicates that the (template) Timeline was found and returned.
+ summary: Get Timeline or Timeline template details
+ tags:
+ - Security Timeline API
+ x-beta: true
+ patch:
+ description: Update an existing Timeline. You can update the title, description, date range, pinned events, pinned queries, and/or pinned saved queries of an existing Timeline.
+ operationId: PatchTimeline
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ timeline:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ timelineId:
+ nullable: true
+ type: string
+ version:
+ nullable: true
+ type: string
+ required:
+ - timelineId
+ - version
+ - timeline
+ description: The Timeline updates, along with the Timeline ID and version.
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ description: Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
+ '405':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ body:
+ type: string
+ statusCode:
+ type: number
+ description: Indicates that the user does not have the required access to create a draft Timeline.
+ summary: Update a Timeline
+ tags:
+ - Security Timeline API
+ x-beta: true
+ post:
+ description: Create a new Timeline or Timeline template.
+ operationId: CreateTimelines
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ status:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
+ nullable: true
+ templateTimelineId:
+ nullable: true
+ type: string
+ templateTimelineVersion:
+ nullable: true
+ type: number
+ timeline:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ timelineId:
+ nullable: true
+ type: string
+ timelineType:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ nullable: true
+ version:
+ nullable: true
+ type: string
+ required:
+ - timeline
+ description: The required Timeline fields used to create a new Timeline, along with optional fields that will be created if not provided.
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ description: Indicates the Timeline was successfully created.
+ '405':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ body:
+ type: string
+ statusCode:
+ type: number
+ description: Indicates that there was an error in the Timeline creation.
+ summary: Create a Timeline or Timeline template
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /api/timeline/_copy:
+ get:
+ description: |
+ Copies and returns a timeline or timeline template.
+ operationId: CopyTimeline
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ timeline:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ timelineIdToCopy:
+ type: string
+ required:
+ - timeline
+ - timelineIdToCopy
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ description: Indicates that the timeline has been successfully copied.
+ summary: Copies timeline or timeline template
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /api/timeline/_draft:
+ get:
+ description: Get the details of the draft Timeline or Timeline template for the current user. If the user doesn't have a draft Timeline, an empty Timeline is returned.
+ operationId: GetDraftTimelines
+ parameters:
+ - in: query
+ name: timelineType
+ required: true
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ description: Indicates that the draft Timeline was successfully retrieved.
+ '403':
+ content:
+ application:json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ type: number
+ description: If a draft Timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to create a draft Timeline.
+ '409':
+ content:
+ application:json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ type: number
+ description: This should never happen, but if a draft Timeline was not found and we attempted to create one, it indicates that there is already a draft Timeline with the given `timelineId`.
+ summary: Get draft Timeline or Timeline template details
+ tags:
+ - Security Timeline API
+ x-beta: true
+ post:
+ description: |
+ Create a clean draft Timeline or Timeline template for the current user.
+ > info
+ > If the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
+ operationId: CleanDraftTimelines
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ timelineType:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ required:
+ - timelineType
+ description: The type of Timeline to create. Valid values are `default` and `template`.
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_PersistTimelineResponse'
+ description: Indicates that the draft Timeline was successfully created. In the event the user already has a draft Timeline, the existing draft Timeline is cleared and returned.
+ '403':
+ content:
+ application:json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ type: number
+ description: Indicates that the user does not have the required permissions to create a draft Timeline.
+ '409':
+ content:
+ application:json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ type: number
+ description: Indicates that there is already a draft Timeline with the given `timelineId`.
+ summary: Create a clean draft Timeline or Timeline template
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /api/timeline/_export:
+ post:
+ description: Export Timelines as an NDJSON file.
+ operationId: ExportTimelines
+ parameters:
+ - description: The name of the file to export
+ in: query
+ name: file_name
+ required: true
+ schema:
+ type: string
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ ids:
+ items:
+ type: string
+ nullable: true
+ type: array
+ description: The IDs of the Timelines to export.
+ required: true
+ responses:
+ '200':
+ content:
+ application/ndjson; Elastic-Api-Version=2023-10-31:
+ schema:
+ description: NDJSON of the exported Timelines
+ type: string
+ description: Indicates the Timelines were successfully exported.
+ '400':
+ content:
+ application/ndjson; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ body:
+ type: string
+ statusCode:
+ type: number
+ description: Indicates that the export size limit was exceeded.
+ summary: Export Timelines
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /api/timeline/_favorite:
+ patch:
+ description: Favorite a Timeline or Timeline template for the current user.
+ operationId: PersistFavoriteRoute
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ templateTimelineId:
+ nullable: true
+ type: string
+ templateTimelineVersion:
+ nullable: true
+ type: number
+ timelineId:
+ nullable: true
+ type: string
+ timelineType:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ nullable: true
+ required:
+ - timelineId
+ - templateTimelineId
+ - templateTimelineVersion
+ - timelineType
+ description: The required fields used to favorite a (template) Timeline.
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResponse'
+ description: Indicates the favorite status was successfully updated.
+ '403':
+ content:
+ application:json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ body:
+ type: string
+ statusCode:
+ type: number
+ description: Indicates the user does not have the required permissions to persist the favorite status.
+ summary: Favorite a Timeline or Timeline template
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /api/timeline/_import:
+ post:
+ description: Import Timelines.
+ operationId: ImportTimelines
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ file: {}
+ isImmutable:
+ enum:
+ - 'true'
+ - 'false'
+ type: string
+ required:
+ - file
+ description: The Timelines to import as a readable stream.
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult'
+ description: Indicates the import of Timelines was successful.
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ body:
+ type: string
+ id:
+ type: string
+ statusCode:
+ type: number
+ description: Indicates the import of Timelines was unsuccessful because of an invalid file extension.
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ id:
+ type: string
+ statusCode:
+ type: number
+ description: Indicates that we were unable to locate the saved object client necessary to handle the import.
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ body:
+ type: string
+ id:
+ type: string
+ statusCode:
+ type: number
+ description: Indicates the import of Timelines was unsuccessful.
+ summary: Import Timelines
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /api/timeline/_prepackaged:
+ post:
+ description: Install or update prepackaged Timelines.
+ operationId: InstallPrepackedTimelines
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ prepackagedTimelines:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject'
+ nullable: true
+ type: array
+ timelinesToInstall:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines'
+ nullable: true
+ type: array
+ timelinesToUpdate:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines'
+ nullable: true
+ type: array
+ required:
+ - timelinesToInstall
+ - timelinesToUpdate
+ - prepackagedTimelines
+ description: The Timelines to install or update.
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_ImportTimelineResult'
+ description: Indicates the installation of prepackaged Timelines was successful.
+ '500':
+ content:
+ application:json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ body:
+ type: string
+ statusCode:
+ type: number
+ description: Indicates the installation of prepackaged Timelines was unsuccessful.
+ summary: Install prepackaged Timelines
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /api/timeline/resolve:
+ get:
+ operationId: ResolveTimeline
+ parameters:
+ - description: The ID of the template timeline to resolve
+ in: query
+ name: template_timeline_id
+ schema:
+ type: string
+ - description: The ID of the timeline to resolve
+ in: query
+ name: id
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_ResolvedTimeline'
+ description: The (template) Timeline has been found
+ '400':
+ description: The request is missing parameters
+ '404':
+ description: The (template) Timeline was not found
+ summary: Get an existing saved Timeline or Timeline template
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /api/timelines:
+ get:
+ description: Get a list of all saved Timelines or Timeline templates.
+ operationId: GetTimelines
+ parameters:
+ - description: If true, only timelines that are marked as favorites by the user are returned.
+ in: query
+ name: only_user_favorite
+ schema:
+ enum:
+ - 'true'
+ - 'false'
+ nullable: true
+ type: string
+ - in: query
+ name: timeline_type
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ nullable: true
+ - in: query
+ name: sort_field
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline'
+ - in: query
+ name: sort_order
+ schema:
+ enum:
+ - asc
+ - desc
+ type: string
+ - in: query
+ name: page_size
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: page_index
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: search
+ schema:
+ nullable: true
+ type: string
+ - in: query
+ name: status
+ schema:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus'
+ nullable: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ customTemplateTimelineCount:
+ type: number
+ defaultTimelineCount:
+ type: number
+ elasticTemplateTimelineCount:
+ type: number
+ favoriteCount:
+ type: number
+ templateTimelineCount:
+ type: number
+ timeline:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
+ type: array
+ totalCount:
+ type: number
+ required:
+ - timeline
+ - totalCount
+ description: Indicates that the (template) Timelines were found and returned.
+ '400':
+ content:
+ application:json; Elastic-Api-Version=2023-10-31:
+ schema:
+ type: object
+ properties:
+ body:
+ type: string
+ statusCode:
+ type: number
+ description: Bad request. The user supplied invalid data.
+ summary: Get Timelines or Timeline templates
+ tags:
+ - Security Timeline API
+ x-beta: true
+ /s/{spaceId}/api/observability/slos:
+ get:
+ description: |
+ You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: findSlosOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - description: A valid kql query to filter the SLO with
+ example: 'slo.name:latency* and slo.tags : "prod"'
+ in: query
+ name: kqlQuery
+ schema:
+ type: string
+ - description: The page to use for pagination, must be greater or equal than 1
+ example: 1
+ in: query
+ name: page
+ schema:
+ default: 1
+ type: integer
+ - description: Number of SLOs returned by page
+ example: 25
+ in: query
+ name: perPage
+ schema:
+ default: 25
+ maximum: 5000
+ type: integer
+ - description: Sort by field
+ example: status
+ in: query
+ name: sortBy
+ schema:
+ default: status
+ enum:
+ - sli_value
+ - status
+ - error_budget_consumed
+ - error_budget_remaining
+ type: string
+ - description: Sort order
+ example: asc
+ in: query
+ name: sortDirection
+ schema:
+ default: asc
+ enum:
+ - asc
+ - desc
+ type: string
+ - description: Hide stale SLOs from the list as defined by stale SLO threshold in SLO settings
+ in: query
+ name: hideStale
+ schema:
+ type: boolean
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_find_slo_response'
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Get a paginated list of SLOs
+ tags:
+ - slo
+ x-beta: true
+ post:
+ description: |
+ You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: createSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_create_slo_request'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_create_slo_response'
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '409':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_409_response'
+ description: Conflict - The SLO id already exists
+ summary: Create an SLO
+ tags:
+ - slo
+ x-beta: true
+ /s/{spaceId}/api/observability/slos/_delete_instances:
+ post:
+ description: |
+ The deletion occurs for the specified list of `sloId` and `instanceId`. You must have `all` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: deleteSloInstancesOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_delete_slo_instances_request'
+ required: true
+ responses:
+ '204':
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ summary: Batch delete rollup and summary data
+ tags:
+ - slo
+ x-beta: true
+ /s/{spaceId}/api/observability/slos/{sloId}:
+ delete:
+ description: |
+ You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: deleteSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ '204':
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Delete an SLO
+ tags:
+ - slo
+ x-beta: true
+ get:
+ description: |
+ You must have the `read` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: getSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ - description: the specific instanceId used by the summary calculation
+ example: host-abcde
+ in: query
+ name: instanceId
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_slo_with_summary_response'
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Get an SLO
+ tags:
+ - slo
+ x-beta: true
+ put:
+ description: |
+ You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: updateSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_update_slo_request'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_slo_definition_response'
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Update an SLO
+ tags:
+ - slo
+ x-beta: true
+ /s/{spaceId}/api/observability/slos/{sloId}/_reset:
+ post:
+ description: |
+ You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: resetSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_slo_definition_response'
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Reset an SLO
+ tags:
+ - slo
+ x-beta: true
+ /s/{spaceId}/api/observability/slos/{sloId}/disable:
+ post:
+ description: |
+ You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: disableSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ '204':
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Disable an SLO
+ tags:
+ - slo
+ x-beta: true
+ /s/{spaceId}/api/observability/slos/{sloId}/enable:
+ post:
+ description: |
+ You must have the `write` privileges for the **SLOs** feature in the **Observability** section of the Kibana feature privileges.
+ operationId: enableSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ '204':
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Enable an SLO
+ tags:
+ - slo
+ x-beta: true
+components:
+ examples:
+ Data_views_create_data_view_request:
+ summary: Create a data view with runtime fields.
+ value:
+ data_view:
+ name: My Logstash data view
+ runtimeFieldMap:
+ runtime_shape_name:
+ script:
+ source: emit(doc['shape_name'].value)
+ type: keyword
+ title: logstash-*
+ Data_views_create_runtime_field_request:
+ summary: Create a runtime field.
+ value:
+ name: runtimeFoo
+ runtimeField:
+ script:
+ source: emit(doc["foo"].value)
+ type: long
+ Data_views_get_data_view_response:
+ summary: The get data view API returns a JSON object that contains information about the data view.
+ value:
+ data_view:
+ allowNoIndex: false
+ fieldAttrs:
+ products.manufacturer:
+ count: 1
+ products.price:
+ count: 1
+ products.product_name:
+ count: 1
+ total_quantity:
+ count: 1
+ fieldFormats:
+ products.base_price:
+ id: number
+ params:
+ pattern: $0,0.00
+ products.base_unit_price:
+ id: number
+ params:
+ pattern: $0,0.00
+ products.min_price:
+ id: number
+ params:
+ pattern: $0,0.00
+ products.price:
+ id: number
+ params:
+ pattern: $0,0.00
+ products.taxful_price:
+ id: number
+ params:
+ pattern: $0,0.00
+ products.taxless_price:
+ id: number
+ params:
+ pattern: $0,0.00
+ taxful_total_price:
+ id: number
+ params:
+ pattern: $0,0.[00]
+ taxless_total_price:
+ id: number
+ params:
+ pattern: $0,0.00
+ fields:
+ _id:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - _id
+ format:
+ id: string
+ isMapped: true
+ name: _id
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ _index:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - _index
+ format:
+ id: string
+ isMapped: true
+ name: _index
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ _score:
+ aggregatable: false
+ count: 0
+ format:
+ id: number
+ isMapped: true
+ name: _score
+ readFromDocValues: false
+ scripted: false
+ searchable: false
+ shortDotsEnable: false
+ type: number
+ _source:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - _source
+ format:
+ id: _source
+ isMapped: true
+ name: _source
+ readFromDocValues: false
+ scripted: false
+ searchable: false
+ shortDotsEnable: false
+ type: _source
+ category:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - text
+ format:
+ id: string
+ isMapped: true
+ name: category
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ category.keyword:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: category.keyword
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ subType:
+ multi:
+ parent: category
+ type: string
+ currency:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: currency
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ customer_birth_date:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - date
+ format:
+ id: date
+ isMapped: true
+ name: customer_birth_date
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: date
+ customer_first_name:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - text
+ format:
+ id: string
+ isMapped: true
+ name: customer_first_name
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ customer_first_name.keyword:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: customer_first_name.keyword
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ subType:
+ multi:
+ parent: customer_first_name
+ type: string
+ customer_full_name:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - text
+ format:
+ id: string
+ isMapped: true
+ name: customer_full_name
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ customer_full_name.keyword:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: customer_full_name.keyword
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ subType:
+ multi:
+ parent: customer_full_name
+ type: string
+ customer_gender:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: customer_gender
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ customer_id:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: customer_id
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ customer_last_name:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - text
+ format:
+ id: string
+ isMapped: true
+ name: customer_last_name
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ customer_last_name.keyword:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: customer_last_name.keyword
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ subType:
+ multi:
+ parent: customer_last_name
+ type: string
+ customer_phone:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: customer_phone
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ day_of_week:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: day_of_week
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ day_of_week_i:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - integer
+ format:
+ id: number
+ isMapped: true
+ name: day_of_week_i
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ email:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: email
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ event.dataset:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: event.dataset
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ geoip.city_name:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: geoip.city_name
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ geoip.continent_name:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: geoip.continent_name
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ geoip.country_iso_code:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: geoip.country_iso_code
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ geoip.location:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - geo_point
+ format:
+ id: geo_point
+ params:
+ transform: wkt
+ isMapped: true
+ name: geoip.location
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: geo_point
+ geoip.region_name:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: geoip.region_name
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ manufacturer:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - text
+ format:
+ id: string
+ isMapped: true
+ name: manufacturer
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ manufacturer.keyword:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: manufacturer.keyword
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ subType:
+ multi:
+ parent: manufacturer
+ type: string
+ order_date:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - date
+ format:
+ id: date
+ isMapped: true
+ name: order_date
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: date
+ order_id:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: order_id
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ products._id:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - text
+ format:
+ id: string
+ isMapped: true
+ name: products._id
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ products._id.keyword:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: products._id.keyword
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ subType:
+ multi:
+ parent: products._id
+ type: string
+ products.base_price:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ params:
+ pattern: $0,0.00
+ isMapped: true
+ name: products.base_price
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.base_unit_price:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ params:
+ pattern: $0,0.00
+ isMapped: true
+ name: products.base_unit_price
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.category:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - text
+ format:
+ id: string
+ isMapped: true
+ name: products.category
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ products.category.keyword:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: products.category.keyword
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ subType:
+ multi:
+ parent: products.category
+ type: string
+ products.created_on:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - date
+ format:
+ id: date
+ isMapped: true
+ name: products.created_on
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: date
+ products.discount_amount:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ isMapped: true
+ name: products.discount_amount
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.discount_percentage:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ isMapped: true
+ name: products.discount_percentage
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.manufacturer:
+ aggregatable: false
+ count: 1
+ esTypes:
+ - text
+ format:
+ id: string
+ isMapped: true
+ name: products.manufacturer
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ products.manufacturer.keyword:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: products.manufacturer.keyword
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ subType:
+ multi:
+ parent: products.manufacturer
+ type: string
+ products.min_price:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ params:
+ pattern: $0,0.00
+ isMapped: true
+ name: products.min_price
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.price:
+ aggregatable: true
+ count: 1
+ esTypes:
+ - half_float
+ format:
+ id: number
+ params:
+ pattern: $0,0.00
+ isMapped: true
+ name: products.price
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.product_id:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - long
+ format:
+ id: number
+ isMapped: true
+ name: products.product_id
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.product_name:
+ aggregatable: false
+ count: 1
+ esTypes:
+ - text
+ format:
+ id: string
+ isMapped: true
+ name: products.product_name
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ products.product_name.keyword:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: products.product_name.keyword
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ subType:
+ multi:
+ parent: products.product_name
+ type: string
+ products.quantity:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - integer
+ format:
+ id: number
+ isMapped: true
+ name: products.quantity
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.sku:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: products.sku
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ products.tax_amount:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ isMapped: true
+ name: products.tax_amount
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.taxful_price:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ params:
+ pattern: $0,0.00
+ isMapped: true
+ name: products.taxful_price
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.taxless_price:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ params:
+ pattern: $0,0.00
+ isMapped: true
+ name: products.taxless_price
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ products.unit_discount_amount:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ isMapped: true
+ name: products.unit_discount_amount
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ sku:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: sku
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ taxful_total_price:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ params:
+ pattern: $0,0.[00]
+ isMapped: true
+ name: taxful_total_price
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ taxless_total_price:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - half_float
+ format:
+ id: number
+ params:
+ pattern: $0,0.00
+ isMapped: true
+ name: taxless_total_price
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ total_quantity:
+ aggregatable: true
+ count: 1
+ esTypes:
+ - integer
+ format:
+ id: number
+ isMapped: true
+ name: total_quantity
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ total_unique_products:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - integer
+ format:
+ id: number
+ isMapped: true
+ name: total_unique_products
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ type:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: type
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ user:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: user
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
+ name: Kibana Sample Data eCommerce
+ namespaces:
+ - default
+ runtimeFieldMap: {}
+ sourceFilters: []
+ timeFieldName: order_date
+ title: kibana_sample_data_ecommerce
+ typeMeta: {}
+ version: WzUsMV0=
+ Data_views_get_data_views_response:
+ summary: The get all data views API returns a list of data views.
+ value:
+ data_view:
+ - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
+ name: Kibana Sample Data eCommerce
+ namespaces:
+ - default
+ title: kibana_sample_data_ecommerce
+ typeMeta: {}
+ - id: d3d7af60-4c81-11e8-b3d7-01146121b73d
+ name: Kibana Sample Data Flights
+ namespaces:
+ - default
+ title: kibana_sample_data_flights
+ - id: 90943e30-9a47-11e8-b64d-95841ca0b247
+ name: Kibana Sample Data Logs
+ namespaces:
+ - default
+ title: kibana_sample_data_logs
+ Data_views_get_default_data_view_response:
+ summary: The get default data view API returns the default data view identifier.
+ value:
+ data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
+ Data_views_get_runtime_field_response:
+ summary: The get runtime field API returns a JSON object that contains information about the runtime field (`hour_of_day`) and the data view (`d3d7af60-4c81-11e8-b3d7-01146121b73d`).
+ value:
+ data_view:
+ allowNoIndex: false
+ fieldAttrs: {}
+ fieldFormats:
+ AvgTicketPrice:
+ id: number
+ params:
+ pattern: $0,0.[00]
+ hour_of_day:
+ id: number
+ params:
+ pattern: '00'
+ fields:
+ _id:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - _id
+ format:
+ id: string
+ isMapped: true
+ name: _id
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ _index:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - _index
+ format:
+ id: string
+ isMapped: true
+ name: _index
+ readFromDocValues: false
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ _score:
+ aggregatable: false
+ count: 0
+ format:
+ id: number
+ isMapped: true
+ name: _score
+ readFromDocValues: false
+ scripted: false
+ searchable: false
+ shortDotsEnable: false
+ type: number
+ _source:
+ aggregatable: false
+ count: 0
+ esTypes:
+ - _source
+ format:
+ id: _source
+ isMapped: true
+ name: _source
+ readFromDocValues: false
+ scripted: false
+ searchable: false
+ shortDotsEnable: false
+ type: _source
+ AvgTicketPrice:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - float
+ format:
+ id: number
+ params:
+ pattern: $0,0.[00]
+ isMapped: true
+ name: AvgTicketPrice
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ Cancelled:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - boolean
+ format:
+ id: boolean
+ isMapped: true
+ name: Cancelled
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: boolean
+ Carrier:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: Carrier
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ dayOfWeek:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - integer
+ format:
+ id: number
+ isMapped: true
+ name: dayOfWeek
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ Dest:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: Dest
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ DestAirportID:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: DestAirportID
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ DestCityName:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: DestCityName
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ DestCountry:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: DestCountry
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ DestLocation:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - geo_point
+ format:
+ id: geo_point
+ params:
+ transform: wkt
+ isMapped: true
+ name: DestLocation
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: geo_point
+ DestRegion:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: DestRegion
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ DestWeather:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: DestWeather
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ DistanceKilometers:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - float
+ format:
+ id: number
+ isMapped: true
+ name: DistanceKilometers
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ DistanceMiles:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - float
+ format:
+ id: number
+ isMapped: true
+ name: DistanceMiles
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ FlightDelay:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - boolean
+ format:
+ id: boolean
+ isMapped: true
+ name: FlightDelay
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: boolean
+ FlightDelayMin:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - integer
+ format:
+ id: number
+ isMapped: true
+ name: FlightDelayMin
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ FlightDelayType:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: FlightDelayType
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ FlightNum:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: FlightNum
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ FlightTimeHour:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: FlightTimeHour
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ FlightTimeMin:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - float
+ format:
+ id: number
+ isMapped: true
+ name: FlightTimeMin
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ hour_of_day:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - long
+ format:
+ id: number
+ params:
+ pattern: '00'
+ name: hour_of_day
+ readFromDocValues: false
+ runtimeField:
+ script:
+ source: emit(doc['timestamp'].value.getHour());
+ type: long
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ Origin:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: Origin
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ OriginAirportID:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: OriginAirportID
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ OriginCityName:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: OriginCityName
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ OriginCountry:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: OriginCountry
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ OriginLocation:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - geo_point
+ format:
+ id: geo_point
+ params:
+ transform: wkt
+ isMapped: true
+ name: OriginLocation
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: geo_point
+ OriginRegion:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: OriginRegion
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ OriginWeather:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - keyword
+ format:
+ id: string
+ isMapped: true
+ name: OriginWeather
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: string
+ timestamp:
+ aggregatable: true
+ count: 0
+ esTypes:
+ - date
+ format:
+ id: date
+ isMapped: true
+ name: timestamp
+ readFromDocValues: true
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: date
+ id: d3d7af60-4c81-11e8-b3d7-01146121b73d
+ name: Kibana Sample Data Flights
+ runtimeFieldMap:
+ hour_of_day:
+ script:
+ source: emit(doc['timestamp'].value.getHour());
+ type: long
+ sourceFilters: []
+ timeFieldName: timestamp
+ title: kibana_sample_data_flights
+ version: WzM2LDJd
+ fields:
+ - aggregatable: true
+ count: 0
+ esTypes:
+ - long
+ name: hour_of_day
+ readFromDocValues: false
+ runtimeField:
+ script:
+ source: emit(doc['timestamp'].value.getHour());
+ type: long
+ scripted: false
+ searchable: true
+ shortDotsEnable: false
+ type: number
+ Data_views_preview_swap_data_view_request:
+ summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123".
+ value:
+ fromId: abcd-efg
+ toId: xyz-123
+ Data_views_set_default_data_view_request:
+ summary: Set the default data view identifier.
+ value:
+ data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f
+ force: true
+ Data_views_swap_data_view_request:
+ summary: Swap references from data view ID "abcd-efg" to "xyz-123" and remove the data view that is no longer referenced.
+ value:
+ delete: true
+ fromId: abcd-efg
+ toId: xyz-123
+ Data_views_update_data_view_request:
+ summary: Update some properties for a data view.
+ value:
+ data_view:
+ allowNoIndex: false
+ name: Kibana Sample Data eCommerce
+ timeFieldName: order_date
+ title: kibana_sample_data_ecommerce
+ refresh_fields: true
+ Data_views_update_field_metadata_request:
+ summary: Update metadata for multiple fields.
+ value:
+ fields:
+ field1:
+ count: 123
+ customLabel: Field 1 label
+ field2:
+ customDescription: Field 2 description
+ customLabel: Field 2 label
+ Data_views_update_runtime_field_request:
+ summary: Update an existing runtime field on a data view.
+ value:
+ runtimeField:
+ script:
+ source: emit(doc["bar"].value)
+ Machine_learning_APIs_mlSyncExample:
+ summary: Two anomaly detection jobs required synchronization in this example.
+ value:
+ datafeedsAdded: {}
+ datafeedsRemoved: {}
+ savedObjectsCreated:
+ anomaly-detector:
+ myjob1:
+ success: true
+ myjob2:
+ success: true
+ savedObjectsDeleted: {}
+ Serverless_saved_objects_export_objects_request:
+ summary: Export a specific saved object.
+ value:
+ excludeExportDetails: true
+ includeReferencesDeep: false
+ objects:
+ - id: de71f4f0-1902-11e9-919b-ffe5949a18d2
+ type: map
+ Serverless_saved_objects_export_objects_response:
+ summary: The export objects API response contains a JSON record for each exported object.
+ value:
+ attributes:
+ description: ''
+ layerListJSON: '[{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total Requests by Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web logs count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual 
Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total Requests and Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web logs 
count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}]'
+ mapStateJSON: '{"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}}'
+ title: '[Logs] Total Requests and Bytes'
+ uiStateJSON: '{"isDarkMode":false}'
+ coreMigrationVersion: 8.8.0
+ created_at: '2023-08-23T20:03:32.204Z'
+ id: de71f4f0-1902-11e9-919b-ffe5949a18d2
+ managed: false
+ references:
+ - id: 90943e30-9a47-11e8-b64d-95841ca0b247
+ name: layer_1_join_0_index_pattern
+ type: index-pattern
+ - id: 90943e30-9a47-11e8-b64d-95841ca0b247
+ name: layer_2_source_index_pattern
+ type: index-pattern
+ - id: 90943e30-9a47-11e8-b64d-95841ca0b247
+ name: layer_3_source_index_pattern
+ type: index-pattern
+ type: map
+ typeMigrationVersion: 8.4.0
+ updated_at: '2023-08-23T20:03:32.204Z'
+ version: WzEzLDFd
+ Serverless_saved_objects_import_objects_request:
+ value:
+ file: file.ndjson
+ Serverless_saved_objects_import_objects_response:
+ summary: The import objects API response indicates a successful import and the objects are created. Since these objects are created as new copies, each entry in the successResults array includes a destinationId attribute.
+ value:
+ success: true
+ successCount: 1
+ successResults:
+ - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943
+ id: 90943e30-9a47-11e8-b64d-95841ca0b247
+ managed: false
+ meta:
+ icon: indexPatternApp
+ title: Kibana Sample Data Logs
+ type: index-pattern
+ get_connector_types_generativeai_response:
+ summary: A list of connector types for the `generativeAI` feature.
+ value:
+ - id: .gen-ai
+ name: OpenAI
+ enabled: true
+ enabled_in_config: true
+ enabled_in_license: true
+ minimum_license_required: enterprise
+ supported_feature_ids:
+ - generativeAIForSecurity
+ - generativeAIForObservability
+ - generativeAIForSearchPlayground
+ is_system_action_type: false
+ - id: .bedrock
+ name: AWS Bedrock
+ enabled: true
+ enabled_in_config: true
+ enabled_in_license: true
+ minimum_license_required: enterprise
+ supported_feature_ids:
+ - generativeAIForSecurity
+ - generativeAIForObservability
+ - generativeAIForSearchPlayground
+ is_system_action_type: false
+ - id: .gemini
+ name: Google Gemini
+ enabled: true
+ enabled_in_config: true
+ enabled_in_license: true
+ minimum_license_required: enterprise
+ supported_feature_ids:
+ - generativeAIForSecurity
+ is_system_action_type: false
+ get_connector_response:
+ summary: Get connector details.
+ value:
+ id: df770e30-8b8b-11ed-a780-3b746c987a81
+ name: my_server_log_connector
+ config: {}
+ connector_type_id: .server-log
+ is_preconfigured: false
+ is_deprecated: false
+ is_missing_secrets: false
+ is_system_action: false
+ update_index_connector_request:
+ summary: Update an index connector.
+ value:
+ name: updated-connector
+ config:
+ index: updated-index
+ create_email_connector_request:
+ summary: Create an email connector.
+ value:
+ name: email-connector-1
+ connector_type_id: .email
+ config:
+ from: tester@example.com
+ hasAuth: true
+ host: https://example.com
+ port: 1025
+ secure: false
+ service: other
+ secrets:
+ user: username
+ password: password
+ create_index_connector_request:
+ summary: Create an index connector.
+ value:
+ name: my-connector
+ connector_type_id: .index
+ config:
+ index: test-index
+ create_webhook_connector_request:
+ summary: Create a webhook connector with SSL authentication.
+ value:
+ name: my-webhook-connector
+ connector_type_id: .webhook
+ config:
+ method: post
+ url: https://example.com
+ authType: webhook-authentication-ssl
+ certType: ssl-crt-key
+ secrets:
+ crt: QmFnIEF0dH...
+ key: LS0tLS1CRUdJ...
+ password: my-passphrase
+ create_xmatters_connector_request:
+ summary: Create an xMatters connector with URL authentication.
+ value:
+ name: my-xmatters-connector
+ connector_type_id: .xmatters
+ config:
+ usesBasic: false
+ secrets:
+ secretsUrl: https://example.com?apiKey=xxxxx
+ create_email_connector_response:
+ summary: A new email connector.
+ value:
+ id: 90a82c60-478f-11ee-a343-f98a117c727f
+ connector_type_id: .email
+ name: email-connector-1
+ config:
+ from: tester@example.com
+ service: other
+ host: https://example.com
+ port: 1025
+ secure: false
+ hasAuth: true
+ tenantId: null
+ clientId: null
+ oauthTokenUrl: null
+ is_preconfigured: false
+ is_deprecated: false
+ is_missing_secrets: false
+ is_system_action: false
+ create_index_connector_response:
+ summary: A new index connector.
+ value:
+ id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad
+ connector_type_id: .index
+ name: my-connector
+ config:
+ index: test-index
+ refresh: false
+ executionTimeField: null
+ is_preconfigured: false
+ is_deprecated: false
+ is_missing_secrets: false
+ is_system_action: false
+ create_webhook_connector_response:
+ summary: A new webhook connector.
+ value:
+ id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd
+ name: my-webhook-connector
+ config:
+ method: post
+ url: https://example.com
+ authType: webhook-authentication-ssl
+ certType: ssl-crt-key
+ verificationMode: full
+ headers: null
+ hasAuth: true
+ connector_type_id: .webhook
+ is_preconfigured: false
+ is_deprecated: false
+ is_missing_secrets: false
+ is_system_action: false
+ run_index_connector_request:
+ summary: Run an index connector.
+ value:
+ params:
+ documents:
+ - id: my_doc_id
+ name: my_doc_name
+ message: hello, world
+ run_jira_connector_request:
+ summary: Run a Jira connector to retrieve the list of issue types.
+ value:
+ params:
+ subAction: issueTypes
+ run_servicenow_itom_connector_request:
+ summary: Run a ServiceNow ITOM connector to retrieve the list of choices.
+ value:
+ params:
+ subAction: getChoices
+ subActionParams:
+ fields:
+ - severity
+ - urgency
+ run_slack_api_connector_request:
+ summary: Run a Slack connector that uses the web API method to post a message on a channel.
+ value:
+ params:
+ subAction: postMessage
+ subActionParams:
+ channelIds:
+ - C123ABC456
+ text: A test message.
+ run_swimlane_connector_request:
+ summary: Run a Swimlane connector to create an incident.
+ value:
+ params:
+ subAction: pushToService
+ subActionParams:
+ comments:
+ - commentId: 1
+ comment: A comment about the incident.
+ incident:
+ caseId: '1000'
+ caseName: Case name
+ description: Description of the incident.
+ run_index_connector_response:
+ summary: Response from running an index connector.
+ value:
+ connector_id: fd38c600-96a5-11ed-bb79-353b74189cba
+ data:
+ errors: false
+ items:
+ - create:
+ _id: 4JtvwYUBrcyxt2NnfW3y
+ _index: my-index
+ _primary_term: 1
+ _seq_no: 0
+ _shards:
+ failed: 0
+ successful: 1
+ total: 2
+ _version: 1
+ result: created
+ status: 201
+ took: 135
+ status: ok
+ run_jira_connector_response:
+ summary: Response from retrieving the list of issue types for a Jira connector.
+ value:
+ connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6
+ data:
+ - id: 10024
+ name: Improvement
+ - id: 10006
+ name: Task
+ - id: 10007
+ name: Sub-task
+ - id: 10025
+ name: New Feature
+ - id: 10023
+ name: Bug
+ - id: 10000
+ name: Epic
+ status: ok
+ run_server_log_connector_response:
+ summary: Response from running a server log connector.
+ value:
+ connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907
+ status: ok
+ run_servicenow_itom_connector_response:
+ summary: Response from retrieving the list of choices for a ServiceNow ITOM connector.
+ value:
+ connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698
+ data:
+ - dependent_value: ''
+ element: severity
+ label: Critical
+ value: 1
+ - dependent_value: ''
+ element: severity
+ label: Major
+ value: 2
+ - dependent_value: ''
+ element: severity
+ label: Minor
+ value: 3
+ - dependent_value: ''
+ element: severity
+ label: Warning
+ value: 4
+ - dependent_value: ''
+ element: severity
+ label: OK
+ value: 5
+ - dependent_value: ''
+ element: severity
+ label: Clear
+ value: 0
+ - dependent_value: ''
+ element: urgency
+ label: 1 - High
+ value: 1
+ - dependent_value: ''
+ element: urgency
+ label: 2 - Medium
+ value: 2
+ - dependent_value: ''
+ element: urgency
+ label: 3 - Low
+ value: 3
+ status: ok
+ run_slack_api_connector_response:
+ summary: Response from posting a message with a Slack connector.
+ value:
+ status: ok
+ data:
+ ok: true
+ channel: C123ABC456
+ ts: '1234567890.123456'
+ message:
+ bot_id: B12BCDEFGHI
+ type: message
+ text: A test message
+ user: U12A345BC6D
+ ts: '1234567890.123456'
+ app_id: A01BC2D34EF
+ blocks:
+ - type: rich_text
+ block_id: /NXe
+ elements:
+ - type: rich_text_section
+ elements:
+ - type: text
+ text: A test message.
+ team: T01ABCDE2F
+ bot_profile:
+ id: B12BCDEFGHI
+ app_id: A01BC2D34EF
+ name: test
+ icons:
+ image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png
+ deleted: false
+ updated: 1672169705
+ team_id: T01ABCDE2F
+ connector_id: .slack_api
+ run_swimlane_connector_response:
+ summary: Response from creating a Swimlane incident.
+ value:
+ connector_id: a4746470-2f94-11ed-b0e0-87533c532698
+ data:
+ id: aKPmBHWzmdRQtx6Mx
+ title: TEST-457
+ url: https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx
+ pushedDate: '2022-09-08T16:52:27.866Z'
+ comments:
+ - commentId: 1
+ pushedDate: '2022-09-08T16:52:27.865Z'
+ status: ok
+ get_connectors_response:
+ summary: A list of connectors
+ value:
+ - id: preconfigured-email-connector
+ name: my-preconfigured-email-notification
+ connector_type_id: .email
+ is_preconfigured: true
+ is_deprecated: false
+ referenced_by_count: 0
+ is_system_action: false
+ - id: e07d0c80-8b8b-11ed-a780-3b746c987a81
+ name: my-index-connector
+ config:
+ index: test-index
+ refresh: false
+ executionTimeField: null
+ connector_type_id: .index
+ is_preconfigured: false
+ is_deprecated: false
+ referenced_by_count: 2
+ is_missing_secrets: false
+ is_system_action: false
+ update_rule_request:
+ summary: Index threshold rule
+ description: Update an index threshold rule that uses a server log connector to send notifications when the threshold is met.
+ value:
+ actions:
+ - frequency:
+ summary: false
+ notify_when: onActionGroupChange
+ group: threshold met
+ id: 96b668d0-a1b6-11ed-afdf-d39a49596974
+ params:
+ level: info
+ message: |-
+ Rule {{rule.name}} is active for group {{context.group}}:
+
+ - Value: {{context.value}}
+ - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
+ - Timestamp: {{context.date}}
+ params:
+ aggField: sheet.version
+ aggType: avg
+ index:
+ - .updated-index
+ groupBy: top
+ termField: name.keyword
+ termSize: 6
+ threshold:
+ - 1000
+ thresholdComparator: '>'
+ timeField: '@timestamp'
+ timeWindowSize: 5
+ timeWindowUnit: m
+ name: new name
+ schedule:
+ interval: 1m
+ tags: []
+ update_rule_response:
+ summary: Index threshold rule
+ description: The response for successfully updating an index threshold rule.
+ value:
+ id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74
+ consumer: alerts
+ tags: []
+ name: new name
+ enabled: true
+ throttle: null
+ revision: 1
+ running: false
+ schedule:
+ interval: 1m
+ params:
+ index:
+ - .updated-index
+ timeField: '@timestamp'
+ groupBy: top
+ aggType: avg
+ timeWindowSize: 5
+ timeWindowUnit: m
+ thresholdComparator: '>'
+ threshold:
+ - 1000
+ aggField: sheet.version
+ termField: name.keyword
+ termSize: 6
+ api_key_owner: elastic
+ created_by: elastic
+ updated_by: elastic
+ rule_type_id: .index-threshold
+ scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea
+ created_at: '2024-03-26T23:13:20.985Z'
+ updated_at: '2024-03-26T23:22:59.949Z'
+ mute_all: false
+ muted_alert_ids: []
+ execution_status:
+ status: ok
+ last_execution_date: '2024-03-26T23:22:51.390Z'
+ last_duration: 52
+ actions:
+ - group: threshold met
+ params:
+ level: info
+ message: |-
+ Rule {{rule.name}} is active for group {{context.group}}:
+
+ - Value: {{context.value}}
+ - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
+ - Timestamp: {{context.date}
+ id: 96b668d0-a1b6-11ed-afdf-d39a49596974
+ uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d
+ connector_type_id: .server-log
+ frequency:
+ summary: false
+ throttle: null
+ notify_when: onActionGroupChange
+ last_run:
+ alerts_count:
+ new: 0
+ ignored: 0
+ recovered: 0
+ active: 0
+ outcome_msg: null
+ warning: null
+ outcome: succeeded
+ next_run: '2024-03-26T23:23:51.316Z'
+ api_key_created_by_user: false
+ create_es_query_esql_rule_request:
+ summary: Elasticsearch query rule (ES|QL)
+ description: |
+ Create an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL) to define its query and a server log connector to send notifications.
+ value:
+ name: my Elasticsearch query ESQL rule
+ params:
+ searchType: esqlQuery
+ esqlQuery:
+ esql: FROM kibana_sample_data_logs | KEEP bytes, clientip, host, geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | LIMIT 10
+ timeField: '@timestamp'
+ timeWindowSize: 1
+ timeWindowUnit: d
+ size: 0
+ thresholdComparator: '>'
+ threshold:
+ - 0
+ consumer: stackAlerts
+ rule_type_id: .es-query
+ schedule:
+ interval: 1d
+ actions:
+ - group: query matched
+ id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
+ params:
+ level: info
+ message: |-
+ Elasticsearch query rule '{{rule.name}}' is active:
+ - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}
+ frequency:
+ summary: false
+ notify_when: onActiveAlert
+ create_es_query_rule_request:
+ summary: Elasticsearch query rule (DSL)
+ description: |
+ Create an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL) to define its query and a server log connector to send notifications.
+ value:
+ actions:
+ - group: query matched
+ params:
+ level: info
+ message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts.
+ id: fdbece50-406c-11ee-850e-c71febc4ca7f
+ frequency:
+ throttle: 1d
+ summary: true
+ notify_when: onThrottleInterval
+ - group: recovered
+ params:
+ level: info
+ message: Recovered
+ id: fdbece50-406c-11ee-850e-c71febc4ca7f
+ frequency:
+ summary: false
+ notify_when: onActionGroupChange
+ consumer: alerts
+ name: my Elasticsearch query rule
+ params:
+ esQuery: '"""{"query":{"match_all" : {}}}"""'
+ index:
+ - kibana_sample_data_logs
+ size: 100
+ threshold:
+ - 100
+ thresholdComparator: '>'
+ timeField: '@timestamp'
+ timeWindowSize: 1
+ timeWindowUnit: d
+ rule_type_id: .es-query
+ schedule:
+ interval: 1d
+ create_es_query_kql_rule_request:
+ summary: Elasticsearch query rule (KQL)
+ description: Create an Elasticsearch query rule that uses Kibana query language (KQL).
+ value:
+ consumer: alerts
+ name: my Elasticsearch query KQL rule
+ params:
+ aggType: count
+ excludeHitsFromPreviousRun: true
+ groupBy: all
+ searchConfiguration:
+ query:
+ query: '""geo.src : "US" ""'
+ language: kuery
+ index: 90943e30-9a47-11e8-b64d-95841ca0b247
+ searchType: searchSource
+ size: 100
+ threshold:
+ - 1000
+ thresholdComparator: '>'
+ timeWindowSize: 5
+ timeWindowUnit: m
+ rule_type_id: .es-query
+ schedule:
+ interval: 1m
+ create_index_threshold_rule_request:
+ summary: Index threshold rule
+ description: |
+ Create an index threshold rule that uses a server log connector to send notifications when the threshold is met.
+ value:
+ actions:
+ - id: 48de3460-f401-11ed-9f8e-399c75a2deeb
+ frequency:
+ notify_when: onActionGroupChange
+ summary: false
+ group: threshold met
+ params:
+ level: info
+ message: |-
+ Rule '{{rule.name}}' is active for group '{{context.group}}':
+
+ - Value: {{context.value}}
+ - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
+ - Timestamp: {{context.date}}
+ alert_delay:
+ active: 3
+ consumer: alerts
+ name: my rule
+ params:
+ aggType: avg
+ termSize: 6
+ thresholdComparator: '>'
+ timeWindowSize: 5
+ timeWindowUnit: m
+ groupBy: top
+ threshold:
+ - 1000
+ index:
+ - .test-index
+ timeField: '@timestamp'
+ aggField: sheet.version
+ termField: name.keyword
+ rule_type_id: .index-threshold
+ schedule:
+ interval: 1m
+ tags:
+ - cpu
+ create_tracking_containment_rule_request:
+ summary: Tracking containment rule
+ description: |
+ Create a tracking containment rule that checks when an entity is contained or no longer contained within a boundary.
+ value:
+ consumer: alerts
+ name: my tracking rule
+ params:
+ index: kibana_sample_data_logs
+ dateField": '@timestamp'
+ geoField: geo.coordinates
+ entity: agent.keyword
+ boundaryType: entireIndex
+ boundaryIndexTitle: boundary*
+ boundaryGeoField: location
+ boundaryNameField: name
+ indexId: 90943e30-9a47-11e8-b64d-95841ca0b247
+ boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc
+ rule_type_id: .geo-containment
+ schedule:
+ interval: 1h
+ create_es_query_esql_rule_response:
+ summary: Elasticsearch query rule (ES|QL)
+ description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch Query Language (ES|QL).
+ value:
+ id: e0d62360-78e8-11ee-9177-f7d404c8c945
+ enabled: true
+ name: my Elasticsearch query ESQL rule
+ tags: []
+ rule_type_id: .es-query
+ consumer: stackAlerts
+ schedule:
+ interval: 1d
+ actions:
+ - group: query matched
+ id: d0db1fe0-78d6-11ee-9177-f7d404c8c945
+ params:
+ level: info
+ message: |-
+ Elasticsearch query rule '{{rule.name}}' is active:
+ - Value: {{context.value}} - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - Timestamp: {{context.date}} - Link: {{context.link}}
+ connector_type_id: .server-log
+ frequency:
+ summary: false
+ notify_when: onActiveAlert
+ throttle: null
+ uuid: bfe370a3-531b-4855-bbe6-ad739f578844
+ params:
+ searchType: esqlQuery
+ esqlQuery:
+ esql: FROM kibana_sample_data_logs | keep bytes, clientip, host, geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | limit 10
+ timeField: '@timestamp'
+ timeWindowSize: 1
+ timeWindowUnit: d
+ size: 0
+ thresholdComparator: '>'
+ threshold:
+ - 0
+ excludeHitsFromPreviousRun": true,
+ aggType: count
+ groupBy: all
+ scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945
+ created_by: elastic
+ updated_by: elastic",
+ created_at: '2023-11-01T19:00:10.453Z'
+ updated_at: '2023-11-01T19:00:10.453Z'
+ api_key_owner: elastic
+ api_key_created_by_user: false
+ throttle: null
+ mute_all: false
+ notify_when: null
+ muted_alert_ids: []
+ execution_status:
+ status: pending
+ last_execution_date: '2023-11-01T19:00:10.453Z'
+ revision: 0
+ running: false
+ create_es_query_rule_response:
+ summary: Elasticsearch query rule (DSL)
+ description: The response for successfully creating an Elasticsearch query rule that uses Elasticsearch query domain specific language (DSL).
+ value:
+ id: 58148c70-407f-11ee-850e-c71febc4ca7f
+ enabled: true
+ name: my Elasticsearch query rule
+ tags: []
+ rule_type_id: .es-query
+ consumer: alerts
+ schedule:
+ interval: 1d
+ actions:
+ - group: query matched
+ id: fdbece50-406c-11ee-850e-c71febc4ca7f
+ params:
+ level: info
+ message: The system has detected {{alerts.new.count}} new, {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} recovered alerts.
+ connector_type_id: .server-log
+ frequency:
+ summary: true
+ notify_when: onThrottleInterval
+ throttle: 1d
+ uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78
+ - group: recovered
+ id: fdbece50-406c-11ee-850e-c71febc4ca7f
+ params:
+ level: info
+ message: Recovered
+ connector_type_id: .server-log
+ frequency:
+ summary: false
+ notify_when: onActionGroupChange
+ throttle: null
+ uuid: 2324e45b-c0df-45c7-9d70-4993e30be758
+ params:
+ thresholdComparator: '>'
+ timeWindowSize: 1
+ timeWindowUnit: d
+ threshold:
+ - 100
+ size: 100
+ timeField: '@timestamp'
+ index:
+ - kibana_sample_data_logs
+ esQuery: '"""{"query":{"match_all" : {}}}"""'
+ excludeHitsFromPreviousRun: true
+ aggType: count
+ groupBy: all
+ searchType: esQuery
+ scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f
+ created_by: elastic
+ updated_by: elastic
+ created_at: '2023-08-22T00:03:38.263Z'
+ updated_at: '2023-08-22T00:03:38.263Z'
+ api_key_owner: elastic
+ api_key_created_by_user: false
+ throttle: null
+ mute_all: false
+ notify_when: null
+ muted_alert_ids: []
+ execution_status:
+ status: pending
+ last_execution_date: '2023-08-22T00:03:38.263Z'
+ revision: 0
+ running: false
+ create_es_query_kql_rule_response:
+ summary: Elasticsearch query rule (KQL)
+ description: The response for successfully creating an Elasticsearch query rule that uses Kibana query language (KQL).
+ value:
+ id: 7bd506d0-2284-11ee-8fad-6101956ced88
+ enabled: true
+ name: my Elasticsearch query KQL rule"
+ tags: []
+ rule_type_id: .es-query
+ consumer: alerts
+ schedule:
+ interval: 1m
+ actions: []
+ params:
+ searchConfiguration:
+ query:
+ query: '""geo.src : "US" ""'
+ language: kuery
+ index: 90943e30-9a47-11e8-b64d-95841ca0b247
+ searchType: searchSource
+ timeWindowSize: 5
+ timeWindowUnit: m
+ threshold:
+ - 1000
+ thresholdComparator: '>'
+ size: 100
+ aggType: count
+ groupBy: all
+ excludeHitsFromPreviousRun: true
+ created_by: elastic
+ updated_by: elastic
+ created_at: '2023-07-14T20:24:50.729Z'
+ updated_at: '2023-07-14T20:24:50.729Z'
+ api_key_owner: elastic
+ api_key_created_by_user: false
+ throttle: null
+ notify_when: null
+ mute_all: false
+ muted_alert_ids: []
+ scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88
+ execution_status:
+ status: pending
+ last_execution_date: '2023-07-14T20:24:50.729Z'
+ revision: 0
+ running: false
+ create_index_threshold_rule_response:
+ summary: Index threshold rule
+ description: The response for successfully creating an index threshold rule.
+ value:
+ actions:
+ - group: threshold met
+ id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2
+ uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d
+ connector_type_id: .server-log
+ frequency:
+ notify_when: onActionGroupChange
+ summary: false
+ throttle: null
+ params:
+ level: info
+ message: |-
+ Rule {{rule.name}} is active for group {{context.group} :
+
+ - Value: {{context.value}}
+ - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
+ - Timestamp: {{context.date}}
+ alert_delay:
+ active: 3
+ api_key_created_by_user: false
+ api_key_owner: elastic
+ consumer: alerts
+ created_at: '2022-06-08T17:20:31.632Z'
+ created_by: elastic
+ enabled: true
+ execution_status:
+ last_execution_date: '2022-06-08T17:20:31.632Z'
+ status: pending
+ id: 41893910-6bca-11eb-9e0d-85d233e3ee35
+ muted_alert_ids: []
+ mute_all: false
+ name: my rule
+ notify_when: null
+ params:
+ aggType: avg
+ termSize: 6
+ thresholdComparator: '>'
+ timeWindowSize: 5
+ timeWindowUnit: m
+ groupBy: top
+ threshold:
+ - 1000
+ index:
+ - .test-index
+ timeField: '@timestamp'
+ aggField: sheet.version
+ termField: name.keyword
+ revision: 0
+ rule_type_id: .index-threshold
+ running: false
+ schedule:
+ interval: 1m
+ scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35
+ tags:
+ - cpu
+ throttle: null
+ updated_at: '2022-06-08T17:20:31.632Z'
+ updated_by: elastic
+ create_tracking_containment_rule_response:
+ summary: Tracking containment rule
+ description: The response for successfully creating a tracking containment rule.
+ value:
+ id: b6883f9d-5f70-4758-a66e-369d7c26012f
+ name: my tracking rule
+ tags: []
+ enabled: true
+ consumer: alerts
+ throttle: null
+ revision: 1
+ running: false
+ schedule:
+ interval: 1h
+ params:
+ index: kibana_sample_data_logs
+ dateField: '@timestamp'
+ geoField: geo.coordinates
+ entity: agent.keyword
+ boundaryType: entireIndex
+ boundaryIndexTitle: boundary*
+ boundaryGeoField: location
+ boundaryNameField: name
+ indexId: 90943e30-9a47-11e8-b64d-95841ca0b247
+ boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc
+ rule_type_id: .geo-containment
+ created_by: elastic
+ updated_by: elastic
+ created_at: '2024-02-14T19:52:55.920Z'
+ updated_at: '2024-02-15T03:24:32.574Z'
+ api_key_owner: elastic
+ notify_when: null
+ mute_all: false
+ muted_alert_ids: []
+ scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f
+ execution_status:
+ status: ok
+ last_execution_date: '2024-02-15T03:25:38.125Z'
+ last_duration: 74
+ actions: []
+ last_run:
+ alerts_count:
+ active: 0
+ new: 0
+ recovered: 0
+ ignored: 0
+ outcome_msg: null
+ outcome_order: 0
+ outcome: succeeded
+ warning: null
+ next_run: '2024-02-15T03:26:38.033Z'
+ api_key_created_by_user: false
+ find_rules_response:
+ summary: Index threshold rule
+ description: A response that contains information about an index threshold rule.
+ value:
+ page: 1
+ total: 1
+ per_page: 10
+ data:
+ - id: 3583a470-74f6-11ed-9801-35303b735aef
+ consumer: alerts
+ tags:
+ - cpu
+ name: my alert
+ enabled: true
+ throttle: null
+ schedule:
+ interval: 1m
+ params:
+ aggType: avg
+ termSize: 6
+ thresholdComparator: '>'
+ timeWindowSize: 5
+ timeWindowUnit: m
+ groupBy: top
+ threshold:
+ - 1000
+ index:
+ - test-index
+ timeField: '@timestamp'
+ aggField: sheet.version
+ termField: name.keyword
+ revision: 1
+ rule_type_id: .index-threshold
+ created_by: elastic
+ updated_by: elastic
+ created_at: '2022-12-05T23:40:33.132Z'
+ updated_at: '2022-12-05T23:40:33.132Z'
+ api_key_owner: elastic
+ mute_all: false
+ muted_alert_ids: []
+ scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef
+ execution_status:
+ status: ok
+ last_execution_date: '2022-12-06T01:44:23.983Z'
+ last_duration: 48
+ actions:
+ - id: 9dca3e00-74f5-11ed-9801-35303b735aef
+ group: threshold met
+ uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61
+ params:
+ level: info
+ message: |-
+ Rule {{rule.name}} is active for group {{context.group}}:
+
+ - Value: {{context.value}}
+ - Conditions Met: {{context.conditions}} over {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}}
+ - Timestamp: {{context.date}}
+ connector_type_id: .server-log
+ frequency:
+ summary: false
+ notify_when: onActionGroupChange
+ throttle: null
+ last_run:
+ alerts_count:
+ new: 0
+ ignored: 0
+ recovered: 0
+ active: 0
+ outcome_msg: null
+ warning: null
+ outcome: succeeded
+ next_run: '2022-12-06T01:45:23.912Z'
+ api_key_created_by_user: false
+ find_rules_response_conditional_action:
+ summary: Security rule
+ description: A response that contains information about a security rule that has conditional actions.
+ value:
+ page: 1
+ total: 1
+ per_page: 10
+ data:
+ - id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb
+ name: security_rule
+ consumer: siem
+ enabled: true
+ tags: []
+ throttle: null
+ revision: 1
+ running: false
+ schedule:
+ interval: 1m
+ params:
+ author: []
+ description: A security threshold rule.
+ ruleId: an_internal_rule_id
+ falsePositives: []
+ from: now-3660s
+ immutable: false
+ license: ''
+ outputIndex: ''
+ meta:
+ from: 1h
+ kibana_siem_app_url: https://localhost:5601/app/security
+ maxSignals: 100
+ riskScore: 21
+ riskScoreMapping: []
+ severity: low
+ severityMapping: []
+ threat: []
+ to: now
+ references: []
+ version: 1
+ exceptionsList: []
+ type: threshold
+ language: kuery
+ index:
+ - kibana_sample_data_logs
+ query: '*'
+ filters: []
+ threshold:
+ field:
+ - bytes
+ value: 1
+ cardinality: []
+ rule_type_id: siem.thresholdRule
+ created_by: elastic
+ updated_by: elastic
+ created_at: '2023-05-16T15:50:28.358Z'
+ updated_at: '2023-05-16T20:25:42.559Z'
+ api_key_owner: elastic
+ notify_when: null
+ mute_all: false
+ muted_alert_ids: []
+ scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb
+ execution_status:
+ status: ok
+ last_execution_date: '2023-05-16T20:26:49.590Z'
+ last_duration: 166
+ actions:
+ - group: default
+ id: 49eae970-f401-11ed-9f8e-399c75a2deeb
+ params:
+ documents:
+ - rule_id:
+ '[object Object]': null
+ rule_name:
+ '[object Object]': null
+ alert_id:
+ '[object Object]': null
+ context_message:
+ '[object Object]': null
+ connector_type_id: .index
+ frequency:
+ summary: true
+ notify_when: onActiveAlert
+ throttle: null
+ uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61
+ alerts_filter:
+ timeframe:
+ days:
+ - 7
+ timezone: UTC
+ hours:
+ start: '08:00'
+ end: '17:00'
+ query:
+ kql: ''
+ filters:
+ - meta:
+ disabled: false
+ negate: false
+ alias: null
+ index: c4bdca79-e69e-4d80-82a1-e5192c621bea
+ key: client.geo.region_iso_code
+ field: client.geo.region_iso_code
+ params:
+ query: CA-QC
+ type: phrase
+ $state:
+ store: appState
+ query:
+ match_phrase:
+ client.geo.region_iso_code: CA-QC
+ last_run:
+ alerts_count:
+ new: 0
+ ignored: 0
+ recovered: 0
+ active: 0
+ outcome_msg:
+ - Rule execution completed successfully
+ outcome_order: 0
+ warning: null
+ outcome: succeeded
+ next_run: '2023-05-16T20:27:49.507Z'
+ api_key_created_by_user: false
+ get_spaces_response1:
+ summary: Get all spaces
+ description: Get all spaces without specifying any options.
+ value:
+ - id: default
+ name: Default
+ description: This is the Default Space
+ disabledFeatures: []
+ imageUrl: ''
+ _reserved: true
+ - id: marketing
+ name: Marketing
+ description: This is the Marketing Space
+ color: null
+ disabledFeatures:
+ - apm
+ initials: MK
+ imageUrl: 
+ - id: sales
+ name: Sales
+ initials: MK
+ disabledFeatures:
+ - discover
+ imageUr": ''
+ solution: oblt
+ get_spaces_response2:
+ summary: Get all spaces with custom options
+ description: |
+ The user has read-only access to the Sales space. Get all spaces with the following query parameters: "purpose=shareSavedObjectsIntoSpace&include_authorized_purposes=true"
+ value:
+ - id: default
+ name: Default
+ description: This is the Default Space
+ disabledFeatures: []
+ imageUrl: ''
+ _reserved: true
+ authorizedPurposes:
+ any: true
+ copySavedObjectsIntoSpace: true
+ findSavedObjects: true
+ shareSavedObjectsIntoSpace: true
+ - id: marketing
+ name: Marketing
+ description: This is the Marketing Space
+ color: null
+ disabledFeatures:
+ - apm
+ initials: MK
+ imageUrl: 
+ authorizedPurposes:
+ any: true
+ copySavedObjectsIntoSpace: true
+ findSavedObjects: true
+ shareSavedObjectsIntoSpace: true
+ - id: sales
+ name: Sales
+ initials: MK
+ disabledFeatures:
+ - discover
+ imageUrl: ''
+ authorizedPurposes:
+ any: true
+ copySavedObjectsIntoSpace: false
+ findSavedObjects: true
+ shareSavedObjectsIntoSpace: false
+ create_space_request:
+ summary: Create a marketing space
+ value:
+ id: marketing
+ name: Marketing
+ description: This is the Marketing Space
+ color: null
+ initials: MK
+ disabledFeatures: []
+ imageUrl: 
+ get_space_response:
+ summary: Get details about a marketing space
+ value:
+ id: marketing
+ name: Marketing
+ description: This is the Marketing Space
+ color: null
+ initials: MK
+ disabledFeatures: []
+ imageUrl: ''
+ solution: es
+ update_space_request:
+ summary: Update a marketing space
+ description: Update the marketing space to remove the imageUrl.
+ value:
+ id: marketing
+ name: Marketing
+ description: This is the Marketing Space
+ color: null
+ initials: MK
+ disabledFeatures: []
+ imageUrl: ''
+ parameters:
+ APM_UI_elastic_api_version:
+ description: The version of the API to use
+ in: header
+ name: elastic-api-version
+ required: true
+ schema:
+ default: '2023-10-31'
+ enum:
+ - '2023-10-31'
+ type: string
+ APM_UI_kbn_xsrf:
+ description: A required header to protect against CSRF attacks
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ example: 'true'
+ type: string
+ Data_views_field_name:
+ description: The name of the runtime field.
+ in: path
+ name: fieldName
+ required: true
+ schema:
+ example: hour_of_day
+ type: string
+ Data_views_kbn_xsrf:
+ description: Cross-site request forgery protection
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ type: string
+ Data_views_view_id:
+ description: An identifier for the data view.
+ in: path
+ name: viewId
+ required: true
+ schema:
+ example: ff959d40-b880-11e8-a6d9-e546fe2bba5f
+ type: string
+ Machine_learning_APIs_simulateParam:
+ description: When true, simulates the synchronization by returning only the list of actions that would be performed.
+ example: 'true'
+ in: query
+ name: simulate
+ required: false
+ schema:
+ type: boolean
+ Serverless_saved_objects_kbn_xsrf:
+ description: Cross-site request forgery protection
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ type: string
+ SLOs_kbn_xsrf:
+ description: Cross-site request forgery protection
+ in: header
+ name: kbn-xsrf
+ required: true
+ schema:
+ type: string
+ SLOs_slo_id:
+ description: An identifier for the slo.
+ in: path
+ name: sloId
+ required: true
+ schema:
+ example: 9c235211-6834-11ea-a78c-6feb38a34414
+ type: string
+ SLOs_space_id:
+ description: An identifier for the space. If `/s/` and the identifier are omitted from the path, the default space is used.
+ in: path
+ name: spaceId
+ required: true
+ schema:
+ example: default
+ type: string
+ schemas:
+ APM_UI_400_response:
+ type: object
+ properties:
+ error:
+ description: Error type
+ example: Not Found
+ type: string
+ message:
+ description: Error message
+ example: Not Found
+ type: string
+ statusCode:
+ description: Error status code
+ example: 400
+ type: number
+ APM_UI_401_response:
+ type: object
+ properties:
+ error:
+ description: Error type
+ example: Unauthorized
+ type: string
+ message:
+ description: Error message
+ type: string
+ statusCode:
+ description: Error status code
+ example: 401
+ type: number
+ APM_UI_403_response:
+ type: object
+ properties:
+ error:
+ description: Error type
+ example: Forbidden
+ type: string
+ message:
+ description: Error message
+ type: string
+ statusCode:
+ description: Error status code
+ example: 403
+ type: number
+ APM_UI_404_response:
+ type: object
+ properties:
+ error:
+ description: Error type
+ example: Not Found
+ type: string
+ message:
+ description: Error message
+ example: Not Found
+ type: string
+ statusCode:
+ description: Error status code
+ example: 404
+ type: number
+ APM_UI_500_response:
+ type: object
+ properties:
+ error:
+ description: Error type
+ example: Internal Server Error
+ type: string
+ message:
+ description: Error message
+ type: string
+ statusCode:
+ description: Error status code
+ example: 500
+ type: number
+ APM_UI_501_response:
+ type: object
+ properties:
+ error:
+ description: Error type
+ example: Not Implemented
+ type: string
+ message:
+ description: Error message
+ example: Not Implemented
+ type: string
+ statusCode:
+ description: Error status code
+ example: 501
+ type: number
+ APM_UI_agent_configuration_intake_object:
+ type: object
+ properties:
+ agent_name:
+ description: Agent name
+ type: string
+ service:
+ $ref: '#/components/schemas/APM_UI_service_object'
+ settings:
+ $ref: '#/components/schemas/APM_UI_settings_object'
+ required:
+ - service
+ - settings
+ APM_UI_agent_configuration_object:
+ description: Agent configuration
+ type: object
+ properties:
+ '@timestamp':
+ description: Timestamp
+ example: 1730194190636
+ type: number
+ agent_name:
+ description: Agent name
+ type: string
+ applied_by_agent:
+ description: Applied by agent
+ example: true
+ type: boolean
+ etag:
+ description: Etag
+ example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85
+ type: string
+ service:
+ $ref: '#/components/schemas/APM_UI_service_object'
+ settings:
+ $ref: '#/components/schemas/APM_UI_settings_object'
+ required:
+ - service
+ - settings
+ - '@timestamp'
+ - etag
+ APM_UI_agent_configurations_response:
+ type: object
+ properties:
+ configurations:
+ description: Agent configuration
+ items:
+ $ref: '#/components/schemas/APM_UI_agent_configuration_object'
+ type: array
+ APM_UI_agent_keys_object:
+ type: object
+ properties:
+ name:
+ description: Agent name
+ type: string
+ privileges:
+ description: Privileges configuration
+ items:
+ enum:
+ - event:write
+ - config_agent:read
+ type: string
+ type: array
+ required:
+ - name
+ - privileges
+ APM_UI_agent_keys_response:
+ type: object
+ properties:
+ agentKey:
+ description: Agent key
+ type: object
+ properties:
+ api_key:
+ type: string
+ encoded:
+ type: string
+ expiration:
+ format: int64
+ type: integer
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ - name
+ - api_key
+ - encoded
+ APM_UI_annotation_search_response:
+ type: object
+ properties:
+ annotations:
+ description: Annotations
+ items:
+ type: object
+ properties:
+ '@timestamp':
+ type: number
+ id:
+ type: string
+ text:
+ type: string
+ type:
+ enum:
+ - version
+ type: string
+ type: array
+ APM_UI_base_source_map_object:
+ type: object
+ properties:
+ compressionAlgorithm:
+ description: Compression Algorithm
+ type: string
+ created:
+ description: Created date
+ type: string
+ decodedSha256:
+ description: Decoded SHA-256
+ type: string
+ decodedSize:
+ description: Decoded size
+ type: number
+ encodedSha256:
+ description: Encoded SHA-256
+ type: string
+ encodedSize:
+ description: Encoded size
+ type: number
+ encryptionAlgorithm:
+ description: Encryption Algorithm
+ type: string
+ id:
+ description: Identifier
+ type: string
+ identifier:
+ description: Identifier
+ type: string
+ packageName:
+ description: Package name
+ type: string
+ relative_url:
+ description: Relative URL
+ type: string
+ type:
+ description: Type
+ type: string
+ APM_UI_create_annotation_object:
+ type: object
+ properties:
+ '@timestamp':
+ description: Timestamp
+ type: string
+ message:
+ description: Message
+ type: string
+ service:
+ description: Service
+ type: object
+ properties:
+ environment:
+ type: string
+ version:
+ type: string
+ required:
+ - version
+ tags:
+ description: Tags
+ items:
+ type: string
+ type: array
+ required:
+ - '@timestamp'
+ - service
+ APM_UI_create_annotation_response:
+ type: object
+ properties:
+ _id:
+ description: Identifier
+ type: string
+ _index:
+ description: Index
+ type: string
+ _source:
+ description: Response
+ type: object
+ properties:
+ '@timestamp':
+ type: string
+ annotation:
+ type: object
+ properties:
+ title:
+ type: string
+ type:
+ type: string
+ event:
+ type: object
+ properties:
+ created:
+ type: string
+ message:
+ type: string
+ service:
+ type: object
+ properties:
+ environment:
+ type: string
+ name:
+ type: string
+ version:
+ type: string
+ tags:
+ items:
+ type: string
+ type: array
+ APM_UI_delete_agent_configurations_response:
+ type: object
+ properties:
+ result:
+ description: Result
+ type: string
+ APM_UI_search_agent_configuration_object:
+ type: object
+ properties:
+ etag:
+ description: If etags match then `applied_by_agent` field will be set to `true`
+ example: 0bc3b5ebf18fba8163fe4c96f491e3767a358f85
+ type: string
+ mark_as_applied_by_agent:
+ description: |
+ `markAsAppliedByAgent=true` means "force setting it to true regardless of etag".
+ This is needed for Jaeger agent that doesn't have etags
+ type: boolean
+ service:
+ $ref: '#/components/schemas/APM_UI_service_object'
+ required:
+ - service
+ APM_UI_search_agent_configuration_response:
+ type: object
+ properties:
+ _id:
+ description: Identifier
+ type: string
+ _index:
+ description: Index
+ type: string
+ _score:
+ description: Score
+ type: number
+ _source:
+ $ref: '#/components/schemas/APM_UI_agent_configuration_object'
+ APM_UI_service_agent_name_response:
+ type: object
+ properties:
+ agentName:
+ description: Agent name
+ example: nodejs
+ type: string
+ APM_UI_service_environment_object:
+ type: object
+ properties:
+ alreadyConfigured:
+ description: Already configured
+ type: boolean
+ name:
+ description: Service environment name
+ example: ALL_OPTION_VALUE
+ type: string
+ APM_UI_service_environments_response:
+ type: object
+ properties:
+ environments:
+ description: Service environment list
+ items:
+ $ref: '#/components/schemas/APM_UI_service_environment_object'
+ type: array
+ APM_UI_service_object:
+ description: Service
+ type: object
+ properties:
+ environment:
+ description: Environment
+ example: prod
+ type: string
+ name:
+ description: Name
+ example: node
+ type: string
+ APM_UI_settings_object:
+ additionalProperties:
+ type: string
+ description: Agent configuration settings
+ type: object
+ APM_UI_single_agent_configuration_response:
+ allOf:
+ - type: object
+ properties:
+ id:
+ type: string
+ required:
+ - id
+ - $ref: '#/components/schemas/APM_UI_agent_configuration_object'
+ APM_UI_source_maps_response:
+ type: object
+ properties:
+ artifacts:
+ description: Artifacts
+ items:
+ allOf:
+ - type: object
+ properties:
+ body:
+ type: object
+ properties:
+ bundleFilepath:
+ type: string
+ serviceName:
+ type: string
+ serviceVersion:
+ type: string
+ sourceMap:
+ type: object
+ properties:
+ file:
+ type: string
+ mappings:
+ type: string
+ sourceRoot:
+ type: string
+ sources:
+ items:
+ type: string
+ type: array
+ sourcesContent:
+ items:
+ type: string
+ type: array
+ version:
+ type: number
+ - $ref: '#/components/schemas/APM_UI_base_source_map_object'
+ type: array
+ APM_UI_upload_source_map_object:
+ type: object
+ properties:
+ bundle_filepath:
+ description: The absolute path of the final bundle as used in the web application.
+ type: string
+ service_name:
+ description: The name of the service that the service map should apply to.
+ type: string
+ service_version:
+ description: The version of the service that the service map should apply to.
+ type: string
+ sourcemap:
+ description: |
+ The source map. String or file upload. It must follow the
+ [source map revision 3 proposal](https://docs.google.com/document/d/1U1RGAehQwRypUTovF1KRlpiOFze0b-_2gc6fAH0KY0k).
+ format: binary
+ type: string
+ required:
+ - service_name
+ - service_version
+ - bundle_filepath
+ - sourcemap
+ APM_UI_upload_source_maps_response:
+ allOf:
+ - type: object
+ properties:
+ body:
+ type: string
+ - $ref: '#/components/schemas/APM_UI_base_source_map_object'
+ Data_views_400_response:
+ title: Bad request
+ type: object
+ properties:
+ error:
+ example: Bad Request
+ type: string
+ message:
+ type: string
+ statusCode:
+ example: 400
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ Data_views_404_response:
+ type: object
+ properties:
+ error:
+ enum:
+ - Not Found
+ example: Not Found
+ type: string
+ message:
+ example: Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found
+ type: string
+ statusCode:
+ enum:
+ - 404
+ example: 404
+ type: integer
+ Data_views_allownoindex:
+ description: Allows the data view saved object to exist before the data is available.
+ type: boolean
+ Data_views_create_data_view_request_object:
+ title: Create data view request
+ type: object
+ properties:
+ data_view:
+ description: The data view object.
+ type: object
+ properties:
+ allowNoIndex:
+ $ref: '#/components/schemas/Data_views_allownoindex'
+ fieldAttrs:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_fieldattrs'
+ type: object
+ fieldFormats:
+ $ref: '#/components/schemas/Data_views_fieldformats'
+ fields:
+ type: object
+ id:
+ type: string
+ name:
+ description: The data view name.
+ type: string
+ namespaces:
+ $ref: '#/components/schemas/Data_views_namespaces'
+ runtimeFieldMap:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_runtimefieldmap'
+ type: object
+ sourceFilters:
+ $ref: '#/components/schemas/Data_views_sourcefilters'
+ timeFieldName:
+ $ref: '#/components/schemas/Data_views_timefieldname'
+ title:
+ $ref: '#/components/schemas/Data_views_title'
+ type:
+ $ref: '#/components/schemas/Data_views_type'
+ typeMeta:
+ $ref: '#/components/schemas/Data_views_typemeta'
+ version:
+ type: string
+ required:
+ - title
+ override:
+ default: false
+ description: Override an existing data view if a data view with the provided title already exists.
+ type: boolean
+ required:
+ - data_view
+ Data_views_data_view_response_object:
+ title: Data view response properties
+ type: object
+ properties:
+ data_view:
+ type: object
+ properties:
+ allowNoIndex:
+ $ref: '#/components/schemas/Data_views_allownoindex'
+ fieldAttrs:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_fieldattrs'
+ type: object
+ fieldFormats:
+ $ref: '#/components/schemas/Data_views_fieldformats'
+ fields:
+ type: object
+ id:
+ example: ff959d40-b880-11e8-a6d9-e546fe2bba5f
+ type: string
+ name:
+ description: The data view name.
+ type: string
+ namespaces:
+ $ref: '#/components/schemas/Data_views_namespaces'
+ runtimeFieldMap:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_runtimefieldmap'
+ type: object
+ sourceFilters:
+ $ref: '#/components/schemas/Data_views_sourcefilters'
+ timeFieldName:
+ $ref: '#/components/schemas/Data_views_timefieldname'
+ title:
+ $ref: '#/components/schemas/Data_views_title'
+ typeMeta:
+ $ref: '#/components/schemas/Data_views_typemeta_response'
+ version:
+ example: WzQ2LDJd
+ type: string
+ Data_views_fieldattrs:
+ description: A map of field attributes by field name.
+ type: object
+ properties:
+ count:
+ description: Popularity count for the field.
+ type: integer
+ customDescription:
+ description: Custom description for the field.
+ maxLength: 300
+ type: string
+ customLabel:
+ description: Custom label for the field.
+ type: string
+ Data_views_fieldformats:
+ description: A map of field formats by field name.
+ type: object
+ Data_views_namespaces:
+ description: An array of space identifiers for sharing the data view between multiple spaces.
+ items:
+ default: default
+ type: string
+ type: array
+ Data_views_runtimefieldmap:
+ description: A map of runtime field definitions by field name.
+ type: object
+ properties:
+ script:
+ type: object
+ properties:
+ source:
+ description: Script for the runtime field.
+ type: string
+ type:
+ description: Mapping type of the runtime field.
+ type: string
+ required:
+ - script
+ - type
+ Data_views_sourcefilters:
+ description: The array of field names you want to filter out in Discover.
+ items:
+ type: object
+ properties:
+ value:
+ type: string
+ required:
+ - value
+ type: array
+ Data_views_swap_data_view_request_object:
+ title: Data view reference swap request
+ type: object
+ properties:
+ delete:
+ description: Deletes referenced saved object if all references are removed.
+ type: boolean
+ forId:
+ description: Limit the affected saved objects to one or more by identifier.
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ forType:
+ description: Limit the affected saved objects by type.
+ type: string
+ fromId:
+ description: The saved object reference to change.
+ type: string
+ fromType:
+ description: |
+ Specify the type of the saved object reference to alter. The default value is `index-pattern` for data views.
+ type: string
+ toId:
+ description: New saved object reference value to replace the old value.
+ type: string
+ required:
+ - fromId
+ - toId
+ Data_views_timefieldname:
+ description: The timestamp field name, which you use for time-based data views.
+ type: string
+ Data_views_title:
+ description: Comma-separated list of data streams, indices, and aliases that you want to search. Supports wildcards (`*`).
+ type: string
+ Data_views_type:
+ description: When set to `rollup`, identifies the rollup data views.
+ type: string
+ Data_views_typemeta:
+ description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
+ type: object
+ properties:
+ aggs:
+ description: A map of rollup restrictions by aggregation type and field name.
+ type: object
+ params:
+ description: Properties for retrieving rollup fields.
+ type: object
+ required:
+ - aggs
+ - params
+ Data_views_typemeta_response:
+ description: When you use rollup indices, contains the field list for the rollup data view API endpoints.
+ nullable: true
+ type: object
+ properties:
+ aggs:
+ description: A map of rollup restrictions by aggregation type and field name.
+ type: object
+ params:
+ description: Properties for retrieving rollup fields.
+ type: object
+ Data_views_update_data_view_request_object:
+ title: Update data view request
+ type: object
+ properties:
+ data_view:
+ description: |
+ The data view properties you want to update. Only the specified properties are updated in the data view. Unspecified fields stay as they are persisted.
+ type: object
+ properties:
+ allowNoIndex:
+ $ref: '#/components/schemas/Data_views_allownoindex'
+ fieldFormats:
+ $ref: '#/components/schemas/Data_views_fieldformats'
+ fields:
+ type: object
+ name:
+ type: string
+ runtimeFieldMap:
+ additionalProperties:
+ $ref: '#/components/schemas/Data_views_runtimefieldmap'
+ type: object
+ sourceFilters:
+ $ref: '#/components/schemas/Data_views_sourcefilters'
+ timeFieldName:
+ $ref: '#/components/schemas/Data_views_timefieldname'
+ title:
+ $ref: '#/components/schemas/Data_views_title'
+ type:
+ $ref: '#/components/schemas/Data_views_type'
+ typeMeta:
+ $ref: '#/components/schemas/Data_views_typemeta'
+ refresh_fields:
+ default: false
+ description: Reloads the data view fields after the data view is updated.
+ type: boolean
+ required:
+ - data_view
+ Kibana_HTTP_APIs_core_status_redactedResponse:
+ additionalProperties: false
+ description: A minimal representation of Kibana's operational status.
+ type: object
+ properties:
+ status:
+ additionalProperties: false
+ type: object
+ properties:
+ overall:
+ additionalProperties: false
+ type: object
+ properties:
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ required:
+ - level
+ required:
+ - overall
+ required:
+ - status
+ Kibana_HTTP_APIs_core_status_response:
+ additionalProperties: false
+ description: Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request.
+ type: object
+ properties:
+ metrics:
+ additionalProperties: false
+ description: Metric groups collected by Kibana.
+ type: object
+ properties:
+ collection_interval_in_millis:
+ description: The interval at which metrics should be collected.
+ type: number
+ elasticsearch_client:
+ additionalProperties: false
+ description: Current network metrics of Kibana's Elasticsearch client.
+ type: object
+ properties:
+ totalActiveSockets:
+ description: Count of network sockets currently in use.
+ type: number
+ totalIdleSockets:
+ description: Count of network sockets currently idle.
+ type: number
+ totalQueuedRequests:
+ description: Count of requests not yet assigned to sockets.
+ type: number
+ required:
+ - totalActiveSockets
+ - totalIdleSockets
+ - totalQueuedRequests
+ last_updated:
+ description: The time metrics were collected.
+ type: string
+ required:
+ - elasticsearch_client
+ - last_updated
+ - collection_interval_in_millis
+ name:
+ description: Kibana instance name.
+ type: string
+ status:
+ additionalProperties: false
+ type: object
+ properties:
+ core:
+ additionalProperties: false
+ description: Statuses of core Kibana services.
+ type: object
+ properties:
+ elasticsearch:
+ additionalProperties: false
+ type: object
+ properties:
+ detail:
+ description: Human readable detail of the service status.
+ type: string
+ documentationUrl:
+ description: A URL to further documentation regarding this service.
+ type: string
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ meta:
+ additionalProperties: {}
+ description: An unstructured set of extra metadata about this service.
+ type: object
+ summary:
+ description: A human readable summary of the service status.
+ type: string
+ required:
+ - level
+ - summary
+ - meta
+ savedObjects:
+ additionalProperties: false
+ type: object
+ properties:
+ detail:
+ description: Human readable detail of the service status.
+ type: string
+ documentationUrl:
+ description: A URL to further documentation regarding this service.
+ type: string
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ meta:
+ additionalProperties: {}
+ description: An unstructured set of extra metadata about this service.
+ type: object
+ summary:
+ description: A human readable summary of the service status.
+ type: string
+ required:
+ - level
+ - summary
+ - meta
+ required:
+ - elasticsearch
+ - savedObjects
+ overall:
+ additionalProperties: false
+ type: object
+ properties:
+ detail:
+ description: Human readable detail of the service status.
+ type: string
+ documentationUrl:
+ description: A URL to further documentation regarding this service.
+ type: string
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ meta:
+ additionalProperties: {}
+ description: An unstructured set of extra metadata about this service.
+ type: object
+ summary:
+ description: A human readable summary of the service status.
+ type: string
+ required:
+ - level
+ - summary
+ - meta
+ plugins:
+ additionalProperties:
+ additionalProperties: false
+ type: object
+ properties:
+ detail:
+ description: Human readable detail of the service status.
+ type: string
+ documentationUrl:
+ description: A URL to further documentation regarding this service.
+ type: string
+ level:
+ description: Service status levels as human and machine readable values.
+ enum:
+ - available
+ - degraded
+ - unavailable
+ - critical
+ type: string
+ meta:
+ additionalProperties: {}
+ description: An unstructured set of extra metadata about this service.
+ type: object
+ summary:
+ description: A human readable summary of the service status.
+ type: string
+ required:
+ - level
+ - summary
+ - meta
+ description: A dynamic mapping of plugin ID to plugin status.
+ type: object
+ required:
+ - overall
+ - core
+ - plugins
+ uuid:
+ description: Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts.
+ type: string
+ version:
+ additionalProperties: false
+ type: object
+ properties:
+ build_date:
+ description: The date and time of this build.
+ type: string
+ build_flavor:
+ description: The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the "traditional" flavour, while other flavours are reserved for Elastic-specific use cases.
+ enum:
+ - serverless
+ - traditional
+ type: string
+ build_hash:
+ description: A unique hash value representing the git commit of this Kibana build.
+ type: string
+ build_number:
+ description: A monotonically increasing number, each subsequent build will have a higher number.
+ type: number
+ build_snapshot:
+ description: Whether this build is a snapshot build.
+ type: boolean
+ number:
+ description: A semantic version number.
+ type: string
+ required:
+ - number
+ - build_hash
+ - build_number
+ - build_snapshot
+ - build_flavor
+ - build_date
+ required:
+ - name
+ - uuid
+ - version
+ - status
+ - metrics
+ Machine_learning_APIs_mlSync200Response:
+ properties:
+ datafeedsAdded:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds'
+ description: If a saved object for an anomaly detection job is missing a datafeed identifier, it is added when you run the sync machine learning saved objects API.
+ type: object
+ datafeedsRemoved:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds'
+ description: If a saved object for an anomaly detection job references a datafeed that no longer exists, it is deleted when you run the sync machine learning saved objects API.
+ type: object
+ savedObjectsCreated:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated'
+ savedObjectsDeleted:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted'
+ title: Successful sync API response
+ type: object
+ Machine_learning_APIs_mlSync4xxResponse:
+ properties:
+ error:
+ example: Unauthorized
+ type: string
+ message:
+ type: string
+ statusCode:
+ example: 401
+ type: integer
+ title: Unsuccessful sync API response
+ type: object
+ Machine_learning_APIs_mlSyncResponseAnomalyDetectors:
+ description: The sync machine learning saved objects API response contains this object when there are anomaly detection jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
+ properties:
+ success:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
+ title: Sync API response for anomaly detection jobs
+ type: object
+ Machine_learning_APIs_mlSyncResponseDatafeeds:
+ description: The sync machine learning saved objects API response contains this object when there are datafeeds affected by the synchronization. There is an object for each relevant datafeed, which contains the synchronization status.
+ properties:
+ success:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
+ title: Sync API response for datafeeds
+ type: object
+ Machine_learning_APIs_mlSyncResponseDataFrameAnalytics:
+ description: The sync machine learning saved objects API response contains this object when there are data frame analytics jobs affected by the synchronization. There is an object for each relevant job, which contains the synchronization status.
+ properties:
+ success:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
+ title: Sync API response for data frame analytics jobs
+ type: object
+ Machine_learning_APIs_mlSyncResponseSavedObjectsCreated:
+ description: If saved objects are missing for machine learning jobs or trained models, they are created when you run the sync machine learning saved objects API.
+ properties:
+ anomaly-detector:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors'
+ description: If saved objects are missing for anomaly detection jobs, they are created.
+ type: object
+ data-frame-analytics:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics'
+ description: If saved objects are missing for data frame analytics jobs, they are created.
+ type: object
+ trained-model:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels'
+ description: If saved objects are missing for trained models, they are created.
+ type: object
+ title: Sync API response for created saved objects
+ type: object
+ Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted:
+ description: If saved objects exist for machine learning jobs or trained models that no longer exist, they are deleted when you run the sync machine learning saved objects API.
+ properties:
+ anomaly-detector:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors'
+ description: If there are saved objects exist for nonexistent anomaly detection jobs, they are deleted.
+ type: object
+ data-frame-analytics:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics'
+ description: If there are saved objects exist for nonexistent data frame analytics jobs, they are deleted.
+ type: object
+ trained-model:
+ additionalProperties:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels'
+ description: If there are saved objects exist for nonexistent trained models, they are deleted.
+ type: object
+ title: Sync API response for deleted saved objects
+ type: object
+ Machine_learning_APIs_mlSyncResponseSuccess:
+ description: The success or failure of the synchronization.
+ type: boolean
+ Machine_learning_APIs_mlSyncResponseTrainedModels:
+ description: The sync machine learning saved objects API response contains this object when there are trained models affected by the synchronization. There is an object for each relevant trained model, which contains the synchronization status.
+ properties:
+ success:
+ $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess'
+ title: Sync API response for trained models
+ type: object
+ Security_AI_Assistant_API_AnonymizationFieldCreateProps:
+ type: object
+ properties:
+ allowed:
+ type: boolean
+ anonymized:
+ type: boolean
+ field:
+ type: string
+ required:
+ - field
+ Security_AI_Assistant_API_AnonymizationFieldDetailsInError:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ Security_AI_Assistant_API_AnonymizationFieldResponse:
+ type: object
+ properties:
+ allowed:
+ type: boolean
+ anonymized:
+ type: boolean
+ createdAt:
+ type: string
+ createdBy:
+ type: string
+ field:
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ namespace:
+ description: Kibana space
+ type: string
+ timestamp:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ updatedAt:
+ type: string
+ updatedBy:
+ type: string
+ required:
+ - id
+ - field
+ Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason:
+ enum:
+ - ANONYMIZATION_FIELD_NOT_MODIFIED
+ type: string
+ Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ skip_reason:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason'
+ required:
+ - id
+ - skip_reason
+ Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse:
+ type: object
+ properties:
+ anonymization_fields_count:
+ type: integer
+ attributes:
+ type: object
+ properties:
+ errors:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError'
+ type: array
+ results:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults'
+ summary:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
+ required:
+ - results
+ - summary
+ message:
+ type: string
+ status_code:
+ type: integer
+ success:
+ type: boolean
+ required:
+ - attributes
+ Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults:
+ type: object
+ properties:
+ created:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
+ type: array
+ deleted:
+ items:
+ type: string
+ type: array
+ skipped:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult'
+ type: array
+ updated:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse'
+ type: array
+ required:
+ - updated
+ - created
+ - deleted
+ - skipped
+ Security_AI_Assistant_API_AnonymizationFieldUpdateProps:
+ type: object
+ properties:
+ allowed:
+ type: boolean
+ anonymized:
+ type: boolean
+ id:
+ type: string
+ required:
+ - id
+ Security_AI_Assistant_API_ApiConfig:
+ type: object
+ properties:
+ actionTypeId:
+ description: action type id
+ type: string
+ connectorId:
+ description: connector id
+ type: string
+ defaultSystemPromptId:
+ description: defaultSystemPromptId
+ type: string
+ model:
+ description: model
+ type: string
+ provider:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Provider'
+ description: Provider
+ required:
+ - connectorId
+ - actionTypeId
+ Security_AI_Assistant_API_BulkCrudActionSummary:
+ type: object
+ properties:
+ failed:
+ type: integer
+ skipped:
+ type: integer
+ succeeded:
+ type: integer
+ total:
+ type: integer
+ required:
+ - failed
+ - skipped
+ - succeeded
+ - total
+ Security_AI_Assistant_API_ChatCompleteProps:
+ type: object
+ properties:
+ connectorId:
+ type: string
+ conversationId:
+ type: string
+ isStream:
+ type: boolean
+ langSmithApiKey:
+ type: string
+ langSmithProject:
+ type: string
+ messages:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage'
+ type: array
+ model:
+ type: string
+ persist:
+ type: boolean
+ promptId:
+ type: string
+ responseLanguage:
+ type: string
+ required:
+ - messages
+ - persist
+ - connectorId
+ Security_AI_Assistant_API_ChatMessage:
+ description: AI assistant message.
+ type: object
+ properties:
+ content:
+ description: Message content.
+ type: string
+ data:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData'
+ description: ECS object to attach to the context of the message.
+ fields_to_anonymize:
+ items:
+ type: string
+ type: array
+ role:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole'
+ description: Message role.
+ required:
+ - role
+ Security_AI_Assistant_API_ChatMessageRole:
+ description: Message role.
+ enum:
+ - system
+ - user
+ - assistant
+ type: string
+ Security_AI_Assistant_API_ConversationCategory:
+ description: The conversation category.
+ enum:
+ - assistant
+ - insights
+ type: string
+ Security_AI_Assistant_API_ConversationConfidence:
+ description: The conversation confidence.
+ enum:
+ - low
+ - medium
+ - high
+ type: string
+ Security_AI_Assistant_API_ConversationCreateProps:
+ type: object
+ properties:
+ apiConfig:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
+ description: LLM API configuration.
+ category:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
+ description: The conversation category.
+ excludeFromLastConversationStorage:
+ description: excludeFromLastConversationStorage.
+ type: boolean
+ id:
+ description: The conversation id.
+ type: string
+ isDefault:
+ description: Is default conversation.
+ type: boolean
+ messages:
+ description: The conversation messages.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Message'
+ type: array
+ replacements:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
+ title:
+ description: The conversation title.
+ type: string
+ required:
+ - title
+ Security_AI_Assistant_API_ConversationResponse:
+ type: object
+ properties:
+ apiConfig:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
+ description: LLM API configuration.
+ category:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
+ description: The conversation category.
+ createdAt:
+ description: The last time conversation was updated.
+ type: string
+ excludeFromLastConversationStorage:
+ description: excludeFromLastConversationStorage.
+ type: boolean
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ isDefault:
+ description: Is default conversation.
+ type: boolean
+ messages:
+ description: The conversation messages.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Message'
+ type: array
+ namespace:
+ description: Kibana space
+ type: string
+ replacements:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
+ summary:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary'
+ timestamp:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ title:
+ description: The conversation title.
+ type: string
+ updatedAt:
+ description: The last time conversation was updated.
+ type: string
+ users:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - id
+ - title
+ - createdAt
+ - users
+ - namespace
+ - category
+ Security_AI_Assistant_API_ConversationSummary:
+ type: object
+ properties:
+ confidence:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationConfidence'
+ description: How confident you are about this being a correct and useful learning.
+ content:
+ description: Summary text of the conversation over time.
+ type: string
+ public:
+ description: Define if summary is marked as publicly available.
+ type: boolean
+ timestamp:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ description: The timestamp summary was updated.
+ Security_AI_Assistant_API_ConversationUpdateProps:
+ type: object
+ properties:
+ apiConfig:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig'
+ description: LLM API configuration.
+ category:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory'
+ description: The conversation category.
+ excludeFromLastConversationStorage:
+ description: excludeFromLastConversationStorage.
+ type: boolean
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ messages:
+ description: The conversation messages.
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Message'
+ type: array
+ replacements:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements'
+ summary:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary'
+ title:
+ description: The conversation title.
+ type: string
+ required:
+ - id
+ Security_AI_Assistant_API_FindAnonymizationFieldsSortField:
+ enum:
+ - created_at
+ - anonymized
+ - allowed
+ - field
+ - updated_at
+ type: string
+ Security_AI_Assistant_API_FindConversationsSortField:
+ enum:
+ - created_at
+ - is_default
+ - title
+ - updated_at
+ type: string
+ Security_AI_Assistant_API_FindPromptsSortField:
+ enum:
+ - created_at
+ - is_default
+ - name
+ - updated_at
+ type: string
+ Security_AI_Assistant_API_Message:
+ description: AI assistant conversation message.
+ type: object
+ properties:
+ content:
+ description: Message content.
+ type: string
+ isError:
+ description: Is error message.
+ type: boolean
+ reader:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_Reader'
+ description: Message content.
+ role:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole'
+ description: Message role.
+ timestamp:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ description: The timestamp message was sent or received.
+ traceData:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData'
+ description: trace Data
+ required:
+ - timestamp
+ - content
+ - role
+ Security_AI_Assistant_API_MessageData:
+ additionalProperties: true
+ type: object
+ Security_AI_Assistant_API_MessageRole:
+ description: Message role.
+ enum:
+ - system
+ - user
+ - assistant
+ type: string
+ Security_AI_Assistant_API_NonEmptyString:
+ description: A string that is not empty and does not contain only whitespace
+ minLength: 1
+ pattern: ^(?! *$).+$
+ type: string
+ Security_AI_Assistant_API_NormalizedAnonymizationFieldError:
+ type: object
+ properties:
+ anonymization_fields:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError'
+ type: array
+ err_code:
+ type: string
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - message
+ - status_code
+ - anonymization_fields
+ Security_AI_Assistant_API_NormalizedPromptError:
+ type: object
+ properties:
+ err_code:
+ type: string
+ message:
+ type: string
+ prompts:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptDetailsInError'
+ type: array
+ status_code:
+ type: integer
+ required:
+ - message
+ - status_code
+ - prompts
+ Security_AI_Assistant_API_PromptCreateProps:
+ type: object
+ properties:
+ categories:
+ items:
+ type: string
+ type: array
+ color:
+ type: string
+ consumer:
+ type: string
+ content:
+ type: string
+ isDefault:
+ type: boolean
+ isNewConversationDefault:
+ type: boolean
+ name:
+ type: string
+ promptType:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType'
+ required:
+ - name
+ - content
+ - promptType
+ Security_AI_Assistant_API_PromptDetailsInError:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ Security_AI_Assistant_API_PromptResponse:
+ type: object
+ properties:
+ categories:
+ items:
+ type: string
+ type: array
+ color:
+ type: string
+ consumer:
+ type: string
+ content:
+ type: string
+ createdAt:
+ type: string
+ createdBy:
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ isDefault:
+ type: boolean
+ isNewConversationDefault:
+ type: boolean
+ name:
+ type: string
+ namespace:
+ description: Kibana space
+ type: string
+ promptType:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType'
+ timestamp:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString'
+ updatedAt:
+ type: string
+ updatedBy:
+ type: string
+ users:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_User'
+ type: array
+ required:
+ - id
+ - name
+ - promptType
+ - content
+ Security_AI_Assistant_API_PromptsBulkActionSkipReason:
+ enum:
+ - PROMPT_FIELD_NOT_MODIFIED
+ type: string
+ Security_AI_Assistant_API_PromptsBulkActionSkipResult:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ skip_reason:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason'
+ required:
+ - id
+ - skip_reason
+ Security_AI_Assistant_API_PromptsBulkCrudActionResponse:
+ type: object
+ properties:
+ attributes:
+ type: object
+ properties:
+ errors:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_NormalizedPromptError'
+ type: array
+ results:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults'
+ summary:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary'
+ required:
+ - results
+ - summary
+ message:
+ type: string
+ prompts_count:
+ type: integer
+ status_code:
+ type: integer
+ success:
+ type: boolean
+ required:
+ - attributes
+ Security_AI_Assistant_API_PromptsBulkCrudActionResults:
+ type: object
+ properties:
+ created:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
+ type: array
+ deleted:
+ items:
+ type: string
+ type: array
+ skipped:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult'
+ type: array
+ updated:
+ items:
+ $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse'
+ type: array
+ required:
+ - updated
+ - created
+ - deleted
+ - skipped
+ Security_AI_Assistant_API_PromptType:
+ description: Prompt type
+ enum:
+ - system
+ - quick
+ type: string
+ Security_AI_Assistant_API_PromptUpdateProps:
+ type: object
+ properties:
+ categories:
+ items:
+ type: string
+ type: array
+ color:
+ type: string
+ consumer:
+ type: string
+ content:
+ type: string
+ id:
+ type: string
+ isDefault:
+ type: boolean
+ isNewConversationDefault:
+ type: boolean
+ required:
+ - id
+ Security_AI_Assistant_API_Provider:
+ description: Provider
+ enum:
+ - OpenAI
+ - Azure OpenAI
+ - Other
+ type: string
+ Security_AI_Assistant_API_Reader:
+ additionalProperties: true
+ type: object
+ Security_AI_Assistant_API_Replacements:
+ additionalProperties:
+ type: string
+ description: Replacements object used to anonymize/deanomymize messsages
+ type: object
+ Security_AI_Assistant_API_SortOrder:
+ enum:
+ - asc
+ - desc
+ type: string
+ Security_AI_Assistant_API_TraceData:
+ description: trace Data
+ type: object
+ properties:
+ traceId:
+ description: Could be any string, not necessarily a UUID
+ type: string
+ transactionId:
+ description: Could be any string, not necessarily a UUID
+ type: string
+ Security_AI_Assistant_API_User:
+ description: Could be any string, not necessarily a UUID
+ type: object
+ properties:
+ id:
+ description: User id
+ type: string
+ name:
+ description: User name
+ type: string
+ Security_Detections_API_AlertAssignees:
+ type: object
+ properties:
+ add:
+ description: A list of users ids to assign.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ type: array
+ remove:
+ description: A list of users ids to unassign.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ type: array
+ required:
+ - add
+ - remove
+ Security_Detections_API_AlertIds:
+ description: A list of alerts ids.
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ minItems: 1
+ type: array
+ Security_Detections_API_AlertsIndex:
+ deprecated: true
+ description: (deprecated) Has no effect.
+ type: string
+ Security_Detections_API_AlertsIndexNamespace:
+ description: Has no effect.
+ type: string
+ Security_Detections_API_AlertsSort:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
+ - items:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations'
+ type: array
+ Security_Detections_API_AlertsSortCombinations:
+ anyOf:
+ - type: string
+ - additionalProperties: true
+ type: object
+ Security_Detections_API_AlertStatus:
+ enum:
+ - open
+ - closed
+ - acknowledged
+ - in-progress
+ type: string
+ Security_Detections_API_AlertSuppression:
+ type: object
+ properties:
+ duration:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration'
+ group_by:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy'
+ missing_fields_strategy:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy'
+ required:
+ - group_by
+ Security_Detections_API_AlertSuppressionDuration:
+ type: object
+ properties:
+ unit:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDurationUnit'
+ value:
+ minimum: 1
+ type: integer
+ required:
+ - value
+ - unit
+ Security_Detections_API_AlertSuppressionDurationUnit:
+ enum:
+ - s
+ - m
+ - h
+ type: string
+ Security_Detections_API_AlertSuppressionGroupBy:
+ items:
+ type: string
+ maxItems: 3
+ minItems: 1
+ type: array
+ Security_Detections_API_AlertSuppressionMissingFieldsStrategy:
+ description: |-
+ Describes how alerts will be generated for documents with missing suppress by fields:
+ doNotSuppress - per each document a separate alert will be created
+ suppress - only alert will be created per suppress by bucket
+ enum:
+ - doNotSuppress
+ - suppress
+ type: string
+ Security_Detections_API_AlertTag:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ Security_Detections_API_AlertTags:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_AlertTag'
+ type: array
+ Security_Detections_API_AnomalyThreshold:
+ description: Anomaly threshold
+ minimum: 0
+ type: integer
+ Security_Detections_API_BuildingBlockType:
+ description: Determines if the rule acts as a building block. By default, building-block alerts are not displayed in the UI. These rules are used as a foundation for other rules that do generate alerts. Its value must be default.
+ type: string
+ Security_Detections_API_BulkActionEditPayload:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTags'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions'
+ - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule'
+ Security_Detections_API_BulkActionEditPayloadIndexPatterns:
+ type: object
+ properties:
+ overwrite_data_views:
+ type: boolean
+ type:
+ enum:
+ - add_index_patterns
+ - delete_index_patterns
+ - set_index_patterns
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ required:
+ - type
+ - value
+ Security_Detections_API_BulkActionEditPayloadInvestigationFields:
+ type: object
+ properties:
+ type:
+ enum:
+ - add_investigation_fields
+ - delete_investigation_fields
+ - set_investigation_fields
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ required:
+ - type
+ - value
+ Security_Detections_API_BulkActionEditPayloadRuleActions:
+ type: object
+ properties:
+ type:
+ enum:
+ - add_rule_actions
+ - set_rule_actions
+ type: string
+ value:
+ type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleAction'
+ type: array
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_ThrottleForBulkActions'
+ required:
+ - actions
+ required:
+ - type
+ - value
+ Security_Detections_API_BulkActionEditPayloadSchedule:
+ type: object
+ properties:
+ type:
+ enum:
+ - set_schedule
+ type: string
+ value:
+ type: object
+ properties:
+ interval:
+ description: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour.
+ example: 1h
+ pattern: ^[1-9]\d*[smh]$
+ type: string
+ lookback:
+ description: Lookback time for the rule
+ example: 1h
+ pattern: ^[1-9]\d*[smh]$
+ type: string
+ required:
+ - interval
+ - lookback
+ required:
+ - type
+ - value
+ Security_Detections_API_BulkActionEditPayloadTags:
+ type: object
+ properties:
+ type:
+ enum:
+ - add_tags
+ - delete_tags
+ - set_tags
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ required:
+ - type
+ - value
+ Security_Detections_API_BulkActionEditPayloadTimeline:
+ type: object
+ properties:
+ type:
+ enum:
+ - set_timeline
+ type: string
+ value:
+ type: object
+ properties:
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ required:
+ - timeline_id
+ - timeline_title
+ required:
+ - type
+ - value
+ Security_Detections_API_BulkActionsDryRunErrCode:
+ enum:
+ - IMMUTABLE
+ - MACHINE_LEARNING_AUTH
+ - MACHINE_LEARNING_INDEX_PATTERN
+ - ESQL_INDEX_PATTERN
+ - MANUAL_RULE_RUN_FEATURE
+ - MANUAL_RULE_RUN_DISABLED_RULE
+ type: string
+ Security_Detections_API_BulkActionSkipResult:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ skip_reason:
+ $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason'
+ required:
+ - id
+ - skip_reason
+ Security_Detections_API_BulkDeleteRules:
+ type: object
+ properties:
+ action:
+ enum:
+ - delete
+ type: string
+ ids:
+ description: Array of rule IDs
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules
+ type: string
+ required:
+ - action
+ Security_Detections_API_BulkDisableRules:
+ type: object
+ properties:
+ action:
+ enum:
+ - disable
+ type: string
+ ids:
+ description: Array of rule IDs
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules
+ type: string
+ required:
+ - action
+ Security_Detections_API_BulkDuplicateRules:
+ type: object
+ properties:
+ action:
+ enum:
+ - duplicate
+ type: string
+ duplicate:
+ type: object
+ properties:
+ include_exceptions:
+ description: Whether to copy exceptions from the original rule
+ type: boolean
+ include_expired_exceptions:
+ description: Whether to copy expired exceptions from the original rule
+ type: boolean
+ required:
+ - include_exceptions
+ - include_expired_exceptions
+ ids:
+ description: Array of rule IDs
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules
+ type: string
+ required:
+ - action
+ Security_Detections_API_BulkEditActionResponse:
+ type: object
+ properties:
+ attributes:
+ type: object
+ properties:
+ errors:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NormalizedRuleError'
+ type: array
+ results:
+ $ref: '#/components/schemas/Security_Detections_API_BulkEditActionResults'
+ summary:
+ $ref: '#/components/schemas/Security_Detections_API_BulkEditActionSummary'
+ required:
+ - results
+ - summary
+ message:
+ type: string
+ rules_count:
+ type: integer
+ status_code:
+ type: integer
+ success:
+ type: boolean
+ required:
+ - attributes
+ Security_Detections_API_BulkEditActionResults:
+ type: object
+ properties:
+ created:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ type: array
+ deleted:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ type: array
+ skipped:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult'
+ type: array
+ updated:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleResponse'
+ type: array
+ required:
+ - updated
+ - created
+ - deleted
+ - skipped
+ Security_Detections_API_BulkEditActionSummary:
+ type: object
+ properties:
+ failed:
+ type: integer
+ skipped:
+ type: integer
+ succeeded:
+ type: integer
+ total:
+ type: integer
+ required:
+ - failed
+ - skipped
+ - succeeded
+ - total
+ Security_Detections_API_BulkEditRules:
+ type: object
+ properties:
+ action:
+ enum:
+ - edit
+ type: string
+ edit:
+ description: Array of objects containing the edit operations
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload'
+ minItems: 1
+ type: array
+ ids:
+ description: Array of rule IDs
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules
+ type: string
+ required:
+ - action
+ - edit
+ Security_Detections_API_BulkEditSkipReason:
+ enum:
+ - RULE_NOT_MODIFIED
+ type: string
+ Security_Detections_API_BulkEnableRules:
+ type: object
+ properties:
+ action:
+ enum:
+ - enable
+ type: string
+ ids:
+ description: Array of rule IDs
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules
+ type: string
+ required:
+ - action
+ Security_Detections_API_BulkExportActionResponse:
+ type: string
+ Security_Detections_API_BulkExportRules:
+ type: object
+ properties:
+ action:
+ enum:
+ - export
+ type: string
+ ids:
+ description: Array of rule IDs
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules
+ type: string
+ required:
+ - action
+ Security_Detections_API_BulkManualRuleRun:
+ type: object
+ properties:
+ action:
+ enum:
+ - run
+ type: string
+ ids:
+ description: Array of rule IDs
+ items:
+ type: string
+ minItems: 1
+ type: array
+ query:
+ description: Query to filter rules
+ type: string
+ run:
+ type: object
+ properties:
+ end_date:
+ description: End date of the manual rule run
+ type: string
+ start_date:
+ description: Start date of the manual rule run
+ type: string
+ required:
+ - start_date
+ required:
+ - action
+ - run
+ Security_Detections_API_ConcurrentSearches:
+ minimum: 1
+ type: integer
+ Security_Detections_API_DataViewId:
+ type: string
+ Security_Detections_API_DefaultParams:
+ type: object
+ properties:
+ command:
+ enum:
+ - isolate
+ type: string
+ comment:
+ type: string
+ required:
+ - command
+ Security_Detections_API_EcsMapping:
+ additionalProperties:
+ type: object
+ properties:
+ field:
+ type: string
+ value:
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ type: object
+ Security_Detections_API_EndpointResponseAction:
+ type: object
+ properties:
+ action_type_id:
+ enum:
+ - .endpoint
+ type: string
+ params:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_DefaultParams'
+ - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams'
+ required:
+ - action_type_id
+ - params
+ Security_Detections_API_EqlOptionalFields:
+ type: object
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ event_category_override:
+ $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ tiebreaker_field:
+ $ref: '#/components/schemas/Security_Detections_API_TiebreakerField'
+ timestamp_field:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampField'
+ Security_Detections_API_EqlQueryLanguage:
+ enum:
+ - eql
+ type: string
+ Security_Detections_API_EqlRequiredFields:
+ type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage'
+ description: Query language to use
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ description: EQL query to execute
+ type:
+ description: Rule type
+ enum:
+ - eql
+ type: string
+ required:
+ - type
+ - query
+ - language
+ Security_Detections_API_EqlRule:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields'
+ Security_Detections_API_EqlRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
+ Security_Detections_API_EqlRuleCreateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields'
+ Security_Detections_API_EqlRulePatchFields:
+ allOf:
+ - type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage'
+ description: Query language to use
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ description: EQL query to execute
+ type:
+ description: Rule type
+ enum:
+ - eql
+ type: string
+ - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
+ Security_Detections_API_EqlRulePatchProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields'
+ Security_Detections_API_EqlRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields'
+ Security_Detections_API_EqlRuleUpdateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields'
+ Security_Detections_API_ErrorSchema:
+ additionalProperties: false
+ type: object
+ properties:
+ error:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ minimum: 400
+ type: integer
+ required:
+ - status_code
+ - message
+ id:
+ type: string
+ item_id:
+ minLength: 1
+ type: string
+ list_id:
+ minLength: 1
+ type: string
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ required:
+ - error
+ Security_Detections_API_EsqlQueryLanguage:
+ enum:
+ - esql
+ type: string
+ Security_Detections_API_EsqlRule:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields'
+ Security_Detections_API_EsqlRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields'
+ Security_Detections_API_EsqlRuleCreateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields'
+ Security_Detections_API_EsqlRuleOptionalFields:
+ type: object
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ Security_Detections_API_EsqlRulePatchProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ description: ESQL query to execute
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ type:
+ description: Rule type
+ enum:
+ - esql
+ type: string
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
+ Security_Detections_API_EsqlRuleRequiredFields:
+ type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ description: ESQL query to execute
+ type:
+ description: Rule type
+ enum:
+ - esql
+ type: string
+ required:
+ - type
+ - language
+ - query
+ Security_Detections_API_EsqlRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields'
+ Security_Detections_API_EsqlRuleUpdateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields'
+ Security_Detections_API_EventCategoryOverride:
+ type: string
+ Security_Detections_API_ExceptionListType:
+ description: The exception type
+ enum:
+ - detection
+ - rule_default
+ - endpoint
+ - endpoint_trusted_apps
+ - endpoint_events
+ - endpoint_host_isolation_exceptions
+ - endpoint_blocklists
+ type: string
+ Security_Detections_API_ExternalRuleSource:
+ description: Type of rule source for externally sourced rules, i.e. rules that have an external source, such as the Elastic Prebuilt rules repo.
+ type: object
+ properties:
+ is_customized:
+ $ref: '#/components/schemas/Security_Detections_API_IsExternalRuleCustomized'
+ type:
+ enum:
+ - external
+ type: string
+ required:
+ - type
+ - is_customized
+ Security_Detections_API_FindRulesSortField:
+ enum:
+ - created_at
+ - createdAt
+ - enabled
+ - execution_summary.last_execution.date
+ - execution_summary.last_execution.metrics.execution_gap_duration_s
+ - execution_summary.last_execution.metrics.total_indexing_duration_ms
+ - execution_summary.last_execution.metrics.total_search_duration_ms
+ - execution_summary.last_execution.status
+ - name
+ - risk_score
+ - riskScore
+ - severity
+ - updated_at
+ - updatedAt
+ type: string
+ Security_Detections_API_HistoryWindowStart:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ Security_Detections_API_IndexPatternArray:
+ items:
+ type: string
+ type: array
+ Security_Detections_API_InternalRuleSource:
+ description: Type of rule source for internally sourced rules, i.e. created within the Kibana apps.
+ type: object
+ properties:
+ type:
+ enum:
+ - internal
+ type: string
+ required:
+ - type
+ Security_Detections_API_InvestigationFields:
+ description: |
+ Schema for fields relating to investigation fields. These are user defined fields we use to highlight
+ in various features in the UI such as alert details flyout and exceptions auto-population from alert.
+ Added in PR #163235
+ Right now we only have a single field but anticipate adding more related fields to store various
+ configuration states such as `override` - where a user might say if they want only these fields to
+ display, or if they want these fields + the fields we select. When expanding this field, it may look
+ something like:
+ ```typescript
+ const investigationFields = z.object({
+ field_names: NonEmptyArray(NonEmptyString),
+ override: z.boolean().optional(),
+ });
+ ```
+ type: object
+ properties:
+ field_names:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ minItems: 1
+ type: array
+ required:
+ - field_names
+ Security_Detections_API_InvestigationGuide:
+ description: Notes to help investigate alerts produced by the rule.
+ type: string
+ Security_Detections_API_IsExternalRuleCustomized:
+ description: Determines whether an external/prebuilt rule has been customized by the user (i.e. any of its fields have been modified and diverged from the base value).
+ type: boolean
+ Security_Detections_API_IsRuleEnabled:
+ description: Determines whether the rule is enabled.
+ type: boolean
+ Security_Detections_API_IsRuleImmutable:
+ deprecated: true
+ description: This field determines whether the rule is a prebuilt Elastic rule. It will be replaced with the `rule_source` field.
+ type: boolean
+ Security_Detections_API_ItemsPerSearch:
+ minimum: 1
+ type: integer
+ Security_Detections_API_KqlQueryLanguage:
+ enum:
+ - kuery
+ - lucene
+ type: string
+ Security_Detections_API_MachineLearningJobId:
+ description: Machine learning job ID
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ minItems: 1
+ type: array
+ Security_Detections_API_MachineLearningRule:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields'
+ Security_Detections_API_MachineLearningRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
+ Security_Detections_API_MachineLearningRuleCreateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields'
+ Security_Detections_API_MachineLearningRuleOptionalFields:
+ type: object
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ Security_Detections_API_MachineLearningRulePatchFields:
+ allOf:
+ - type: object
+ properties:
+ anomaly_threshold:
+ $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold'
+ machine_learning_job_id:
+ $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId'
+ type:
+ description: Rule type
+ enum:
+ - machine_learning
+ type: string
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
+ Security_Detections_API_MachineLearningRulePatchProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchFields'
+ Security_Detections_API_MachineLearningRuleRequiredFields:
+ type: object
+ properties:
+ anomaly_threshold:
+ $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold'
+ machine_learning_job_id:
+ $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId'
+ type:
+ description: Rule type
+ enum:
+ - machine_learning
+ type: string
+ required:
+ - type
+ - machine_learning_job_id
+ - anomaly_threshold
+ Security_Detections_API_MachineLearningRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields'
+ Security_Detections_API_MachineLearningRuleUpdateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields'
+ Security_Detections_API_MaxSignals:
+ minimum: 1
+ type: integer
+ Security_Detections_API_NewTermsFields:
+ items:
+ type: string
+ maxItems: 3
+ minItems: 1
+ type: array
+ Security_Detections_API_NewTermsRule:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleResponseFields'
+ Security_Detections_API_NewTermsRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields'
+ Security_Detections_API_NewTermsRuleCreateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields'
+ Security_Detections_API_NewTermsRuleDefaultableFields:
+ type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ Security_Detections_API_NewTermsRuleOptionalFields:
+ type: object
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ Security_Detections_API_NewTermsRulePatchFields:
+ allOf:
+ - type: object
+ properties:
+ history_window_start:
+ $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart'
+ new_terms_fields:
+ $ref: '#/components/schemas/Security_Detections_API_NewTermsFields'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ type:
+ description: Rule type
+ enum:
+ - new_terms
+ type: string
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields'
+ Security_Detections_API_NewTermsRulePatchProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields'
+ Security_Detections_API_NewTermsRuleRequiredFields:
+ type: object
+ properties:
+ history_window_start:
+ $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart'
+ new_terms_fields:
+ $ref: '#/components/schemas/Security_Detections_API_NewTermsFields'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ type:
+ description: Rule type
+ enum:
+ - new_terms
+ type: string
+ required:
+ - type
+ - query
+ - new_terms_fields
+ - history_window_start
+ Security_Detections_API_NewTermsRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields'
+ - type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ required:
+ - language
+ Security_Detections_API_NewTermsRuleUpdateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateFields'
+ Security_Detections_API_NonEmptyString:
+ description: A string that is not empty and does not contain only whitespace
+ minLength: 1
+ pattern: ^(?! *$).+$
+ type: string
+ Security_Detections_API_NormalizedRuleAction:
+ additionalProperties: false
+ type: object
+ properties:
+ alerts_filter:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter'
+ frequency:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency'
+ group:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionId'
+ params:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionParams'
+ required:
+ - id
+ - params
+ Security_Detections_API_NormalizedRuleError:
+ type: object
+ properties:
+ err_code:
+ $ref: '#/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode'
+ message:
+ type: string
+ rules:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError'
+ type: array
+ status_code:
+ type: integer
+ required:
+ - message
+ - status_code
+ - rules
+ Security_Detections_API_OsqueryParams:
+ type: object
+ properties:
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_EcsMapping'
+ pack_id:
+ type: string
+ queries:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery'
+ type: array
+ query:
+ type: string
+ saved_query_id:
+ type: string
+ timeout:
+ type: number
+ Security_Detections_API_OsqueryQuery:
+ type: object
+ properties:
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_EcsMapping'
+ id:
+ description: Query ID
+ type: string
+ platform:
+ type: string
+ query:
+ description: Query to run
+ type: string
+ removed:
+ type: boolean
+ snapshot:
+ type: boolean
+ version:
+ description: Query version
+ type: string
+ required:
+ - id
+ - query
+ Security_Detections_API_OsqueryResponseAction:
+ type: object
+ properties:
+ action_type_id:
+ enum:
+ - .osquery
+ type: string
+ params:
+ $ref: '#/components/schemas/Security_Detections_API_OsqueryParams'
+ required:
+ - action_type_id
+ - params
+ Security_Detections_API_PlatformErrorResponse:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: integer
+ required:
+ - statusCode
+ - error
+ - message
+ Security_Detections_API_ProcessesParams:
+ type: object
+ properties:
+ command:
+ enum:
+ - kill-process
+ - suspend-process
+ type: string
+ comment:
+ type: string
+ config:
+ type: object
+ properties:
+ field:
+ description: Field to use instead of process.pid
+ type: string
+ overwrite:
+ default: true
+ description: Whether to overwrite field with process.pid
+ type: boolean
+ required:
+ - field
+ required:
+ - command
+ - config
+ Security_Detections_API_QueryRule:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields'
+ Security_Detections_API_QueryRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields'
+ Security_Detections_API_QueryRuleCreateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields'
+ Security_Detections_API_QueryRuleDefaultableFields:
+ type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ Security_Detections_API_QueryRuleOptionalFields:
+ type: object
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ saved_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
+ Security_Detections_API_QueryRulePatchFields:
+ allOf:
+ - type: object
+ properties:
+ type:
+ description: Rule type
+ enum:
+ - query
+ type: string
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleDefaultableFields'
+ Security_Detections_API_QueryRulePatchProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields'
+ Security_Detections_API_QueryRuleRequiredFields:
+ type: object
+ properties:
+ type:
+ description: Rule type
+ enum:
+ - query
+ type: string
+ required:
+ - type
+ Security_Detections_API_QueryRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields'
+ - type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ required:
+ - query
+ - language
+ Security_Detections_API_QueryRuleUpdateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields'
+ Security_Detections_API_RelatedIntegration:
+ description: |
+ Related integration is a potential dependency of a rule. It's assumed that if the user installs
+ one of the related integrations of a rule, the rule might start to work properly because it will
+ have source events (generated by this integration) potentially matching the rule's query.
+
+ NOTE: Proper work is not guaranteed, because a related integration, if installed, can be
+ configured differently or generate data that is not necessarily relevant for this rule.
+
+ Related integration is a combination of a Fleet package and (optionally) one of the
+ package's "integrations" that this package contains. It is represented by 3 properties:
+
+ - `package`: name of the package (required, unique id)
+ - `version`: version of the package (required, semver-compatible)
+ - `integration`: name of the integration of this package (optional, id within the package)
+
+ There are Fleet packages like `windows` that contain only one integration; in this case,
+ `integration` should be unspecified. There are also packages like `aws` and `azure` that contain
+ several integrations; in this case, `integration` should be specified.
+
+ @example
+ const x: RelatedIntegration = {
+ package: 'windows',
+ version: '1.5.x',
+ };
+
+ @example
+ const x: RelatedIntegration = {
+ package: 'azure',
+ version: '~1.1.6',
+ integration: 'activitylogs',
+ };
+ type: object
+ properties:
+ integration:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ package:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ required:
+ - package
+ - version
+ Security_Detections_API_RelatedIntegrationArray:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration'
+ type: array
+ Security_Detections_API_RequiredField:
+ description: |
+ Describes an Elasticsearch field that is needed for the rule to function.
+
+ Almost all types of Security rules check source event documents for a match to some kind of
+ query or filter. If a document has certain field with certain values, then it's a match and
+ the rule will generate an alert.
+
+ Required field is an event field that must be present in the source indices of a given rule.
+
+ @example
+ const standardEcsField: RequiredField = {
+ name: 'event.action',
+ type: 'keyword',
+ ecs: true,
+ };
+
+ @example
+ const nonEcsField: RequiredField = {
+ name: 'winlog.event_data.AttributeLDAPDisplayName',
+ type: 'keyword',
+ ecs: false,
+ };
+ type: object
+ properties:
+ ecs:
+ description: Whether the field is an ECS field
+ type: boolean
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ description: Name of an Elasticsearch field
+ type:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ description: Type of the Elasticsearch field
+ required:
+ - name
+ - type
+ - ecs
+ Security_Detections_API_RequiredFieldArray:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredField'
+ type: array
+ Security_Detections_API_RequiredFieldInput:
+ description: Input parameters to create a RequiredField. Does not include the `ecs` field, because `ecs` is calculated on the backend based on the field name and type.
+ type: object
+ properties:
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ description: Name of an Elasticsearch field
+ type:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ description: Type of an Elasticsearch field
+ required:
+ - name
+ - type
+ Security_Detections_API_ResponseAction:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction'
+ - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction'
+ Security_Detections_API_ResponseFields:
+ type: object
+ properties:
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ type: string
+ execution_summary:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ immutable:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable'
+ required_fields:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray'
+ revision:
+ minimum: 0
+ type: integer
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_source:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSource'
+ updated_at:
+ format: date-time
+ type: string
+ updated_by:
+ type: string
+ required:
+ - id
+ - rule_id
+ - immutable
+ - rule_source
+ - updated_at
+ - updated_by
+ - created_at
+ - created_by
+ - revision
+ - related_integrations
+ - required_fields
+ Security_Detections_API_RiskScore:
+ description: Risk score (0 to 100)
+ maximum: 100
+ minimum: 0
+ type: integer
+ Security_Detections_API_RiskScoreMapping:
+ description: Overrides generated alerts' risk_score with a value from the source event
+ items:
+ type: object
+ properties:
+ field:
+ type: string
+ operator:
+ enum:
+ - equals
+ type: string
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ value:
+ type: string
+ required:
+ - field
+ - operator
+ - value
+ type: array
+ Security_Detections_API_RuleAction:
+ type: object
+ properties:
+ action_type_id:
+ description: The action type used for sending notifications.
+ type: string
+ alerts_filter:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter'
+ frequency:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency'
+ group:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionId'
+ params:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionParams'
+ uuid:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ required:
+ - action_type_id
+ - id
+ - params
+ Security_Detections_API_RuleActionAlertsFilter:
+ additionalProperties: true
+ type: object
+ Security_Detections_API_RuleActionFrequency:
+ description: The action frequency defines when the action runs (for example, only on rule execution or at specific time intervals).
+ type: object
+ properties:
+ notifyWhen:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen'
+ summary:
+ description: Action summary indicates whether we will send a summary notification about all the generate alerts or notification per individual alert
+ type: boolean
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ nullable: true
+ required:
+ - summary
+ - notifyWhen
+ - throttle
+ Security_Detections_API_RuleActionGroup:
+ description: Optionally groups actions by use cases. Use `default` for alert notifications.
+ type: string
+ Security_Detections_API_RuleActionId:
+ description: The connector ID.
+ type: string
+ Security_Detections_API_RuleActionNotifyWhen:
+ description: 'The condition for throttling the notification: `onActionGroupChange`, `onActiveAlert`, or `onThrottleInterval`'
+ enum:
+ - onActiveAlert
+ - onThrottleInterval
+ - onActionGroupChange
+ type: string
+ Security_Detections_API_RuleActionParams:
+ additionalProperties: true
+ description: Object containing the allowed connector fields, which varies according to the connector type.
+ type: object
+ Security_Detections_API_RuleActionThrottle:
+ description: Defines how often rule actions are taken.
+ oneOf:
+ - enum:
+ - no_actions
+ - rule
+ type: string
+ - description: Time interval in seconds, minutes, hours, or days.
+ example: 1h
+ pattern: ^[1-9]\d*[smhd]$
+ type: string
+ Security_Detections_API_RuleAuthorArray:
+ items:
+ type: string
+ type: array
+ Security_Detections_API_RuleCreateProps:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps'
+ discriminator:
+ propertyName: type
+ Security_Detections_API_RuleDescription:
+ minLength: 1
+ type: string
+ Security_Detections_API_RuleDetailsInError:
+ type: object
+ properties:
+ id:
+ type: string
+ name:
+ type: string
+ required:
+ - id
+ Security_Detections_API_RuleExceptionList:
+ type: object
+ properties:
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ description: ID of the exception container
+ list_id:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ description: List ID of the exception container
+ namespace_type:
+ description: Determines the exceptions validity in rule's Kibana space
+ enum:
+ - agnostic
+ - single
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Detections_API_ExceptionListType'
+ required:
+ - id
+ - list_id
+ - type
+ - namespace_type
+ Security_Detections_API_RuleExecutionMetrics:
+ type: object
+ properties:
+ execution_gap_duration_s:
+ description: Duration in seconds of execution gap
+ minimum: 0
+ type: integer
+ total_enrichment_duration_ms:
+ description: Total time spent enriching documents during current rule execution cycle
+ minimum: 0
+ type: integer
+ total_indexing_duration_ms:
+ description: Total time spent indexing documents during current rule execution cycle
+ minimum: 0
+ type: integer
+ total_search_duration_ms:
+ description: Total time spent performing ES searches as measured by Kibana; includes network latency and time spent serializing/deserializing request/response
+ minimum: 0
+ type: integer
+ Security_Detections_API_RuleExecutionStatus:
+ description: |-
+ Custom execution status of Security rules that is different from the status used in the Alerting Framework. We merge our custom status with the Framework's status to determine the resulting status of a rule.
+ - going to run - @deprecated Replaced by the 'running' status but left for backwards compatibility with rule execution events already written to Event Log in the prior versions of Kibana. Don't use when writing rule status changes.
+ - running - Rule execution started but not reached any intermediate or final status.
+ - partial failure - Rule can partially fail for various reasons either in the middle of an execution (in this case we update its status right away) or in the end of it. So currently this status can be both intermediate and final at the same time. A typical reason for a partial failure: not all the indices that the rule searches over actually exist.
+ - failed - Rule failed to execute due to unhandled exception or a reason defined in the business logic of its executor function.
+ - succeeded - Rule executed successfully without any issues. Note: this status is just an indication of a rule's "health". The rule might or might not generate any alerts despite of it.
+ enum:
+ - going to run
+ - running
+ - partial failure
+ - failed
+ - succeeded
+ type: string
+ Security_Detections_API_RuleExecutionStatusOrder:
+ type: integer
+ Security_Detections_API_RuleExecutionSummary:
+ type: object
+ properties:
+ last_execution:
+ type: object
+ properties:
+ date:
+ description: Date of the last execution
+ format: date-time
+ type: string
+ message:
+ type: string
+ metrics:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExecutionMetrics'
+ status:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus'
+ description: Status of the last execution
+ status_order:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatusOrder'
+ required:
+ - date
+ - status
+ - status_order
+ - message
+ - metrics
+ required:
+ - last_execution
+ Security_Detections_API_RuleFalsePositiveArray:
+ items:
+ type: string
+ type: array
+ Security_Detections_API_RuleFilterArray:
+ items: {}
+ type: array
+ Security_Detections_API_RuleInterval:
+ description: Frequency of rule execution, using a date math range. For example, "1h" means the rule runs every hour. Defaults to 5m (5 minutes).
+ type: string
+ Security_Detections_API_RuleIntervalFrom:
+ description: Time from which data is analyzed each time the rule runs, using a date math range. For example, now-4200s means the rule analyzes data from 70 minutes before its start time. Defaults to now-6m (analyzes data from 6 minutes before the start time).
+ format: date-math
+ type: string
+ Security_Detections_API_RuleIntervalTo:
+ type: string
+ Security_Detections_API_RuleLicense:
+ description: The rule's license.
+ type: string
+ Security_Detections_API_RuleMetadata:
+ additionalProperties: true
+ type: object
+ Security_Detections_API_RuleName:
+ minLength: 1
+ type: string
+ Security_Detections_API_RuleNameOverride:
+ description: Sets the source field for the alert's signal.rule.name value
+ type: string
+ Security_Detections_API_RuleObjectId:
+ $ref: '#/components/schemas/Security_Detections_API_UUID'
+ Security_Detections_API_RulePatchProps:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps'
+ Security_Detections_API_RulePreviewLoggedRequest:
+ type: object
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ duration:
+ type: integer
+ request:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ required:
+ - request
+ Security_Detections_API_RulePreviewLogs:
+ type: object
+ properties:
+ duration:
+ description: Execution duration in milliseconds
+ type: integer
+ errors:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ type: array
+ requests:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RulePreviewLoggedRequest'
+ type: array
+ startedAt:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ warnings:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ type: array
+ required:
+ - errors
+ - warnings
+ - duration
+ Security_Detections_API_RulePreviewParams:
+ type: object
+ properties:
+ invocationCount:
+ type: integer
+ timeframeEnd:
+ format: date-time
+ type: string
+ required:
+ - invocationCount
+ - timeframeEnd
+ Security_Detections_API_RuleQuery:
+ type: string
+ Security_Detections_API_RuleReferenceArray:
+ items:
+ type: string
+ type: array
+ Security_Detections_API_RuleResponse:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRule'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRule'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRule'
+ discriminator:
+ propertyName: type
+ Security_Detections_API_RuleSignatureId:
+ description: Could be any string, not necessarily a UUID
+ type: string
+ Security_Detections_API_RuleSource:
+ description: Discriminated union that determines whether the rule is internally sourced (created within the Kibana app) or has an external source, such as the Elastic Prebuilt rules repo.
+ discriminator:
+ propertyName: type
+ oneOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource'
+ - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource'
+ Security_Detections_API_RuleTagArray:
+ description: String array containing words and phrases to help categorize, filter, and search rules. Defaults to an empty array.
+ items:
+ type: string
+ type: array
+ Security_Detections_API_RuleUpdateProps:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps'
+ - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps'
+ discriminator:
+ propertyName: type
+ Security_Detections_API_RuleVersion:
+ description: The rule's version number.
+ minimum: 1
+ type: integer
+ Security_Detections_API_SavedObjectResolveAliasPurpose:
+ enum:
+ - savedObjectConversion
+ - savedObjectImport
+ type: string
+ Security_Detections_API_SavedObjectResolveAliasTargetId:
+ type: string
+ Security_Detections_API_SavedObjectResolveOutcome:
+ enum:
+ - exactMatch
+ - aliasMatch
+ - conflict
+ type: string
+ Security_Detections_API_SavedQueryId:
+ type: string
+ Security_Detections_API_SavedQueryRule:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields'
+ Security_Detections_API_SavedQueryRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields'
+ Security_Detections_API_SavedQueryRuleCreateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields'
+ Security_Detections_API_SavedQueryRuleDefaultableFields:
+ type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ Security_Detections_API_SavedQueryRuleOptionalFields:
+ type: object
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ Security_Detections_API_SavedQueryRulePatchFields:
+ allOf:
+ - type: object
+ properties:
+ saved_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
+ type:
+ description: Rule type
+ enum:
+ - saved_query
+ type: string
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields'
+ Security_Detections_API_SavedQueryRulePatchProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRulePatchFields'
+ Security_Detections_API_SavedQueryRuleRequiredFields:
+ type: object
+ properties:
+ saved_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
+ type:
+ description: Rule type
+ enum:
+ - saved_query
+ type: string
+ required:
+ - type
+ - saved_id
+ Security_Detections_API_SavedQueryRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields'
+ - type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ required:
+ - language
+ Security_Detections_API_SavedQueryRuleUpdateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields'
+ Security_Detections_API_SetAlertsStatusByIds:
+ type: object
+ properties:
+ signal_ids:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ minItems: 1
+ type: array
+ status:
+ $ref: '#/components/schemas/Security_Detections_API_AlertStatus'
+ required:
+ - signal_ids
+ - status
+ Security_Detections_API_SetAlertsStatusByQuery:
+ type: object
+ properties:
+ conflicts:
+ default: abort
+ enum:
+ - abort
+ - proceed
+ type: string
+ query:
+ additionalProperties: true
+ type: object
+ status:
+ $ref: '#/components/schemas/Security_Detections_API_AlertStatus'
+ required:
+ - query
+ - status
+ Security_Detections_API_SetAlertTags:
+ type: object
+ properties:
+ tags_to_add:
+ $ref: '#/components/schemas/Security_Detections_API_AlertTags'
+ tags_to_remove:
+ $ref: '#/components/schemas/Security_Detections_API_AlertTags'
+ required:
+ - tags_to_add
+ - tags_to_remove
+ Security_Detections_API_SetupGuide:
+ type: string
+ Security_Detections_API_Severity:
+ description: Severity of the rule
+ enum:
+ - low
+ - medium
+ - high
+ - critical
+ type: string
+ Security_Detections_API_SeverityMapping:
+ description: Overrides generated alerts' severity with values from the source event
+ items:
+ type: object
+ properties:
+ field:
+ type: string
+ operator:
+ enum:
+ - equals
+ type: string
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ value:
+ type: string
+ required:
+ - field
+ - operator
+ - severity
+ - value
+ type: array
+ Security_Detections_API_SiemErrorResponse:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - status_code
+ - message
+ Security_Detections_API_SortOrder:
+ enum:
+ - asc
+ - desc
+ type: string
+ Security_Detections_API_Threat:
+ type: object
+ properties:
+ framework:
+ description: Relevant attack framework
+ type: string
+ tactic:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatTactic'
+ technique:
+ description: Array containing information on the attack techniques (optional)
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique'
+ type: array
+ required:
+ - framework
+ - tactic
+ Security_Detections_API_ThreatArray:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_Threat'
+ type: array
+ Security_Detections_API_ThreatFilters:
+ items:
+ description: Query and filter context array used to filter documents from the Elasticsearch index containing the threat values
+ type: array
+ Security_Detections_API_ThreatIndex:
+ items:
+ type: string
+ type: array
+ Security_Detections_API_ThreatIndicatorPath:
+ description: Defines the path to the threat indicator in the indicator documents (optional)
+ type: string
+ Security_Detections_API_ThreatMapping:
+ items:
+ type: object
+ properties:
+ entries:
+ items:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ type:
+ enum:
+ - mapping
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_NonEmptyString'
+ required:
+ - field
+ - type
+ - value
+ type: array
+ required:
+ - entries
+ minItems: 1
+ type: array
+ Security_Detections_API_ThreatMatchRule:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields'
+ Security_Detections_API_ThreatMatchRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields'
+ Security_Detections_API_ThreatMatchRuleCreateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields'
+ Security_Detections_API_ThreatMatchRuleDefaultableFields:
+ type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ Security_Detections_API_ThreatMatchRuleOptionalFields:
+ type: object
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppression'
+ concurrent_searches:
+ $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ items_per_search:
+ $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch'
+ saved_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
+ threat_filters:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatFilters'
+ threat_indicator_path:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath'
+ threat_language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ Security_Detections_API_ThreatMatchRulePatchFields:
+ allOf:
+ - type: object
+ properties:
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ threat_index:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatIndex'
+ threat_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatMapping'
+ threat_query:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatQuery'
+ type:
+ description: Rule type
+ enum:
+ - threat_match
+ type: string
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields'
+ Security_Detections_API_ThreatMatchRulePatchProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields'
+ Security_Detections_API_ThreatMatchRuleRequiredFields:
+ type: object
+ properties:
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ threat_index:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatIndex'
+ threat_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatMapping'
+ threat_query:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatQuery'
+ type:
+ description: Rule type
+ enum:
+ - threat_match
+ type: string
+ required:
+ - type
+ - query
+ - threat_query
+ - threat_mapping
+ - threat_index
+ Security_Detections_API_ThreatMatchRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields'
+ - type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ required:
+ - language
+ Security_Detections_API_ThreatMatchRuleUpdateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields'
+ Security_Detections_API_ThreatQuery:
+ description: Query to run
+ type: string
+ Security_Detections_API_ThreatSubtechnique:
+ type: object
+ properties:
+ id:
+ description: Subtechnique ID
+ type: string
+ name:
+ description: Subtechnique name
+ type: string
+ reference:
+ description: Subtechnique reference
+ type: string
+ required:
+ - id
+ - name
+ - reference
+ Security_Detections_API_ThreatTactic:
+ type: object
+ properties:
+ id:
+ description: Tactic ID
+ type: string
+ name:
+ description: Tactic name
+ type: string
+ reference:
+ description: Tactic reference
+ type: string
+ required:
+ - id
+ - name
+ - reference
+ Security_Detections_API_ThreatTechnique:
+ type: object
+ properties:
+ id:
+ description: Technique ID
+ type: string
+ name:
+ description: Technique name
+ type: string
+ reference:
+ description: Technique reference
+ type: string
+ subtechnique:
+ description: Array containing more specific information on the attack technique
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique'
+ type: array
+ required:
+ - id
+ - name
+ - reference
+ Security_Detections_API_Threshold:
+ type: object
+ properties:
+ cardinality:
+ $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality'
+ field:
+ $ref: '#/components/schemas/Security_Detections_API_ThresholdField'
+ value:
+ $ref: '#/components/schemas/Security_Detections_API_ThresholdValue'
+ required:
+ - field
+ - value
+ Security_Detections_API_ThresholdAlertSuppression:
+ type: object
+ properties:
+ duration:
+ $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionDuration'
+ required:
+ - duration
+ Security_Detections_API_ThresholdCardinality:
+ items:
+ type: object
+ properties:
+ field:
+ type: string
+ value:
+ minimum: 0
+ type: integer
+ required:
+ - field
+ - value
+ type: array
+ Security_Detections_API_ThresholdField:
+ description: Field to aggregate on
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ Security_Detections_API_ThresholdRule:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - version
+ - tags
+ - enabled
+ - risk_score_mapping
+ - severity_mapping
+ - interval
+ - from
+ - to
+ - actions
+ - exceptions_list
+ - author
+ - false_positives
+ - references
+ - max_signals
+ - threat
+ - setup
+ - related_integrations
+ - required_fields
+ - $ref: '#/components/schemas/Security_Detections_API_ResponseFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleResponseFields'
+ Security_Detections_API_ThresholdRuleCreateFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
+ Security_Detections_API_ThresholdRuleCreateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields'
+ Security_Detections_API_ThresholdRuleDefaultableFields:
+ type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ Security_Detections_API_ThresholdRuleOptionalFields:
+ type: object
+ properties:
+ alert_suppression:
+ $ref: '#/components/schemas/Security_Detections_API_ThresholdAlertSuppression'
+ data_view_id:
+ $ref: '#/components/schemas/Security_Detections_API_DataViewId'
+ filters:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray'
+ index:
+ $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray'
+ saved_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedQueryId'
+ Security_Detections_API_ThresholdRulePatchFields:
+ allOf:
+ - type: object
+ properties:
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ threshold:
+ $ref: '#/components/schemas/Security_Detections_API_Threshold'
+ type:
+ description: Rule type
+ enum:
+ - threshold
+ type: string
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields'
+ Security_Detections_API_ThresholdRulePatchProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchFields'
+ Security_Detections_API_ThresholdRuleRequiredFields:
+ type: object
+ properties:
+ query:
+ $ref: '#/components/schemas/Security_Detections_API_RuleQuery'
+ threshold:
+ $ref: '#/components/schemas/Security_Detections_API_Threshold'
+ type:
+ description: Rule type
+ enum:
+ - threshold
+ type: string
+ required:
+ - type
+ - query
+ - threshold
+ Security_Detections_API_ThresholdRuleResponseFields:
+ allOf:
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields'
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields'
+ - type: object
+ properties:
+ language:
+ $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage'
+ required:
+ - language
+ Security_Detections_API_ThresholdRuleUpdateProps:
+ allOf:
+ - type: object
+ properties:
+ actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAction'
+ type: array
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId'
+ author:
+ $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray'
+ building_block_type:
+ $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType'
+ description:
+ $ref: '#/components/schemas/Security_Detections_API_RuleDescription'
+ enabled:
+ $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled'
+ exceptions_list:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList'
+ type: array
+ false_positives:
+ $ref: '#/components/schemas/Security_Detections_API_RuleFalsePositiveArray'
+ from:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom'
+ id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleObjectId'
+ interval:
+ $ref: '#/components/schemas/Security_Detections_API_RuleInterval'
+ investigation_fields:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationFields'
+ license:
+ $ref: '#/components/schemas/Security_Detections_API_RuleLicense'
+ max_signals:
+ $ref: '#/components/schemas/Security_Detections_API_MaxSignals'
+ meta:
+ $ref: '#/components/schemas/Security_Detections_API_RuleMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Detections_API_RuleName'
+ namespace:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndexNamespace'
+ note:
+ $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide'
+ outcome:
+ $ref: '#/components/schemas/Security_Detections_API_SavedObjectResolveOutcome'
+ output_index:
+ $ref: '#/components/schemas/Security_Detections_API_AlertsIndex'
+ references:
+ $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray'
+ related_integrations:
+ $ref: '#/components/schemas/Security_Detections_API_RelatedIntegrationArray'
+ required_fields:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_RequiredFieldInput'
+ type: array
+ response_actions:
+ items:
+ $ref: '#/components/schemas/Security_Detections_API_ResponseAction'
+ type: array
+ risk_score:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScore'
+ risk_score_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping'
+ rule_id:
+ $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId'
+ rule_name_override:
+ $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride'
+ setup:
+ $ref: '#/components/schemas/Security_Detections_API_SetupGuide'
+ severity:
+ $ref: '#/components/schemas/Security_Detections_API_Severity'
+ severity_mapping:
+ $ref: '#/components/schemas/Security_Detections_API_SeverityMapping'
+ tags:
+ $ref: '#/components/schemas/Security_Detections_API_RuleTagArray'
+ threat:
+ $ref: '#/components/schemas/Security_Detections_API_ThreatArray'
+ throttle:
+ $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle'
+ timeline_id:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId'
+ timeline_title:
+ $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateTitle'
+ timestamp_override:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverride'
+ timestamp_override_fallback_disabled:
+ $ref: '#/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled'
+ to:
+ $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo'
+ version:
+ $ref: '#/components/schemas/Security_Detections_API_RuleVersion'
+ required:
+ - name
+ - description
+ - risk_score
+ - severity
+ - $ref: '#/components/schemas/Security_Detections_API_ThresholdRuleCreateFields'
+ Security_Detections_API_ThresholdValue:
+ description: Threshold value
+ minimum: 1
+ type: integer
+ Security_Detections_API_ThrottleForBulkActions:
+ description: 'The condition for throttling the notification: ''rule'', ''no_actions'', or time duration'
+ enum:
+ - rule
+ - 1h
+ - 1d
+ - 7d
+ type: string
+ Security_Detections_API_TiebreakerField:
+ description: Sets a secondary field for sorting events
+ type: string
+ Security_Detections_API_TimelineTemplateId:
+ description: Timeline template ID
+ type: string
+ Security_Detections_API_TimelineTemplateTitle:
+ description: Timeline template title
+ type: string
+ Security_Detections_API_TimestampField:
+ description: Contains the event timestamp used for sorting a sequence of events
+ type: string
+ Security_Detections_API_TimestampOverride:
+ description: Sets the time field used to query indices
+ type: string
+ Security_Detections_API_TimestampOverrideFallbackDisabled:
+ description: Disables the fallback to the event's @timestamp field
+ type: boolean
+ Security_Detections_API_UUID:
+ description: A universally unique identifier
+ format: uuid
+ type: string
+ Security_Detections_API_WarningSchema:
+ type: object
+ properties:
+ actionPath:
+ type: string
+ buttonLabel:
+ type: string
+ message:
+ type: string
+ type:
+ type: string
+ required:
+ - type
+ - message
+ - actionPath
+ Security_Endpoint_Exceptions_API_EndpointList:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList'
+ - additionalProperties: false
+ type: object
+ Security_Endpoint_Exceptions_API_EndpointListItem:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem'
+ Security_Endpoint_Exceptions_API_ExceptionList:
+ type: object
+ properties:
+ _version:
+ type: string
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription'
+ id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId'
+ immutable:
+ type: boolean
+ list_id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta'
+ name:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType'
+ os_types:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray'
+ tags:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags'
+ tie_breaker_id:
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType'
+ updated_at:
+ format: date-time
+ type: string
+ updated_by:
+ type: string
+ version:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion'
+ required:
+ - id
+ - list_id
+ - type
+ - name
+ - description
+ - immutable
+ - namespace_type
+ - version
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ Security_Endpoint_Exceptions_API_ExceptionListDescription:
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListHumanId:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ description: Human readable string identifier, e.g. `trusted-linux-processes`
+ Security_Endpoint_Exceptions_API_ExceptionListId:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ Security_Endpoint_Exceptions_API_ExceptionListItem:
+ type: object
+ properties:
+ _version:
+ type: string
+ comments:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray'
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription'
+ entries:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray'
+ expire_time:
+ format: date-time
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId'
+ item_id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId'
+ list_id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta'
+ name:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType'
+ os_types:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray'
+ tags:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags'
+ tie_breaker_id:
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType'
+ updated_at:
+ format: date-time
+ type: string
+ updated_by:
+ type: string
+ required:
+ - id
+ - item_id
+ - list_id
+ - type
+ - name
+ - description
+ - entries
+ - namespace_type
+ - comments
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ Security_Endpoint_Exceptions_API_ExceptionListItemComment:
+ type: object
+ properties:
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ updated_at:
+ format: date-time
+ type: string
+ updated_by:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ required:
+ - id
+ - comment
+ - created_at
+ - created_by
+ Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment'
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListItemDescription:
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntry:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard'
+ discriminator:
+ propertyName: type
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry'
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - exists
+ type: string
+ required:
+ - type
+ - field
+ - operator
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryList:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ list:
+ type: object
+ properties:
+ id:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId'
+ type:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType'
+ required:
+ - id
+ - type
+ operator:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - list
+ type: string
+ required:
+ - type
+ - field
+ - list
+ - operator
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - match
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ required:
+ - type
+ - field
+ - value
+ - operator
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - match_any
+ type: string
+ value:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ minItems: 1
+ type: array
+ required:
+ - type
+ - field
+ - value
+ - operator
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - wildcard
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ required:
+ - type
+ - field
+ - value
+ - operator
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested:
+ type: object
+ properties:
+ entries:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem'
+ minItems: 1
+ type: array
+ field:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ type:
+ enum:
+ - nested
+ type: string
+ required:
+ - type
+ - field
+ - entries
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny'
+ - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists'
+ Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator:
+ enum:
+ - excluded
+ - included
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListItemHumanId:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ Security_Endpoint_Exceptions_API_ExceptionListItemId:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ Security_Endpoint_Exceptions_API_ExceptionListItemMeta:
+ additionalProperties: true
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListItemName:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType'
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListItemTags:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListItemType:
+ enum:
+ - simple
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListMeta:
+ additionalProperties: true
+ type: object
+ Security_Endpoint_Exceptions_API_ExceptionListName:
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListOsType:
+ enum:
+ - linux
+ - macos
+ - windows
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType'
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListTags:
+ items:
+ type: string
+ type: array
+ Security_Endpoint_Exceptions_API_ExceptionListType:
+ enum:
+ - detection
+ - rule_default
+ - endpoint
+ - endpoint_trusted_apps
+ - endpoint_events
+ - endpoint_host_isolation_exceptions
+ - endpoint_blocklists
+ type: string
+ Security_Endpoint_Exceptions_API_ExceptionListVersion:
+ minimum: 1
+ type: integer
+ Security_Endpoint_Exceptions_API_ExceptionNamespaceType:
+ description: |
+ Determines whether the exception container is available in all Kibana spaces or just the space
+ in which it is created, where:
+
+ - `single`: Only available in the Kibana space in which it is created.
+ - `agnostic`: Available in all Kibana spaces.
+ enum:
+ - agnostic
+ - single
+ type: string
+ Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ Security_Endpoint_Exceptions_API_ListId:
+ $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString'
+ Security_Endpoint_Exceptions_API_ListType:
+ enum:
+ - binary
+ - boolean
+ - byte
+ - date
+ - date_nanos
+ - date_range
+ - double
+ - double_range
+ - float
+ - float_range
+ - geo_point
+ - geo_shape
+ - half_float
+ - integer
+ - integer_range
+ - ip
+ - ip_range
+ - keyword
+ - long
+ - long_range
+ - shape
+ - short
+ - text
+ type: string
+ Security_Endpoint_Exceptions_API_NonEmptyString:
+ description: A string that is not empty and does not contain only whitespace
+ minLength: 1
+ pattern: ^(?! *$).+$
+ type: string
+ Security_Endpoint_Exceptions_API_PlatformErrorResponse:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: integer
+ required:
+ - statusCode
+ - error
+ - message
+ Security_Endpoint_Exceptions_API_SiemErrorResponse:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - status_code
+ - message
+ Security_Endpoint_Management_API_ActionStateSuccessResponse:
+ type: object
+ properties:
+ body:
+ type: object
+ properties:
+ data:
+ type: object
+ properties:
+ canEncrypt:
+ type: boolean
+ required:
+ - data
+ required:
+ - body
+ Security_Endpoint_Management_API_ActionStatusSuccessResponse:
+ type: object
+ properties:
+ body:
+ type: object
+ properties:
+ data:
+ type: object
+ properties:
+ agent_id:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId'
+ pending_actions:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema'
+ required:
+ - agent_id
+ - pending_actions
+ required:
+ - data
+ required:
+ - body
+ Security_Endpoint_Management_API_AgentId:
+ description: Agent ID
+ type: string
+ Security_Endpoint_Management_API_AgentIds:
+ minLength: 1
+ oneOf:
+ - items:
+ minLength: 1
+ type: string
+ maxItems: 50
+ minItems: 1
+ type: array
+ - minLength: 1
+ type: string
+ Security_Endpoint_Management_API_AgentTypes:
+ enum:
+ - endpoint
+ - sentinel_one
+ - crowdstrike
+ type: string
+ Security_Endpoint_Management_API_AlertIds:
+ description: A list of alerts ids.
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_NonEmptyString'
+ minItems: 1
+ type: array
+ Security_Endpoint_Management_API_CaseIds:
+ description: Case IDs to be updated (cannot contain empty strings)
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ Security_Endpoint_Management_API_Command:
+ description: The command to be executed (cannot be an empty string)
+ enum:
+ - isolate
+ - unisolate
+ - kill-process
+ - suspend-process
+ - running-processes
+ - get-file
+ - execute
+ - upload
+ - scan
+ minLength: 1
+ type: string
+ Security_Endpoint_Management_API_Commands:
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
+ type: array
+ Security_Endpoint_Management_API_Comment:
+ description: Optional comment
+ type: string
+ Security_Endpoint_Management_API_EndDate:
+ description: End date
+ type: string
+ Security_Endpoint_Management_API_EndpointIds:
+ description: List of endpoint IDs (cannot contain empty strings)
+ items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ Security_Endpoint_Management_API_EntityId:
+ type: object
+ properties:
+ entity_id:
+ minLength: 1
+ type: string
+ Security_Endpoint_Management_API_ExecuteRouteRequestBody:
+ allOf:
+ - type: object
+ properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ case_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ - type: object
+ properties:
+ parameters:
+ type: object
+ properties:
+ command:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
+ timeout:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Timeout'
+ required:
+ - command
+ required:
+ - parameters
+ Security_Endpoint_Management_API_GetEndpointActionListRouteQuery:
+ type: object
+ properties:
+ agentIds:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
+ agentTypes:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ commands:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands'
+ endDate:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate'
+ page:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
+ pageSize:
+ default: 10
+ description: Number of items per page
+ maximum: 10000
+ minimum: 1
+ type: integer
+ startDate:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate'
+ types:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Types'
+ userIds:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds'
+ withOutputs:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs'
+ Security_Endpoint_Management_API_GetFileRouteRequestBody:
+ allOf:
+ - type: object
+ properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ case_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ - type: object
+ properties:
+ parameters:
+ type: object
+ properties:
+ path:
+ type: string
+ required:
+ - path
+ required:
+ - parameters
+ Security_Endpoint_Management_API_GetProcessesRouteRequestBody:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema'
+ Security_Endpoint_Management_API_IsolateRouteRequestBody:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema'
+ Security_Endpoint_Management_API_KillProcessRouteRequestBody:
+ allOf:
+ - type: object
+ properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ case_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ - type: object
+ properties:
+ parameters:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId'
+ - type: object
+ properties:
+ process_name:
+ description: Valid for SentinelOne agent type only
+ minLength: 1
+ type: string
+ required:
+ - parameters
+ Security_Endpoint_Management_API_ListRequestQuery:
+ type: object
+ properties:
+ hostStatuses:
+ items:
+ enum:
+ - healthy
+ - offline
+ - updating
+ - inactive
+ - unenrolled
+ type: string
+ type: array
+ kuery:
+ nullable: true
+ type: string
+ page:
+ default: 0
+ description: Page number
+ minimum: 0
+ type: integer
+ pageSize:
+ default: 10
+ description: Number of items per page
+ maximum: 10000
+ minimum: 1
+ type: integer
+ sortDirection:
+ enum:
+ - asc
+ - desc
+ nullable: true
+ type: string
+ sortField:
+ enum:
+ - enrolled_at
+ - metadata.host.hostname
+ - host_status
+ - metadata.Endpoint.policy.applied.name
+ - metadata.Endpoint.policy.applied.status
+ - metadata.host.os.name
+ - metadata.host.ip
+ - metadata.agent.version
+ - last_checkin
+ type: string
+ required:
+ - hostStatuses
+ Security_Endpoint_Management_API_NonEmptyString:
+ description: A string that is not empty and does not contain only whitespace
+ minLength: 1
+ pattern: ^(?! *$).+$
+ type: string
+ Security_Endpoint_Management_API_NoParametersRequestSchema:
+ type: object
+ properties:
+ body:
+ type: object
+ properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ case_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ required:
+ - body
+ Security_Endpoint_Management_API_Page:
+ default: 1
+ description: Page number
+ minimum: 1
+ type: integer
+ Security_Endpoint_Management_API_Parameters:
+ description: Optional parameters object
+ type: object
+ Security_Endpoint_Management_API_PendingActionDataType:
+ type: integer
+ Security_Endpoint_Management_API_PendingActionsSchema:
+ oneOf:
+ - type: object
+ properties:
+ execute:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ get-file:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ isolate:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ kill-process:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ running-processes:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ scan:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ suspend-process:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ unisolate:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ upload:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
+ - additionalProperties: true
+ type: object
+ Security_Endpoint_Management_API_Pid:
+ type: object
+ properties:
+ pid:
+ minimum: 1
+ type: integer
+ Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse:
+ type: object
+ properties:
+ note:
+ type: string
+ Security_Endpoint_Management_API_ScanRouteRequestBody:
+ allOf:
+ - type: object
+ properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ case_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ - type: object
+ properties:
+ parameters:
+ type: object
+ properties:
+ path:
+ type: string
+ required:
+ - path
+ required:
+ - parameters
+ Security_Endpoint_Management_API_StartDate:
+ description: Start date
+ type: string
+ Security_Endpoint_Management_API_SuccessResponse:
+ type: object
+ properties: {}
+ Security_Endpoint_Management_API_SuspendProcessRouteRequestBody:
+ allOf:
+ - type: object
+ properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ case_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ - type: object
+ properties:
+ parameters:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid'
+ - $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId'
+ required:
+ - parameters
+ Security_Endpoint_Management_API_Timeout:
+ description: The maximum timeout value in milliseconds (optional)
+ minimum: 1
+ type: integer
+ Security_Endpoint_Management_API_Type:
+ description: Type of response action
+ enum:
+ - automated
+ - manual
+ type: string
+ Security_Endpoint_Management_API_Types:
+ description: List of types of response actions
+ items:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Type'
+ maxLength: 2
+ minLength: 1
+ type: array
+ Security_Endpoint_Management_API_UnisolateRouteRequestBody:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema'
+ Security_Endpoint_Management_API_UploadRouteRequestBody:
+ allOf:
+ - type: object
+ properties:
+ agent_type:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
+ alert_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
+ case_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
+ comment:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
+ endpoint_ids:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
+ parameters:
+ $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
+ required:
+ - endpoint_ids
+ - type: object
+ properties:
+ file:
+ format: binary
+ type: string
+ parameters:
+ type: object
+ properties:
+ overwrite:
+ default: false
+ type: boolean
+ required:
+ - parameters
+ - file
+ Security_Endpoint_Management_API_UserIds:
+ description: User IDs
+ oneOf:
+ - items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ - minLength: 1
+ type: string
+ Security_Endpoint_Management_API_WithOutputs:
+ description: Shows detailed outputs for an action response
+ oneOf:
+ - items:
+ minLength: 1
+ type: string
+ minItems: 1
+ type: array
+ - minLength: 1
+ type: string
+ Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem:
+ type: object
+ properties:
+ index:
+ type: integer
+ message:
+ type: string
+ required:
+ - message
+ - index
+ Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats:
+ type: object
+ properties:
+ failed:
+ type: integer
+ successful:
+ type: integer
+ total:
+ type: integer
+ required:
+ - successful
+ - failed
+ - total
+ Security_Entity_Analytics_API_AssetCriticalityLevel:
+ description: The criticality level of the asset.
+ enum:
+ - low_impact
+ - medium_impact
+ - high_impact
+ - extreme_impact
+ type: string
+ Security_Entity_Analytics_API_AssetCriticalityRecord:
+ allOf:
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord'
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts'
+ - type: object
+ properties:
+ '@timestamp':
+ description: The time the record was created or updated.
+ example: '2017-07-21T17:32:28Z'
+ format: date-time
+ type: string
+ required:
+ - '@timestamp'
+ Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts:
+ type: object
+ properties:
+ asset:
+ type: object
+ properties:
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - asset
+ host:
+ type: object
+ properties:
+ asset:
+ type: object
+ properties:
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - criticality
+ name:
+ type: string
+ required:
+ - name
+ user:
+ type: object
+ properties:
+ asset:
+ type: object
+ properties:
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - criticality
+ name:
+ type: string
+ required:
+ - name
+ required:
+ - asset
+ Security_Entity_Analytics_API_AssetCriticalityRecordIdParts:
+ type: object
+ properties:
+ id_field:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField'
+ description: The field representing the ID.
+ example: host.name
+ id_value:
+ description: The ID value of the asset.
+ type: string
+ required:
+ - id_value
+ - id_field
+ Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse:
+ type: object
+ properties:
+ cleanup_successful:
+ example: false
+ type: boolean
+ errors:
+ items:
+ type: object
+ properties:
+ error:
+ type: string
+ seq:
+ type: integer
+ required:
+ - seq
+ - error
+ type: array
+ required:
+ - cleanup_successful
+ - errors
+ Security_Entity_Analytics_API_CreateAssetCriticalityRecord:
+ allOf:
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts'
+ - type: object
+ properties:
+ criticality_level:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - criticality_level
+ Security_Entity_Analytics_API_EngineComponentResource:
+ enum:
+ - entity_engine
+ - entity_definition
+ - index
+ - component_template
+ - index_template
+ - ingest_pipeline
+ - enrich_policy
+ - task
+ - transform
+ type: string
+ Security_Entity_Analytics_API_EngineComponentStatus:
+ type: object
+ properties:
+ errors:
+ items:
+ type: object
+ properties:
+ message:
+ type: string
+ title:
+ type: string
+ type: array
+ health:
+ enum:
+ - green
+ - yellow
+ - red
+ - unknown
+ type: string
+ id:
+ type: string
+ installed:
+ type: boolean
+ resource:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineComponentResource'
+ required:
+ - id
+ - installed
+ - resource
+ Security_Entity_Analytics_API_EngineDataviewUpdateResult:
+ type: object
+ properties:
+ changes:
+ type: object
+ properties:
+ indexPatterns:
+ items:
+ type: string
+ type: array
+ type:
+ type: string
+ required:
+ - type
+ Security_Entity_Analytics_API_EngineDescriptor:
+ type: object
+ properties:
+ error:
+ type: object
+ fieldHistoryLength:
+ type: integer
+ filter:
+ type: string
+ indexPattern:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern'
+ status:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus'
+ type:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType'
+ required:
+ - type
+ - indexPattern
+ - status
+ - fieldHistoryLength
+ Security_Entity_Analytics_API_EngineStatus:
+ enum:
+ - installing
+ - started
+ - stopped
+ - updating
+ - error
+ type: string
+ Security_Entity_Analytics_API_Entity:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity'
+ - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity'
+ Security_Entity_Analytics_API_EntityRiskLevels:
+ enum:
+ - Unknown
+ - Low
+ - Moderate
+ - High
+ - Critical
+ type: string
+ Security_Entity_Analytics_API_EntityRiskScoreRecord:
+ type: object
+ properties:
+ '@timestamp':
+ description: The time at which the risk score was calculated.
+ example: '2017-07-21T17:32:28Z'
+ format: date-time
+ type: string
+ calculated_level:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels'
+ description: Lexical description of the entity's risk.
+ example: Critical
+ calculated_score:
+ description: The raw numeric value of the given entity's risk score.
+ format: double
+ type: number
+ calculated_score_norm:
+ description: The normalized numeric value of the given entity's risk score. Useful for comparing with other entities.
+ format: double
+ maximum: 100
+ minimum: 0
+ type: number
+ category_1_count:
+ description: The number of risk input documents that contributed to the Category 1 score (`category_1_score`).
+ format: integer
+ type: number
+ category_1_score:
+ description: The contribution of Category 1 to the overall risk score (`calculated_score`). Category 1 contains Detection Engine Alerts.
+ format: double
+ type: number
+ category_2_count:
+ format: integer
+ type: number
+ category_2_score:
+ format: double
+ type: number
+ criticality_level:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ criticality_modifier:
+ format: double
+ type: number
+ id_field:
+ description: The identifier field defining this risk score. Coupled with `id_value`, uniquely identifies the entity being scored.
+ example: host.name
+ type: string
+ id_value:
+ description: The identifier value defining this risk score. Coupled with `id_field`, uniquely identifies the entity being scored.
+ example: example.host
+ type: string
+ inputs:
+ description: A list of the highest-risk documents contributing to this risk score. Useful for investigative purposes.
+ items:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput'
+ type: array
+ notes:
+ items:
+ type: string
+ type: array
+ required:
+ - '@timestamp'
+ - id_field
+ - id_value
+ - calculated_level
+ - calculated_score
+ - calculated_score_norm
+ - category_1_score
+ - category_1_count
+ - inputs
+ - notes
+ Security_Entity_Analytics_API_EntityType:
+ enum:
+ - user
+ - host
+ type: string
+ Security_Entity_Analytics_API_HostEntity:
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ type: string
+ asset:
+ type: object
+ properties:
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - criticality
+ entity:
+ type: object
+ properties:
+ name:
+ type: string
+ source:
+ type: string
+ required:
+ - name
+ - source
+ host:
+ type: object
+ properties:
+ architecture:
+ items:
+ type: string
+ type: array
+ domain:
+ items:
+ type: string
+ type: array
+ hostname:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ ip:
+ items:
+ type: string
+ type: array
+ mac:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ risk:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
+ type:
+ items:
+ type: string
+ type: array
+ required:
+ - name
+ required:
+ - '@timestamp'
+ - host
+ - entity
+ Security_Entity_Analytics_API_IdField:
+ enum:
+ - host.name
+ - user.name
+ type: string
+ Security_Entity_Analytics_API_IndexPattern:
+ type: string
+ Security_Entity_Analytics_API_InspectQuery:
+ type: object
+ properties:
+ dsl:
+ items:
+ type: string
+ type: array
+ response:
+ items:
+ type: string
+ type: array
+ required:
+ - dsl
+ - response
+ Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse:
+ type: object
+ properties:
+ full_error:
+ type: string
+ message:
+ type: string
+ required:
+ - message
+ - full_error
+ Security_Entity_Analytics_API_RiskEngineScheduleNowResponse:
+ type: object
+ properties:
+ success:
+ type: boolean
+ Security_Entity_Analytics_API_RiskScoreInput:
+ description: A generic representation of a document contributing to a Risk Score.
+ type: object
+ properties:
+ category:
+ description: The risk category of the risk input document.
+ example: category_1
+ type: string
+ contribution_score:
+ format: double
+ type: number
+ description:
+ description: A human-readable description of the risk input document.
+ example: 'Generated from Detection Engine Rule: Malware Prevention Alert'
+ type: string
+ id:
+ description: The unique identifier (`_id`) of the original source document
+ example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c
+ type: string
+ index:
+ description: The unique index (`_index`) of the original source document
+ example: .internal.alerts-security.alerts-default-000001
+ type: string
+ risk_score:
+ description: The weighted risk score of the risk input document.
+ format: double
+ maximum: 100
+ minimum: 0
+ type: number
+ timestamp:
+ description: The @timestamp of the risk input document.
+ example: '2017-07-21T17:32:28Z'
+ type: string
+ required:
+ - id
+ - index
+ - description
+ - category
+ Security_Entity_Analytics_API_StoreStatus:
+ enum:
+ - not_installed
+ - installing
+ - running
+ - stopped
+ - error
+ type: string
+ Security_Entity_Analytics_API_TaskManagerUnavailableResponse:
+ description: Task manager is unavailable
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ minimum: 400
+ type: integer
+ required:
+ - status_code
+ - message
+ Security_Entity_Analytics_API_UserEntity:
+ type: object
+ properties:
+ '@timestamp':
+ format: date-time
+ type: string
+ asset:
+ type: object
+ properties:
+ criticality:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel'
+ required:
+ - criticality
+ entity:
+ type: object
+ properties:
+ name:
+ type: string
+ source:
+ type: string
+ required:
+ - name
+ - source
+ user:
+ type: object
+ properties:
+ domain:
+ items:
+ type: string
+ type: array
+ email:
+ items:
+ type: string
+ type: array
+ full_name:
+ items:
+ type: string
+ type: array
+ hash:
+ items:
+ type: string
+ type: array
+ id:
+ items:
+ type: string
+ type: array
+ name:
+ type: string
+ risk:
+ $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord'
+ roles:
+ items:
+ type: string
+ type: array
+ required:
+ - name
+ required:
+ - '@timestamp'
+ - user
+ - entity
+ Security_Exceptions_API_CreateExceptionListItemComment:
+ type: object
+ properties:
+ comment:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - comment
+ Security_Exceptions_API_CreateExceptionListItemCommentArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment'
+ type: array
+ Security_Exceptions_API_CreateRuleExceptionListItemComment:
+ type: object
+ properties:
+ comment:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - comment
+ Security_Exceptions_API_CreateRuleExceptionListItemCommentArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment'
+ type: array
+ Security_Exceptions_API_CreateRuleExceptionListItemProps:
+ type: object
+ properties:
+ comments:
+ $ref: '#/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray'
+ default: []
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
+ entries:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
+ expire_time:
+ format: date-time
+ type: string
+ item_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ default: single
+ os_types:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
+ default: []
+ tags:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
+ default: []
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
+ required:
+ - type
+ - name
+ - description
+ - entries
+ Security_Exceptions_API_ExceptionList:
+ type: object
+ properties:
+ _version:
+ type: string
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListDescription'
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
+ immutable:
+ type: boolean
+ list_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ os_types:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray'
+ tags:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags'
+ tie_breaker_id:
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType'
+ updated_at:
+ format: date-time
+ type: string
+ updated_by:
+ type: string
+ version:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion'
+ required:
+ - id
+ - list_id
+ - type
+ - name
+ - description
+ - immutable
+ - namespace_type
+ - version
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ Security_Exceptions_API_ExceptionListDescription:
+ type: string
+ Security_Exceptions_API_ExceptionListHumanId:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ description: Human readable string identifier, e.g. `trusted-linux-processes`
+ Security_Exceptions_API_ExceptionListId:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ Security_Exceptions_API_ExceptionListItem:
+ type: object
+ properties:
+ _version:
+ type: string
+ comments:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray'
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemDescription'
+ entries:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray'
+ expire_time:
+ format: date-time
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId'
+ item_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ list_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ meta:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta'
+ name:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName'
+ namespace_type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType'
+ os_types:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray'
+ tags:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags'
+ tie_breaker_id:
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType'
+ updated_at:
+ format: date-time
+ type: string
+ updated_by:
+ type: string
+ required:
+ - id
+ - item_id
+ - list_id
+ - type
+ - name
+ - description
+ - entries
+ - namespace_type
+ - comments
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ Security_Exceptions_API_ExceptionListItemComment:
+ type: object
+ properties:
+ comment:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ updated_at:
+ format: date-time
+ type: string
+ updated_by:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - id
+ - comment
+ - created_at
+ - created_by
+ Security_Exceptions_API_ExceptionListItemCommentArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment'
+ type: array
+ Security_Exceptions_API_ExceptionListItemDescription:
+ type: string
+ Security_Exceptions_API_ExceptionListItemEntry:
+ anyOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard'
+ discriminator:
+ propertyName: type
+ Security_Exceptions_API_ExceptionListItemEntryArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry'
+ type: array
+ Security_Exceptions_API_ExceptionListItemEntryExists:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - exists
+ type: string
+ required:
+ - type
+ - field
+ - operator
+ Security_Exceptions_API_ExceptionListItemEntryList:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ list:
+ type: object
+ properties:
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ListId'
+ type:
+ $ref: '#/components/schemas/Security_Exceptions_API_ListType'
+ required:
+ - id
+ - type
+ operator:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - list
+ type: string
+ required:
+ - type
+ - field
+ - list
+ - operator
+ Security_Exceptions_API_ExceptionListItemEntryMatch:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - match
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - type
+ - field
+ - value
+ - operator
+ Security_Exceptions_API_ExceptionListItemEntryMatchAny:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - match_any
+ type: string
+ value:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ minItems: 1
+ type: array
+ required:
+ - type
+ - field
+ - value
+ - operator
+ Security_Exceptions_API_ExceptionListItemEntryMatchWildcard:
+ type: object
+ properties:
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ operator:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator'
+ type:
+ enum:
+ - wildcard
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - type
+ - field
+ - value
+ - operator
+ Security_Exceptions_API_ExceptionListItemEntryNested:
+ type: object
+ properties:
+ entries:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem'
+ minItems: 1
+ type: array
+ field:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ type:
+ enum:
+ - nested
+ type: string
+ required:
+ - type
+ - field
+ - entries
+ Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny'
+ - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists'
+ Security_Exceptions_API_ExceptionListItemEntryOperator:
+ enum:
+ - excluded
+ - included
+ type: string
+ Security_Exceptions_API_ExceptionListItemHumanId:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ Security_Exceptions_API_ExceptionListItemId:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ Security_Exceptions_API_ExceptionListItemMeta:
+ additionalProperties: true
+ type: object
+ Security_Exceptions_API_ExceptionListItemName:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ Security_Exceptions_API_ExceptionListItemOsTypeArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType'
+ type: array
+ Security_Exceptions_API_ExceptionListItemTags:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ type: array
+ Security_Exceptions_API_ExceptionListItemType:
+ enum:
+ - simple
+ type: string
+ Security_Exceptions_API_ExceptionListMeta:
+ additionalProperties: true
+ type: object
+ Security_Exceptions_API_ExceptionListName:
+ type: string
+ Security_Exceptions_API_ExceptionListOsType:
+ enum:
+ - linux
+ - macos
+ - windows
+ type: string
+ Security_Exceptions_API_ExceptionListOsTypeArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType'
+ type: array
+ Security_Exceptions_API_ExceptionListsImportBulkError:
+ type: object
+ properties:
+ error:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - status_code
+ - message
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId'
+ item_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId'
+ list_id:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId'
+ required:
+ - error
+ Security_Exceptions_API_ExceptionListsImportBulkErrorArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError'
+ type: array
+ Security_Exceptions_API_ExceptionListTags:
+ items:
+ type: string
+ type: array
+ Security_Exceptions_API_ExceptionListType:
+ enum:
+ - detection
+ - rule_default
+ - endpoint
+ - endpoint_trusted_apps
+ - endpoint_events
+ - endpoint_host_isolation_exceptions
+ - endpoint_blocklists
+ type: string
+ Security_Exceptions_API_ExceptionListVersion:
+ minimum: 1
+ type: integer
+ Security_Exceptions_API_ExceptionNamespaceType:
+ description: |
+ Determines whether the exception container is available in all Kibana spaces or just the space
+ in which it is created, where:
+
+ - `single`: Only available in the Kibana space in which it is created.
+ - `agnostic`: Available in all Kibana spaces.
+ enum:
+ - agnostic
+ - single
+ type: string
+ Security_Exceptions_API_FindExceptionListItemsFilter:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ Security_Exceptions_API_FindExceptionListsFilter:
+ type: string
+ Security_Exceptions_API_ListId:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ Security_Exceptions_API_ListType:
+ enum:
+ - binary
+ - boolean
+ - byte
+ - date
+ - date_nanos
+ - date_range
+ - double
+ - double_range
+ - float
+ - float_range
+ - geo_point
+ - geo_shape
+ - half_float
+ - integer
+ - integer_range
+ - ip
+ - ip_range
+ - keyword
+ - long
+ - long_range
+ - shape
+ - short
+ - text
+ type: string
+ Security_Exceptions_API_NonEmptyString:
+ description: A string that is not empty and does not contain only whitespace
+ minLength: 1
+ pattern: ^(?! *$).+$
+ type: string
+ Security_Exceptions_API_PlatformErrorResponse:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: integer
+ required:
+ - statusCode
+ - error
+ - message
+ Security_Exceptions_API_RuleId:
+ $ref: '#/components/schemas/Security_Exceptions_API_UUID'
+ Security_Exceptions_API_SiemErrorResponse:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - status_code
+ - message
+ Security_Exceptions_API_UpdateExceptionListItemComment:
+ type: object
+ properties:
+ comment:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ id:
+ $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString'
+ required:
+ - comment
+ Security_Exceptions_API_UpdateExceptionListItemCommentArray:
+ items:
+ $ref: '#/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment'
+ type: array
+ Security_Exceptions_API_UUID:
+ description: A universally unique identifier
+ format: uuid
+ type: string
+ Security_Lists_API_FindListItemsCursor:
+ $ref: '#/components/schemas/Security_Lists_API_NonEmptyString'
+ Security_Lists_API_FindListItemsFilter:
+ type: string
+ Security_Lists_API_FindListsCursor:
+ $ref: '#/components/schemas/Security_Lists_API_NonEmptyString'
+ Security_Lists_API_FindListsFilter:
+ type: string
+ Security_Lists_API_List:
+ type: object
+ properties:
+ _version:
+ type: string
+ '@timestamp':
+ format: date-time
+ type: string
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ type: string
+ description:
+ $ref: '#/components/schemas/Security_Lists_API_ListDescription'
+ deserializer:
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ immutable:
+ type: boolean
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListMetadata'
+ name:
+ $ref: '#/components/schemas/Security_Lists_API_ListName'
+ serializer:
+ type: string
+ tie_breaker_id:
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Lists_API_ListType'
+ updated_at:
+ format: date-time
+ type: string
+ updated_by:
+ type: string
+ version:
+ minimum: 1
+ type: integer
+ required:
+ - id
+ - type
+ - name
+ - description
+ - immutable
+ - version
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ Security_Lists_API_ListDescription:
+ $ref: '#/components/schemas/Security_Lists_API_NonEmptyString'
+ Security_Lists_API_ListId:
+ $ref: '#/components/schemas/Security_Lists_API_NonEmptyString'
+ Security_Lists_API_ListItem:
+ type: object
+ properties:
+ _version:
+ type: string
+ '@timestamp':
+ format: date-time
+ type: string
+ created_at:
+ format: date-time
+ type: string
+ created_by:
+ type: string
+ deserializer:
+ type: string
+ id:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemId'
+ list_id:
+ $ref: '#/components/schemas/Security_Lists_API_ListId'
+ meta:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata'
+ serializer:
+ type: string
+ tie_breaker_id:
+ type: string
+ type:
+ $ref: '#/components/schemas/Security_Lists_API_ListType'
+ updated_at:
+ format: date-time
+ type: string
+ updated_by:
+ type: string
+ value:
+ $ref: '#/components/schemas/Security_Lists_API_ListItemValue'
+ required:
+ - id
+ - type
+ - list_id
+ - value
+ - tie_breaker_id
+ - created_at
+ - created_by
+ - updated_at
+ - updated_by
+ Security_Lists_API_ListItemId:
+ $ref: '#/components/schemas/Security_Lists_API_NonEmptyString'
+ Security_Lists_API_ListItemMetadata:
+ additionalProperties: true
+ type: object
+ Security_Lists_API_ListItemPrivileges:
+ type: object
+ properties:
+ application:
+ additionalProperties:
+ type: boolean
+ type: object
+ cluster:
+ additionalProperties:
+ type: boolean
+ type: object
+ has_all_requested:
+ type: boolean
+ index:
+ additionalProperties:
+ additionalProperties:
+ type: boolean
+ type: object
+ type: object
+ username:
+ type: string
+ required:
+ - username
+ - has_all_requested
+ - cluster
+ - index
+ - application
+ Security_Lists_API_ListItemValue:
+ $ref: '#/components/schemas/Security_Lists_API_NonEmptyString'
+ Security_Lists_API_ListMetadata:
+ additionalProperties: true
+ type: object
+ Security_Lists_API_ListName:
+ $ref: '#/components/schemas/Security_Lists_API_NonEmptyString'
+ Security_Lists_API_ListPrivileges:
+ type: object
+ properties:
+ application:
+ additionalProperties:
+ type: boolean
+ type: object
+ cluster:
+ additionalProperties:
+ type: boolean
+ type: object
+ has_all_requested:
+ type: boolean
+ index:
+ additionalProperties:
+ additionalProperties:
+ type: boolean
+ type: object
+ type: object
+ username:
+ type: string
+ required:
+ - username
+ - has_all_requested
+ - cluster
+ - index
+ - application
+ Security_Lists_API_ListType:
+ enum:
+ - binary
+ - boolean
+ - byte
+ - date
+ - date_nanos
+ - date_range
+ - double
+ - double_range
+ - float
+ - float_range
+ - geo_point
+ - geo_shape
+ - half_float
+ - integer
+ - integer_range
+ - ip
+ - ip_range
+ - keyword
+ - long
+ - long_range
+ - shape
+ - short
+ - text
+ type: string
+ Security_Lists_API_NonEmptyString:
+ description: A string that is not empty and does not contain only whitespace
+ minLength: 1
+ pattern: ^(?! *$).+$
+ type: string
+ Security_Lists_API_PlatformErrorResponse:
+ type: object
+ properties:
+ error:
+ type: string
+ message:
+ type: string
+ statusCode:
+ type: integer
+ required:
+ - statusCode
+ - error
+ - message
+ Security_Lists_API_SiemErrorResponse:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ type: integer
+ required:
+ - status_code
+ - message
+ Security_Osquery_API_ArrayQueries:
+ items:
+ $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem'
+ type: array
+ Security_Osquery_API_ArrayQueriesItem:
+ type: object
+ properties:
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
+ id:
+ $ref: '#/components/schemas/Security_Osquery_API_Id'
+ platform:
+ $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
+ query:
+ $ref: '#/components/schemas/Security_Osquery_API_Query'
+ removed:
+ $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined'
+ snapshot:
+ $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
+ version:
+ $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
+ Security_Osquery_API_CreateLiveQueryRequestBody:
+ type: object
+ properties:
+ agent_all:
+ type: boolean
+ agent_ids:
+ items:
+ type: string
+ type: array
+ agent_platforms:
+ items:
+ type: string
+ type: array
+ agent_policy_ids:
+ items:
+ type: string
+ type: array
+ alert_ids:
+ items:
+ type: string
+ type: array
+ case_ids:
+ items:
+ type: string
+ type: array
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
+ event_ids:
+ items:
+ type: string
+ type: array
+ metadata:
+ nullable: true
+ type: object
+ pack_id:
+ $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined'
+ queries:
+ $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries'
+ query:
+ $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
+ saved_query_id:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined'
+ Security_Osquery_API_CreatePacksRequestBody:
+ type: object
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
+ enabled:
+ $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
+ name:
+ $ref: '#/components/schemas/Security_Osquery_API_PackName'
+ policy_ids:
+ $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined'
+ queries:
+ $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
+ shards:
+ $ref: '#/components/schemas/Security_Osquery_API_Shards'
+ Security_Osquery_API_CreateSavedQueryRequestBody:
+ type: object
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
+ id:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ interval:
+ $ref: '#/components/schemas/Security_Osquery_API_Interval'
+ platform:
+ $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
+ query:
+ $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
+ removed:
+ $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined'
+ snapshot:
+ $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
+ version:
+ $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
+ Security_Osquery_API_DefaultSuccessResponse:
+ type: object
+ properties: {}
+ Security_Osquery_API_Description:
+ type: string
+ Security_Osquery_API_DescriptionOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Description'
+ nullable: true
+ Security_Osquery_API_ECSMapping:
+ additionalProperties:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem'
+ type: object
+ Security_Osquery_API_ECSMappingItem:
+ type: object
+ properties:
+ field:
+ type: string
+ value:
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ Security_Osquery_API_ECSMappingOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMapping'
+ nullable: true
+ Security_Osquery_API_Enabled:
+ type: boolean
+ Security_Osquery_API_EnabledOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Enabled'
+ nullable: true
+ Security_Osquery_API_FindLiveQueryRequestQuery:
+ type: object
+ properties:
+ kuery:
+ $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
+ page:
+ $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
+ pageSize:
+ $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
+ sort:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
+ sortOrder:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
+ Security_Osquery_API_FindPacksRequestQuery:
+ type: object
+ properties:
+ page:
+ $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
+ pageSize:
+ $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
+ sort:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
+ sortOrder:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
+ Security_Osquery_API_FindSavedQueryRequestQuery:
+ type: object
+ properties:
+ page:
+ $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
+ pageSize:
+ $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
+ sort:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
+ sortOrder:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
+ Security_Osquery_API_GetLiveQueryResultsRequestQuery:
+ type: object
+ properties:
+ kuery:
+ $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined'
+ page:
+ $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined'
+ pageSize:
+ $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined'
+ sort:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined'
+ sortOrder:
+ $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined'
+ Security_Osquery_API_Id:
+ type: string
+ Security_Osquery_API_Interval:
+ type: string
+ Security_Osquery_API_IntervalOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Interval'
+ nullable: true
+ Security_Osquery_API_KueryOrUndefined:
+ nullable: true
+ type: string
+ Security_Osquery_API_ObjectQueries:
+ additionalProperties:
+ $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem'
+ type: object
+ Security_Osquery_API_ObjectQueriesItem:
+ type: object
+ properties:
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
+ id:
+ $ref: '#/components/schemas/Security_Osquery_API_Id'
+ platform:
+ $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined'
+ query:
+ $ref: '#/components/schemas/Security_Osquery_API_Query'
+ removed:
+ $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined'
+ saved_query_id:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined'
+ snapshot:
+ $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
+ version:
+ $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
+ Security_Osquery_API_PackId:
+ type: string
+ Security_Osquery_API_PackIdOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_PackId'
+ nullable: true
+ Security_Osquery_API_PackName:
+ type: string
+ Security_Osquery_API_PageOrUndefined:
+ nullable: true
+ type: integer
+ Security_Osquery_API_PageSizeOrUndefined:
+ nullable: true
+ type: integer
+ Security_Osquery_API_Platform:
+ type: string
+ Security_Osquery_API_PlatformOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Platform'
+ nullable: true
+ Security_Osquery_API_PolicyIds:
+ items:
+ type: string
+ type: array
+ Security_Osquery_API_PolicyIdsOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_PolicyIds'
+ nullable: true
+ Security_Osquery_API_Query:
+ type: string
+ Security_Osquery_API_QueryOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Query'
+ nullable: true
+ Security_Osquery_API_Removed:
+ type: boolean
+ Security_Osquery_API_RemovedOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Removed'
+ nullable: true
+ Security_Osquery_API_SavedQueryId:
+ type: string
+ Security_Osquery_API_SavedQueryIdOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ nullable: true
+ Security_Osquery_API_Shards:
+ additionalProperties:
+ type: number
+ type: object
+ Security_Osquery_API_Snapshot:
+ type: boolean
+ Security_Osquery_API_SnapshotOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Snapshot'
+ nullable: true
+ Security_Osquery_API_SortOrderOrUndefined:
+ oneOf:
+ - nullable: true
+ type: string
+ - enum:
+ - asc
+ - desc
+ Security_Osquery_API_SortOrUndefined:
+ nullable: true
+ type: string
+ Security_Osquery_API_UpdatePacksRequestBody:
+ type: object
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
+ enabled:
+ $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined'
+ id:
+ $ref: '#/components/schemas/Security_Osquery_API_PackId'
+ policy_ids:
+ $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined'
+ queries:
+ $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries'
+ shards:
+ $ref: '#/components/schemas/Security_Osquery_API_Shards'
+ Security_Osquery_API_UpdateSavedQueryRequestBody:
+ type: object
+ properties:
+ description:
+ $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
+ ecs_mapping:
+ $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined'
+ id:
+ $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId'
+ interval:
+ $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined'
+ platform:
+ $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined'
+ query:
+ $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined'
+ removed:
+ $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined'
+ snapshot:
+ $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined'
+ version:
+ $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined'
+ Security_Osquery_API_Version:
+ type: string
+ Security_Osquery_API_VersionOrUndefined:
+ $ref: '#/components/schemas/Security_Osquery_API_Version'
+ nullable: true
+ Security_Timeline_API_AssociatedFilterType:
+ description: Filter notes based on their association with a document or saved object.
+ enum:
+ - all
+ - document_only
+ - saved_object_only
+ - document_and_saved_object
+ - orphan
+ type: string
+ Security_Timeline_API_BareNote:
+ type: object
+ properties:
+ created:
+ nullable: true
+ type: number
+ createdBy:
+ nullable: true
+ type: string
+ eventId:
+ nullable: true
+ type: string
+ note:
+ nullable: true
+ type: string
+ timelineId:
+ type: string
+ updated:
+ nullable: true
+ type: number
+ updatedBy:
+ nullable: true
+ type: string
+ required:
+ - timelineId
+ Security_Timeline_API_BarePinnedEvent:
+ type: object
+ properties:
+ created:
+ nullable: true
+ type: number
+ createdBy:
+ nullable: true
+ type: string
+ eventId:
+ type: string
+ timelineId:
+ type: string
+ updated:
+ nullable: true
+ type: number
+ updatedBy:
+ nullable: true
+ type: string
+ required:
+ - eventId
+ - timelineId
+ Security_Timeline_API_ColumnHeaderResult:
+ type: object
+ properties:
+ aggregatable:
+ nullable: true
+ type: boolean
+ category:
+ nullable: true
+ type: string
+ columnHeaderType:
+ nullable: true
+ type: string
+ description:
+ nullable: true
+ type: string
+ example:
+ nullable: true
+ type: string
+ id:
+ nullable: true
+ type: string
+ indexes:
+ items:
+ type: string
+ nullable: true
+ type: array
+ name:
+ nullable: true
+ type: string
+ placeholder:
+ nullable: true
+ type: string
+ searchable:
+ nullable: true
+ type: boolean
+ type:
+ nullable: true
+ type: string
+ Security_Timeline_API_DataProviderQueryMatch:
+ type: object
+ properties:
+ enabled:
+ nullable: true
+ type: boolean
+ excluded:
+ nullable: true
+ type: boolean
+ id:
+ nullable: true
+ type: string
+ kqlQuery:
+ nullable: true
+ type: string
+ name:
+ nullable: true
+ type: string
+ queryMatch:
+ $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult'
+ nullable: true
+ type:
+ $ref: '#/components/schemas/Security_Timeline_API_DataProviderType'
+ nullable: true
+ Security_Timeline_API_DataProviderResult:
+ type: object
+ properties:
+ and:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch'
+ nullable: true
+ type: array
+ enabled:
+ nullable: true
+ type: boolean
+ excluded:
+ nullable: true
+ type: boolean
+ id:
+ nullable: true
+ type: string
+ kqlQuery:
+ nullable: true
+ type: string
+ name:
+ nullable: true
+ type: string
+ queryMatch:
+ $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult'
+ nullable: true
+ type:
+ $ref: '#/components/schemas/Security_Timeline_API_DataProviderType'
+ nullable: true
+ Security_Timeline_API_DataProviderType:
+ description: The type of data provider to create. Valid values are `default` and `template`.
+ enum:
+ - default
+ - template
+ type: string
+ Security_Timeline_API_DocumentIds:
+ oneOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ Security_Timeline_API_FavoriteTimelineResponse:
+ type: object
+ properties:
+ favorite:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult'
+ type: array
+ savedObjectId:
+ type: string
+ templateTimelineId:
+ nullable: true
+ type: string
+ templateTimelineVersion:
+ nullable: true
+ type: number
+ timelineType:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ version:
+ type: string
+ required:
+ - savedObjectId
+ - version
+ Security_Timeline_API_FavoriteTimelineResult:
+ type: object
+ properties:
+ favoriteDate:
+ nullable: true
+ type: number
+ fullName:
+ nullable: true
+ type: string
+ userName:
+ nullable: true
+ type: string
+ Security_Timeline_API_FilterTimelineResult:
+ type: object
+ properties:
+ exists:
+ nullable: true
+ type: string
+ match_all:
+ nullable: true
+ type: string
+ meta:
+ nullable: true
+ type: object
+ properties:
+ alias:
+ nullable: true
+ type: string
+ controlledBy:
+ nullable: true
+ type: string
+ disabled:
+ nullable: true
+ type: boolean
+ field:
+ nullable: true
+ type: string
+ formattedValue:
+ nullable: true
+ type: string
+ index:
+ nullable: true
+ type: string
+ key:
+ nullable: true
+ type: string
+ negate:
+ nullable: true
+ type: boolean
+ params:
+ nullable: true
+ type: string
+ type:
+ nullable: true
+ type: string
+ value:
+ nullable: true
+ type: string
+ missing:
+ nullable: true
+ type: string
+ query:
+ nullable: true
+ type: string
+ range:
+ nullable: true
+ type: string
+ script:
+ nullable: true
+ type: string
+ Security_Timeline_API_GetNotesResult:
+ type: object
+ properties:
+ notes:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ type: array
+ totalCount:
+ type: number
+ required:
+ - totalCount
+ - notes
+ Security_Timeline_API_ImportTimelineResult:
+ type: object
+ properties:
+ errors:
+ items:
+ type: object
+ properties:
+ error:
+ type: object
+ properties:
+ message:
+ type: string
+ status_code:
+ type: number
+ id:
+ type: string
+ type: array
+ success:
+ type: boolean
+ success_count:
+ type: number
+ timelines_installed:
+ type: number
+ timelines_updated:
+ type: number
+ Security_Timeline_API_ImportTimelines:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ - type: object
+ properties:
+ eventNotes:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_BareNote'
+ nullable: true
+ type: array
+ globalNotes:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_BareNote'
+ nullable: true
+ type: array
+ pinnedEventIds:
+ items:
+ type: string
+ nullable: true
+ type: array
+ savedObjectId:
+ nullable: true
+ type: string
+ version:
+ nullable: true
+ type: string
+ required:
+ - savedObjectId
+ - version
+ - pinnedEventIds
+ - eventNotes
+ - globalNotes
+ Security_Timeline_API_Note:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_BareNote'
+ - type: object
+ properties:
+ noteId:
+ type: string
+ version:
+ type: string
+ required:
+ - noteId
+ - version
+ Security_Timeline_API_PersistPinnedEventResponse:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
+ - type: object
+ properties:
+ unpinned:
+ type: boolean
+ required:
+ - unpinned
+ Security_Timeline_API_PersistTimelineResponse:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse'
+ Security_Timeline_API_PinnedEvent:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent'
+ - type: object
+ properties:
+ pinnedEventId:
+ type: string
+ version:
+ type: string
+ required:
+ - pinnedEventId
+ - version
+ Security_Timeline_API_QueryMatchResult:
+ type: object
+ properties:
+ displayField:
+ nullable: true
+ type: string
+ displayValue:
+ nullable: true
+ type: string
+ field:
+ nullable: true
+ type: string
+ operator:
+ nullable: true
+ type: string
+ value:
+ oneOf:
+ - nullable: true
+ type: string
+ - items:
+ type: string
+ nullable: true
+ type: array
+ Security_Timeline_API_ResolvedTimeline:
+ type: object
+ properties:
+ alias_purpose:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose'
+ alias_target_id:
+ type: string
+ outcome:
+ $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome'
+ timeline:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject'
+ required:
+ - timeline
+ - outcome
+ Security_Timeline_API_ResponseNote:
+ type: object
+ properties:
+ note:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ required:
+ - note
+ Security_Timeline_API_RowRendererId:
+ enum:
+ - alert
+ - alerts
+ - auditd
+ - auditd_file
+ - library
+ - netflow
+ - plain
+ - registry
+ - suricata
+ - system
+ - system_dns
+ - system_endgame_process
+ - system_file
+ - system_fim
+ - system_security_event
+ - system_socket
+ - threat_match
+ - zeek
+ type: string
+ Security_Timeline_API_SavedObjectIds:
+ oneOf:
+ - items:
+ type: string
+ type: array
+ - type: string
+ Security_Timeline_API_SavedObjectResolveAliasPurpose:
+ enum:
+ - savedObjectConversion
+ - savedObjectImport
+ type: string
+ Security_Timeline_API_SavedObjectResolveOutcome:
+ enum:
+ - exactMatch
+ - aliasMatch
+ - conflict
+ type: string
+ Security_Timeline_API_SavedTimeline:
+ type: object
+ properties:
+ columns:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult'
+ nullable: true
+ type: array
+ created:
+ nullable: true
+ type: number
+ createdBy:
+ nullable: true
+ type: string
+ dataProviders:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult'
+ nullable: true
+ type: array
+ dataViewId:
+ nullable: true
+ type: string
+ dateRange:
+ nullable: true
+ type: object
+ properties:
+ end:
+ oneOf:
+ - nullable: true
+ type: string
+ - nullable: true
+ type: number
+ start:
+ oneOf:
+ - nullable: true
+ type: string
+ - nullable: true
+ type: number
+ description:
+ nullable: true
+ type: string
+ eqlOptions:
+ nullable: true
+ type: object
+ properties:
+ eventCategoryField:
+ nullable: true
+ type: string
+ query:
+ nullable: true
+ type: string
+ size:
+ oneOf:
+ - nullable: true
+ type: string
+ - nullable: true
+ type: number
+ tiebreakerField:
+ nullable: true
+ type: string
+ timestampField:
+ nullable: true
+ type: string
+ eventType:
+ nullable: true
+ type: string
+ excludedRowRendererIds:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_RowRendererId'
+ nullable: true
+ type: array
+ favorite:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult'
+ nullable: true
+ type: array
+ filters:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult'
+ nullable: true
+ type: array
+ indexNames:
+ items:
+ type: string
+ nullable: true
+ type: array
+ kqlMode:
+ nullable: true
+ type: string
+ kqlQuery:
+ $ref: '#/components/schemas/Security_Timeline_API_SerializedFilterQueryResult'
+ nullable: true
+ savedQueryId:
+ nullable: true
+ type: string
+ savedSearchId:
+ nullable: true
+ type: string
+ sort:
+ $ref: '#/components/schemas/Security_Timeline_API_Sort'
+ nullable: true
+ status:
+ enum:
+ - active
+ - draft
+ - immutable
+ nullable: true
+ type: string
+ templateTimelineId:
+ nullable: true
+ type: string
+ templateTimelineVersion:
+ nullable: true
+ type: number
+ timelineType:
+ $ref: '#/components/schemas/Security_Timeline_API_TimelineType'
+ nullable: true
+ title:
+ nullable: true
+ type: string
+ updated:
+ nullable: true
+ type: number
+ updatedBy:
+ nullable: true
+ type: string
+ Security_Timeline_API_SavedTimelineWithSavedObjectId:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ - type: object
+ properties:
+ savedObjectId:
+ type: string
+ version:
+ type: string
+ required:
+ - savedObjectId
+ - version
+ Security_Timeline_API_SerializedFilterQueryResult:
+ type: object
+ properties:
+ filterQuery:
+ nullable: true
+ type: object
+ properties:
+ kuery:
+ nullable: true
+ type: object
+ properties:
+ expression:
+ nullable: true
+ type: string
+ kind:
+ nullable: true
+ type: string
+ serializedQuery:
+ nullable: true
+ type: string
+ Security_Timeline_API_Sort:
+ oneOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_SortObject'
+ - items:
+ $ref: '#/components/schemas/Security_Timeline_API_SortObject'
+ type: array
+ Security_Timeline_API_SortFieldTimeline:
+ description: The field to sort the timelines by.
+ enum:
+ - title
+ - description
+ - updated
+ - created
+ type: string
+ Security_Timeline_API_SortObject:
+ type: object
+ properties:
+ columnId:
+ nullable: true
+ type: string
+ columnType:
+ nullable: true
+ type: string
+ sortDirection:
+ nullable: true
+ type: string
+ Security_Timeline_API_TimelineResponse:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ - $ref: '#/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId'
+ - type: object
+ properties:
+ eventIdToNoteIds:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ nullable: true
+ type: array
+ noteIds:
+ items:
+ type: string
+ nullable: true
+ type: array
+ notes:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ nullable: true
+ type: array
+ pinnedEventIds:
+ items:
+ type: string
+ nullable: true
+ type: array
+ pinnedEventsSaveObject:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
+ nullable: true
+ type: array
+ Security_Timeline_API_TimelineSavedToReturnObject:
+ allOf:
+ - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline'
+ - type: object
+ properties:
+ eventIdToNoteIds:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ nullable: true
+ type: array
+ noteIds:
+ items:
+ type: string
+ nullable: true
+ type: array
+ notes:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_Note'
+ nullable: true
+ type: array
+ pinnedEventIds:
+ items:
+ type: string
+ nullable: true
+ type: array
+ pinnedEventsSaveObject:
+ items:
+ $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent'
+ nullable: true
+ type: array
+ savedObjectId:
+ type: string
+ version:
+ type: string
+ required:
+ - savedObjectId
+ - version
+ Security_Timeline_API_TimelineStatus:
+ description: The status of the timeline. Valid values are `active`, `draft`, and `immutable`.
+ enum:
+ - active
+ - draft
+ - immutable
+ type: string
+ Security_Timeline_API_TimelineType:
+ description: The type of timeline to create. Valid values are `default` and `template`.
+ enum:
+ - default
+ - template
+ type: string
+ Serverless_saved_objects_400_response:
+ title: Bad request
+ type: object
+ properties:
+ error:
+ enum:
+ - Bad Request
+ type: string
+ message:
+ type: string
+ statusCode:
+ enum:
+ - 400
+ type: integer
+ required:
+ - error
+ - message
+ - statusCode
+ SLOs_400_response:
+ title: Bad request
+ type: object
+ properties:
+ error:
+ example: Bad Request
+ type: string
+ message:
+ example: 'Invalid value ''foo'' supplied to: [...]'
+ type: string
+ statusCode:
+ example: 400
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ SLOs_401_response:
+ title: Unauthorized
+ type: object
+ properties:
+ error:
+ example: Unauthorized
+ type: string
+ message:
+ example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]"
+ type: string
+ statusCode:
+ example: 401
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ SLOs_403_response:
+ title: Unauthorized
+ type: object
+ properties:
+ error:
+ example: Unauthorized
+ type: string
+ message:
+ example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]"
+ type: string
+ statusCode:
+ example: 403
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ SLOs_404_response:
+ title: Not found
+ type: object
+ properties:
+ error:
+ example: Not Found
+ type: string
+ message:
+ example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found
+ type: string
+ statusCode:
+ example: 404
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ SLOs_409_response:
+ title: Conflict
+ type: object
+ properties:
+ error:
+ example: Conflict
+ type: string
+ message:
+ example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists
+ type: string
+ statusCode:
+ example: 409
+ type: number
+ required:
+ - statusCode
+ - error
+ - message
+ SLOs_budgeting_method:
+ description: The budgeting method to use when computing the rollup data.
+ enum:
+ - occurrences
+ - timeslices
+ example: occurrences
+ title: Budgeting method
+ type: string
+ SLOs_create_slo_request:
+ description: |
+ The create SLO API request body varies depending on the type of indicator, time window and budgeting method.
+ properties:
+ budgetingMethod:
+ $ref: '#/components/schemas/SLOs_budgeting_method'
+ description:
+ description: A description for the SLO.
+ type: string
+ groupBy:
+ $ref: '#/components/schemas/SLOs_group_by'
+ id:
+ description: A optional and unique identifier for the SLO. Must be between 8 and 36 chars
+ example: my-super-slo-id
+ type: string
+ indicator:
+ oneOf:
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ name:
+ description: A name for the SLO.
+ type: string
+ objective:
+ $ref: '#/components/schemas/SLOs_objective'
+ settings:
+ $ref: '#/components/schemas/SLOs_settings'
+ tags:
+ description: List of tags
+ items:
+ type: string
+ type: array
+ timeWindow:
+ $ref: '#/components/schemas/SLOs_time_window'
+ required:
+ - name
+ - description
+ - indicator
+ - timeWindow
+ - budgetingMethod
+ - objective
+ title: Create SLO request
+ type: object
+ SLOs_create_slo_response:
+ title: Create SLO response
+ type: object
+ properties:
+ id:
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258
+ type: string
+ required:
+ - id
+ SLOs_delete_slo_instances_request:
+ description: |
+ The delete SLO instances request takes a list of SLO id and instance id, then delete the rollup and summary data. This API can be used to remove the staled data of an instance SLO that no longer get updated.
+ properties:
+ list:
+ description: An array of slo id and instance id
+ items:
+ type: object
+ properties:
+ instanceId:
+ description: The SLO instance identifier
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258
+ type: string
+ sloId:
+ description: The SLO unique identifier
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258
+ type: string
+ required:
+ - sloId
+ - instanceId
+ type: array
+ required:
+ - list
+ title: Delete SLO instances request
+ type: object
+ SLOs_error_budget:
+ title: Error budget
+ type: object
+ properties:
+ consumed:
+ description: The error budget consummed, as a percentage of the initial value.
+ example: 0.8
+ type: number
+ initial:
+ description: The initial error budget, as 1 - objective
+ example: 0.02
+ type: number
+ isEstimated:
+ description: Only for SLO defined with occurrences budgeting method and calendar aligned time window.
+ example: true
+ type: boolean
+ remaining:
+ description: The error budget remaining, as a percentage of the initial value.
+ example: 0.2
+ type: number
+ required:
+ - initial
+ - consumed
+ - remaining
+ - isEstimated
+ SLOs_filter:
+ description: Defines properties for a filter
+ properties:
+ meta:
+ $ref: '#/components/schemas/SLOs_filter_meta'
+ query:
+ type: object
+ title: Filter
+ type: object
+ SLOs_filter_meta:
+ description: Defines properties for a filter
+ properties:
+ alias:
+ nullable: true
+ type: string
+ controlledBy:
+ type: string
+ disabled:
+ type: boolean
+ field:
+ type: string
+ group:
+ type: string
+ index:
+ type: string
+ isMultiIndex:
+ type: boolean
+ key:
+ type: string
+ negate:
+ type: boolean
+ params:
+ type: object
+ type:
+ type: string
+ value:
+ type: string
+ title: FilterMeta
+ type: object
+ SLOs_find_slo_response:
+ description: |
+ A paginated response of SLOs matching the query.
+ properties:
+ page:
+ example: 1
+ type: number
+ perPage:
+ example: 25
+ type: number
+ results:
+ items:
+ $ref: '#/components/schemas/SLOs_slo_with_summary_response'
+ type: array
+ total:
+ example: 34
+ type: number
+ title: Find SLO response
+ type: object
+ SLOs_group_by:
+ description: optional group by field or fields to use to generate an SLO per distinct value
+ example:
+ - - service.name
+ - service.name
+ - - service.name
+ - service.environment
+ oneOf:
+ - type: string
+ - items:
+ type: string
+ type: array
+ title: Group by
+ SLOs_indicator_properties_apm_availability:
+ description: Defines properties for the APM availability indicator type
+ type: object
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ type: object
+ properties:
+ environment:
+ description: The APM service environment or "*"
+ example: production
+ type: string
+ filter:
+ description: KQL query used for filtering the data
+ example: 'service.foo : "bar"'
+ type: string
+ index:
+ description: The index used by APM metrics
+ example: metrics-apm*,apm*
+ type: string
+ service:
+ description: The APM service name
+ example: o11y-app
+ type: string
+ transactionName:
+ description: The APM transaction name or "*"
+ example: GET /my/api
+ type: string
+ transactionType:
+ description: The APM transaction type or "*"
+ example: request
+ type: string
+ required:
+ - service
+ - environment
+ - transactionType
+ - transactionName
+ - index
+ type:
+ description: The type of indicator.
+ example: sli.apm.transactionDuration
+ type: string
+ required:
+ - type
+ - params
+ title: APM availability
+ SLOs_indicator_properties_apm_latency:
+ description: Defines properties for the APM latency indicator type
+ type: object
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ type: object
+ properties:
+ environment:
+ description: The APM service environment or "*"
+ example: production
+ type: string
+ filter:
+ description: KQL query used for filtering the data
+ example: 'service.foo : "bar"'
+ type: string
+ index:
+ description: The index used by APM metrics
+ example: metrics-apm*,apm*
+ type: string
+ service:
+ description: The APM service name
+ example: o11y-app
+ type: string
+ threshold:
+ description: The latency threshold in milliseconds
+ example: 250
+ type: number
+ transactionName:
+ description: The APM transaction name or "*"
+ example: GET /my/api
+ type: string
+ transactionType:
+ description: The APM transaction type or "*"
+ example: request
+ type: string
+ required:
+ - service
+ - environment
+ - transactionType
+ - transactionName
+ - index
+ - threshold
+ type:
+ description: The type of indicator.
+ example: sli.apm.transactionDuration
+ type: string
+ required:
+ - type
+ - params
+ title: APM latency
+ SLOs_indicator_properties_custom_kql:
+ description: Defines properties for a custom query indicator type
+ type: object
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ type: object
+ properties:
+ dataViewId:
+ description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ example: 03b80ab3-003d-498b-881c-3beedbaf1162
+ type: string
+ filter:
+ $ref: '#/components/schemas/SLOs_kql_with_filters'
+ good:
+ $ref: '#/components/schemas/SLOs_kql_with_filters_good'
+ index:
+ description: The index or index pattern to use
+ example: my-service-*
+ type: string
+ timestampField:
+ description: |
+ The timestamp field used in the source indice.
+ example: timestamp
+ type: string
+ total:
+ $ref: '#/components/schemas/SLOs_kql_with_filters_total'
+ required:
+ - index
+ - timestampField
+ - good
+ - total
+ type:
+ description: The type of indicator.
+ example: sli.kql.custom
+ type: string
+ required:
+ - type
+ - params
+ title: Custom Query
+ SLOs_indicator_properties_custom_metric:
+ description: Defines properties for a custom metric indicator type
+ type: object
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ type: object
+ properties:
+ dataViewId:
+ description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ example: 03b80ab3-003d-498b-881c-3beedbaf1162
+ type: string
+ filter:
+ description: the KQL query to filter the documents with.
+ example: 'field.environment : "production" and service.name : "my-service"'
+ type: string
+ good:
+ description: |
+ An object defining the "good" metrics and equation
+ type: object
+ properties:
+ equation:
+ description: The equation to calculate the "good" metric.
+ example: A
+ type: string
+ metrics:
+ description: List of metrics with their name, aggregation type, and field.
+ items:
+ type: object
+ properties:
+ aggregation:
+ description: The aggregation type of the metric. Only valid option is "sum"
+ enum:
+ - sum
+ example: sum
+ type: string
+ field:
+ description: The field of the metric.
+ example: processor.processed
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ example: 'processor.outcome: "success"'
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ example: A
+ pattern: ^[A-Z]$
+ type: string
+ required:
+ - name
+ - aggregation
+ - field
+ type: array
+ required:
+ - metrics
+ - equation
+ index:
+ description: The index or index pattern to use
+ example: my-service-*
+ type: string
+ timestampField:
+ description: |
+ The timestamp field used in the source indice.
+ example: timestamp
+ type: string
+ total:
+ description: |
+ An object defining the "total" metrics and equation
+ type: object
+ properties:
+ equation:
+ description: The equation to calculate the "total" metric.
+ example: A
+ type: string
+ metrics:
+ description: List of metrics with their name, aggregation type, and field.
+ items:
+ type: object
+ properties:
+ aggregation:
+ description: The aggregation type of the metric. Only valid option is "sum"
+ enum:
+ - sum
+ example: sum
+ type: string
+ field:
+ description: The field of the metric.
+ example: processor.processed
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ example: 'processor.outcome: *'
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ example: A
+ pattern: ^[A-Z]$
+ type: string
+ required:
+ - name
+ - aggregation
+ - field
+ type: array
+ required:
+ - metrics
+ - equation
+ required:
+ - index
+ - timestampField
+ - good
+ - total
+ type:
+ description: The type of indicator.
+ example: sli.metric.custom
+ type: string
+ required:
+ - type
+ - params
+ title: Custom metric
+ SLOs_indicator_properties_histogram:
+ description: Defines properties for a histogram indicator type
+ type: object
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ type: object
+ properties:
+ dataViewId:
+ description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ example: 03b80ab3-003d-498b-881c-3beedbaf1162
+ type: string
+ filter:
+ description: the KQL query to filter the documents with.
+ example: 'field.environment : "production" and service.name : "my-service"'
+ type: string
+ good:
+ description: |
+ An object defining the "good" events
+ type: object
+ properties:
+ aggregation:
+ description: The type of aggregation to use.
+ enum:
+ - value_count
+ - range
+ example: value_count
+ type: string
+ field:
+ description: The field use to aggregate the good events.
+ example: processor.latency
+ type: string
+ filter:
+ description: The filter for good events.
+ example: 'processor.outcome: "success"'
+ type: string
+ from:
+ description: The starting value of the range. Only required for "range" aggregations.
+ example: 0
+ type: number
+ to:
+ description: The ending value of the range. Only required for "range" aggregations.
+ example: 100
+ type: number
+ required:
+ - aggregation
+ - field
+ index:
+ description: The index or index pattern to use
+ example: my-service-*
+ type: string
+ timestampField:
+ description: |
+ The timestamp field used in the source indice.
+ example: timestamp
+ type: string
+ total:
+ description: |
+ An object defining the "total" events
+ type: object
+ properties:
+ aggregation:
+ description: The type of aggregation to use.
+ enum:
+ - value_count
+ - range
+ example: value_count
+ type: string
+ field:
+ description: The field use to aggregate the good events.
+ example: processor.latency
+ type: string
+ filter:
+ description: The filter for total events.
+ example: 'processor.outcome : *'
+ type: string
+ from:
+ description: The starting value of the range. Only required for "range" aggregations.
+ example: 0
+ type: number
+ to:
+ description: The ending value of the range. Only required for "range" aggregations.
+ example: 100
+ type: number
+ required:
+ - aggregation
+ - field
+ required:
+ - index
+ - timestampField
+ - good
+ - total
+ type:
+ description: The type of indicator.
+ example: sli.histogram.custom
+ type: string
+ required:
+ - type
+ - params
+ title: Histogram indicator
+ SLOs_indicator_properties_timeslice_metric:
+ description: Defines properties for a timeslice metric indicator type
+ type: object
+ properties:
+ params:
+ description: An object containing the indicator parameters.
+ nullable: false
+ type: object
+ properties:
+ dataViewId:
+ description: The kibana data view id to use, primarily used to include data view runtime mappings. Make sure to save SLO again if you add/update run time fields to the data view and if those fields are being used in slo queries.
+ example: 03b80ab3-003d-498b-881c-3beedbaf1162
+ type: string
+ filter:
+ description: the KQL query to filter the documents with.
+ example: 'field.environment : "production" and service.name : "my-service"'
+ type: string
+ index:
+ description: The index or index pattern to use
+ example: my-service-*
+ type: string
+ metric:
+ description: |
+ An object defining the metrics, equation, and threshold to determine if it's a good slice or not
+ type: object
+ properties:
+ comparator:
+ description: The comparator to use to compare the equation to the threshold.
+ enum:
+ - GT
+ - GTE
+ - LT
+ - LTE
+ example: GT
+ type: string
+ equation:
+ description: The equation to calculate the metric.
+ example: A
+ type: string
+ metrics:
+ description: List of metrics with their name, aggregation type, and field.
+ items:
+ anyOf:
+ - $ref: '#/components/schemas/SLOs_timeslice_metric_basic_metric_with_field'
+ - $ref: '#/components/schemas/SLOs_timeslice_metric_percentile_metric'
+ - $ref: '#/components/schemas/SLOs_timeslice_metric_doc_count_metric'
+ type: array
+ threshold:
+ description: The threshold used to determine if the metric is a good slice or not.
+ example: 100
+ type: number
+ required:
+ - metrics
+ - equation
+ - comparator
+ - threshold
+ timestampField:
+ description: |
+ The timestamp field used in the source indice.
+ example: timestamp
+ type: string
+ required:
+ - index
+ - timestampField
+ - metric
+ type:
+ description: The type of indicator.
+ example: sli.metric.timeslice
+ type: string
+ required:
+ - type
+ - params
+ title: Timeslice metric
+ SLOs_kql_with_filters:
+ description: Defines properties for a filter
+ oneOf:
+ - description: the KQL query to filter the documents with.
+ example: 'field.environment : "production" and service.name : "my-service"'
+ type: string
+ - type: object
+ properties:
+ filters:
+ items:
+ $ref: '#/components/schemas/SLOs_filter'
+ type: array
+ kqlQuery:
+ type: string
+ title: KQL with filters
+ SLOs_kql_with_filters_good:
+ description: The KQL query used to define the good events.
+ oneOf:
+ - description: the KQL query to filter the documents with.
+ example: 'request.latency <= 150 and request.status_code : "2xx"'
+ type: string
+ - type: object
+ properties:
+ filters:
+ items:
+ $ref: '#/components/schemas/SLOs_filter'
+ type: array
+ kqlQuery:
+ type: string
+ title: KQL query for good events
+ SLOs_kql_with_filters_total:
+ description: The KQL query used to define all events.
+ oneOf:
+ - description: the KQL query to filter the documents with.
+ example: 'field.environment : "production" and service.name : "my-service"'
+ type: string
+ - type: object
+ properties:
+ filters:
+ items:
+ $ref: '#/components/schemas/SLOs_filter'
+ type: array
+ kqlQuery:
+ type: string
+ title: KQL query for all events
+ SLOs_objective:
+ description: Defines properties for the SLO objective
+ type: object
+ properties:
+ target:
+ description: the target objective between 0 and 1 excluded
+ example: 0.99
+ exclusiveMaximum: true
+ exclusiveMinimum: true
+ maximum: 100
+ minimum: 0
+ type: number
+ timesliceTarget:
+ description: the target objective for each slice when using a timeslices budgeting method
+ example: 0.995
+ maximum: 100
+ minimum: 0
+ type: number
+ timesliceWindow:
+ description: the duration of each slice when using a timeslices budgeting method, as {duraton}{unit}
+ example: 5m
+ type: string
+ required:
+ - target
+ title: Objective
+ SLOs_settings:
+ description: Defines properties for SLO settings.
+ properties:
+ frequency:
+ default: 1m
+ description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
+ example: 5m
+ type: string
+ preventInitialBackfill:
+ default: false
+ description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
+ example: true
+ type: boolean
+ syncDelay:
+ default: 1m
+ description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.
+ example: 5m
+ type: string
+ syncField:
+ description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
+ example: event.ingested
+ type: string
+ title: Settings
+ type: object
+ SLOs_slo_definition_response:
+ title: SLO definition response
+ type: object
+ properties:
+ budgetingMethod:
+ $ref: '#/components/schemas/SLOs_budgeting_method'
+ createdAt:
+ description: The creation date
+ example: '2023-01-12T10:03:19.000Z'
+ type: string
+ description:
+ description: The description of the SLO.
+ example: My SLO description
+ type: string
+ enabled:
+ description: Indicate if the SLO is enabled
+ example: true
+ type: boolean
+ groupBy:
+ $ref: '#/components/schemas/SLOs_group_by'
+ id:
+ description: The identifier of the SLO.
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258
+ type: string
+ indicator:
+ discriminator:
+ mapping:
+ sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram'
+ sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ propertyName: type
+ oneOf:
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ name:
+ description: The name of the SLO.
+ example: My Service SLO
+ type: string
+ objective:
+ $ref: '#/components/schemas/SLOs_objective'
+ revision:
+ description: The SLO revision
+ example: 2
+ type: number
+ settings:
+ $ref: '#/components/schemas/SLOs_settings'
+ tags:
+ description: List of tags
+ items:
+ type: string
+ type: array
+ timeWindow:
+ $ref: '#/components/schemas/SLOs_time_window'
+ updatedAt:
+ description: The last update date
+ example: '2023-01-12T10:03:19.000Z'
+ type: string
+ version:
+ description: The internal SLO version
+ example: 2
+ type: number
+ required:
+ - id
+ - name
+ - description
+ - indicator
+ - timeWindow
+ - budgetingMethod
+ - objective
+ - settings
+ - revision
+ - enabled
+ - groupBy
+ - tags
+ - createdAt
+ - updatedAt
+ - version
+ SLOs_slo_with_summary_response:
+ title: SLO response
+ type: object
+ properties:
+ budgetingMethod:
+ $ref: '#/components/schemas/SLOs_budgeting_method'
+ createdAt:
+ description: The creation date
+ example: '2023-01-12T10:03:19.000Z'
+ type: string
+ description:
+ description: The description of the SLO.
+ example: My SLO description
+ type: string
+ enabled:
+ description: Indicate if the SLO is enabled
+ example: true
+ type: boolean
+ groupBy:
+ $ref: '#/components/schemas/SLOs_group_by'
+ id:
+ description: The identifier of the SLO.
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258
+ type: string
+ indicator:
+ discriminator:
+ mapping:
+ sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram'
+ sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ propertyName: type
+ oneOf:
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ instanceId:
+ description: the value derived from the groupBy field, if present, otherwise '*'
+ example: host-abcde
+ type: string
+ name:
+ description: The name of the SLO.
+ example: My Service SLO
+ type: string
+ objective:
+ $ref: '#/components/schemas/SLOs_objective'
+ revision:
+ description: The SLO revision
+ example: 2
+ type: number
+ settings:
+ $ref: '#/components/schemas/SLOs_settings'
+ summary:
+ $ref: '#/components/schemas/SLOs_summary'
+ tags:
+ description: List of tags
+ items:
+ type: string
+ type: array
+ timeWindow:
+ $ref: '#/components/schemas/SLOs_time_window'
+ updatedAt:
+ description: The last update date
+ example: '2023-01-12T10:03:19.000Z'
+ type: string
+ version:
+ description: The internal SLO version
+ example: 2
+ type: number
+ required:
+ - id
+ - name
+ - description
+ - indicator
+ - timeWindow
+ - budgetingMethod
+ - objective
+ - settings
+ - revision
+ - summary
+ - enabled
+ - groupBy
+ - instanceId
+ - tags
+ - createdAt
+ - updatedAt
+ - version
+ SLOs_summary:
+ description: The SLO computed data
+ properties:
+ errorBudget:
+ $ref: '#/components/schemas/SLOs_error_budget'
+ sliValue:
+ example: 0.9836
+ type: number
+ status:
+ $ref: '#/components/schemas/SLOs_summary_status'
+ required:
+ - status
+ - sliValue
+ - errorBudget
+ title: Summary
+ type: object
+ SLOs_summary_status:
+ enum:
+ - NO_DATA
+ - HEALTHY
+ - DEGRADING
+ - VIOLATED
+ example: HEALTHY
+ title: summary status
+ type: string
+ SLOs_time_window:
+ description: Defines properties for the SLO time window
+ type: object
+ properties:
+ duration:
+ description: 'the duration formatted as {duration}{unit}. Accepted values for rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w (weekly) or 1M (monthly)'
+ example: 30d
+ type: string
+ type:
+ description: Indicates weither the time window is a rolling or a calendar aligned time window.
+ enum:
+ - rolling
+ - calendarAligned
+ example: rolling
+ type: string
+ required:
+ - duration
+ - type
+ title: Time window
+ SLOs_timeslice_metric_basic_metric_with_field:
+ type: object
+ properties:
+ aggregation:
+ description: The aggregation type of the metric.
+ enum:
+ - sum
+ - avg
+ - min
+ - max
+ - std_deviation
+ - last_value
+ - cardinality
+ example: sum
+ type: string
+ field:
+ description: The field of the metric.
+ example: processor.processed
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ example: 'processor.outcome: "success"'
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ example: A
+ pattern: ^[A-Z]$
+ type: string
+ required:
+ - name
+ - aggregation
+ - field
+ title: Timeslice Metric Basic Metric with Field
+ SLOs_timeslice_metric_doc_count_metric:
+ type: object
+ properties:
+ aggregation:
+ description: The aggregation type of the metric. Only valid option is "doc_count"
+ enum:
+ - doc_count
+ example: doc_count
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ example: 'processor.outcome: "success"'
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ example: A
+ pattern: ^[A-Z]$
+ type: string
+ required:
+ - name
+ - aggregation
+ title: Timeslice Metric Doc Count Metric
+ SLOs_timeslice_metric_percentile_metric:
+ type: object
+ properties:
+ aggregation:
+ description: The aggregation type of the metric. Only valid option is "percentile"
+ enum:
+ - percentile
+ example: percentile
+ type: string
+ field:
+ description: The field of the metric.
+ example: processor.processed
+ type: string
+ filter:
+ description: The filter to apply to the metric.
+ example: 'processor.outcome: "success"'
+ type: string
+ name:
+ description: The name of the metric. Only valid options are A-Z
+ example: A
+ pattern: ^[A-Z]$
+ type: string
+ percentile:
+ description: The percentile value.
+ example: 95
+ type: number
+ required:
+ - name
+ - aggregation
+ - field
+ - percentile
+ title: Timeslice Metric Percentile Metric
+ SLOs_update_slo_request:
+ description: |
+ The update SLO API request body varies depending on the type of indicator, time window and budgeting method. Partial update is handled.
+ properties:
+ budgetingMethod:
+ $ref: '#/components/schemas/SLOs_budgeting_method'
+ description:
+ description: A description for the SLO.
+ type: string
+ groupBy:
+ $ref: '#/components/schemas/SLOs_group_by'
+ indicator:
+ oneOf:
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_histogram'
+ - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric'
+ name:
+ description: A name for the SLO.
+ type: string
+ objective:
+ $ref: '#/components/schemas/SLOs_objective'
+ settings:
+ $ref: '#/components/schemas/SLOs_settings'
+ tags:
+ description: List of tags
+ items:
+ type: string
+ type: array
+ timeWindow:
+ $ref: '#/components/schemas/SLOs_time_window'
+ title: Update SLO request
+ type: object
+ bedrock_config:
+ title: Connector request properties for an Amazon Bedrock connector
+ description: Defines properties for connectors when type is `.bedrock`.
+ type: object
+ required:
+ - apiUrl
+ properties:
+ apiUrl:
+ type: string
+ description: The Amazon Bedrock request URL.
+ defaultModel:
+ type: string
+ description: |
+ The generative artificial intelligence model for Amazon Bedrock to use. Current support is for the Anthropic Claude models.
+ default: anthropic.claude-3-5-sonnet-20240620-v1:0
+ crowdstrike_config:
+ title: Connector request config properties for a Crowdstrike connector
+ required:
+ - url
+ description: Defines config properties for connectors when type is `.crowdstrike`.
+ type: object
+ properties:
+ url:
+ description: |
+ The CrowdStrike tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ d3security_config:
+ title: Connector request properties for a D3 Security connector
+ description: Defines properties for connectors when type is `.d3security`.
+ type: object
+ required:
+ - url
+ properties:
+ url:
+ type: string
+ description: |
+ The D3 Security API request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ email_config:
+ title: Connector request properties for an email connector
+ description: Defines properties for connectors when type is `.email`.
+ required:
+ - from
+ type: object
+ properties:
+ clientId:
+ description: |
+ The client identifier, which is a part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
+ type: string
+ nullable: true
+ from:
+ description: |
+ The from address for all emails sent by the connector. It must be specified in `user@host-name` format.
+ type: string
+ hasAuth:
+ description: |
+ Specifies whether a user and password are required inside the secrets configuration.
+ default: true
+ type: boolean
+ host:
+ description: |
+ The host name of the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
+ type: string
+ oauthTokenUrl:
+ type: string
+ nullable: true
+ port:
+ description: |
+ The port to connect to on the service provider. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored. If `service` is `other`, this property must be defined.
+ type: integer
+ secure:
+ description: |
+ Specifies whether the connection to the service provider will use TLS. If the `service` is `elastic_cloud` (for Elastic Cloud notifications) or one of Nodemailer's well-known email service providers, this property is ignored.
+ type: boolean
+ service:
+ description: |
+ The name of the email service.
+ type: string
+ enum:
+ - elastic_cloud
+ - exchange_server
+ - gmail
+ - other
+ - outlook365
+ - ses
+ tenantId:
+ description: |
+ The tenant identifier, which is part of OAuth 2.0 client credentials authentication, in GUID format. If `service` is `exchange_server`, this property is required.
+ type: string
+ nullable: true
+ gemini_config:
+ title: Connector request properties for an Google Gemini connector
+ description: Defines properties for connectors when type is `.gemini`.
+ type: object
+ required:
+ - apiUrl
+ - gcpRegion
+ - gcpProjectID
+ properties:
+ apiUrl:
+ type: string
+ description: The Google Gemini request URL.
+ defaultModel:
+ type: string
+ description: The generative artificial intelligence model for Google Gemini to use.
+ default: gemini-1.5-pro-002
+ gcpRegion:
+ type: string
+ description: The GCP region where the Vertex AI endpoint enabled.
+ gcpProjectID:
+ type: string
+ description: The Google ProjectID that has Vertex AI endpoint enabled.
+ resilient_config:
+ title: Connector request properties for a IBM Resilient connector
+ required:
+ - apiUrl
+ - orgId
+ description: Defines properties for connectors when type is `.resilient`.
+ type: object
+ properties:
+ apiUrl:
+ description: The IBM Resilient instance URL.
+ type: string
+ orgId:
+ description: The IBM Resilient organization ID.
+ type: string
+ index_config:
+ title: Connector request properties for an index connector
+ required:
+ - index
+ description: Defines properties for connectors when type is `.index`.
+ type: object
+ properties:
+ executionTimeField:
+ description: A field that indicates when the document was indexed.
+ default: null
+ type: string
+ nullable: true
+ index:
+ description: The Elasticsearch index to be written to.
+ type: string
+ refresh:
+ description: |
+ The refresh policy for the write request, which affects when changes are made visible to search. Refer to the refresh setting for Elasticsearch document APIs.
+ default: false
+ type: boolean
+ jira_config:
+ title: Connector request properties for a Jira connector
+ required:
+ - apiUrl
+ - projectKey
+ description: Defines properties for connectors when type is `.jira`.
+ type: object
+ properties:
+ apiUrl:
+ description: The Jira instance URL.
+ type: string
+ projectKey:
+ description: The Jira project key.
+ type: string
+ genai_azure_config:
+ title: Connector request properties for an OpenAI connector that uses Azure OpenAI
+ description: |
+ Defines properties for connectors when type is `.gen-ai` and the API provider is `Azure OpenAI`.
+ type: object
+ required:
+ - apiProvider
+ - apiUrl
+ properties:
+ apiProvider:
+ type: string
+ description: The OpenAI API provider.
+ enum:
+ - Azure OpenAI
+ apiUrl:
+ type: string
+ description: The OpenAI API endpoint.
+ genai_openai_config:
+ title: Connector request properties for an OpenAI connector
+ description: |
+ Defines properties for connectors when type is `.gen-ai` and the API provider is `OpenAI`.
+ type: object
+ required:
+ - apiProvider
+ - apiUrl
+ properties:
+ apiProvider:
+ type: string
+ description: The OpenAI API provider.
+ enum:
+ - OpenAI
+ apiUrl:
+ type: string
+ description: The OpenAI API endpoint.
+ defaultModel:
+ type: string
+ description: The default model to use for requests.
+ opsgenie_config:
+ title: Connector request properties for an Opsgenie connector
+ required:
+ - apiUrl
+ description: Defines properties for connectors when type is `.opsgenie`.
+ type: object
+ properties:
+ apiUrl:
+ description: |
+ The Opsgenie URL. For example, `https://api.opsgenie.com` or `https://api.eu.opsgenie.com`. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ pagerduty_config:
+ title: Connector request properties for a PagerDuty connector
+ description: Defines properties for connectors when type is `.pagerduty`.
+ type: object
+ properties:
+ apiUrl:
+ description: The PagerDuty event URL.
+ type: string
+ nullable: true
+ example: https://events.pagerduty.com/v2/enqueue
+ sentinelone_config:
+ title: Connector request properties for a SentinelOne connector
+ required:
+ - url
+ description: Defines properties for connectors when type is `.sentinelone`.
+ type: object
+ properties:
+ url:
+ description: |
+ The SentinelOne tenant URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ type: string
+ servicenow_config:
+ title: Connector request properties for a ServiceNow ITSM connector
+ required:
+ - apiUrl
+ description: Defines properties for connectors when type is `.servicenow`.
+ type: object
+ properties:
+ apiUrl:
+ type: string
+ description: The ServiceNow instance URL.
+ clientId:
+ description: |
+ The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.
+ type: string
+ isOAuth:
+ description: |
+ The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
+ default: false
+ type: boolean
+ jwtKeyId:
+ description: |
+ The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.
+ type: string
+ userIdentifierValue:
+ description: |
+ The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.
+ type: string
+ usesTableApi:
+ description: |
+ Determines whether the connector uses the Table API or the Import Set API. This property is supported only for ServiceNow ITSM and ServiceNow SecOps connectors. NOTE: If this property is set to `false`, the Elastic application should be installed in ServiceNow.
+ default: true
+ type: boolean
+ servicenow_itom_config:
+ title: Connector request properties for a ServiceNow ITOM connector
+ required:
+ - apiUrl
+ description: Defines properties for connectors when type is `.servicenow-itom`.
+ type: object
+ properties:
+ apiUrl:
+ type: string
+ description: The ServiceNow instance URL.
+ clientId:
+ description: |
+ The client ID assigned to your OAuth application. This property is required when `isOAuth` is `true`.
+ type: string
+ isOAuth:
+ description: |
+ The type of authentication to use. The default value is false, which means basic authentication is used instead of open authorization (OAuth).
+ default: false
+ type: boolean
+ jwtKeyId:
+ description: |
+ The key identifier assigned to the JWT verifier map of your OAuth application. This property is required when `isOAuth` is `true`.
+ type: string
+ userIdentifierValue:
+ description: |
+ The identifier to use for OAuth authentication. This identifier should be the user field you selected when you created an OAuth JWT API endpoint for external clients in your ServiceNow instance. For example, if the selected user field is `Email`, the user identifier should be the user's email address. This property is required when `isOAuth` is `true`.
+ type: string
+ slack_api_config:
+ title: Connector request properties for a Slack connector
+ description: Defines properties for connectors when type is `.slack_api`.
+ type: object
+ properties:
+ allowedChannels:
+ type: array
+ description: A list of valid Slack channels.
+ items:
+ type: object
+ required:
+ - id
+ - name
+ maxItems: 25
+ properties:
+ id:
+ type: string
+ description: The Slack channel ID.
+ example: C123ABC456
+ minLength: 1
+ name:
+ type: string
+ description: The Slack channel name.
+ minLength: 1
+ swimlane_config:
+ title: Connector request properties for a Swimlane connector
+ required:
+ - apiUrl
+ - appId
+ - connectorType
+ description: Defines properties for connectors when type is `.swimlane`.
+ type: object
+ properties:
+ apiUrl:
+ description: The Swimlane instance URL.
+ type: string
+ appId:
+ description: The Swimlane application ID.
+ type: string
+ connectorType:
+ description: The type of connector. Valid values are `all`, `alerts`, and `cases`.
+ type: string
+ enum:
+ - all
+ - alerts
+ - cases
+ mappings:
+ title: Connector mappings properties for a Swimlane connector
+ description: The field mapping.
+ type: object
+ properties:
+ alertIdConfig:
+ title: Alert identifier mapping
+ description: Mapping for the alert ID.
+ type: object
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ properties:
+ fieldType:
+ type: string
+ description: The type of field in Swimlane.
+ id:
+ type: string
+ description: The identifier for the field in Swimlane.
+ key:
+ type: string
+ description: The key for the field in Swimlane.
+ name:
+ type: string
+ description: The name of the field in Swimlane.
+ caseIdConfig:
+ title: Case identifier mapping
+ description: Mapping for the case ID.
+ type: object
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ properties:
+ fieldType:
+ type: string
+ description: The type of field in Swimlane.
+ id:
+ type: string
+ description: The identifier for the field in Swimlane.
+ key:
+ type: string
+ description: The key for the field in Swimlane.
+ name:
+ type: string
+ description: The name of the field in Swimlane.
+ caseNameConfig:
+ title: Case name mapping
+ description: Mapping for the case name.
+ type: object
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ properties:
+ fieldType:
+ type: string
+ description: The type of field in Swimlane.
+ id:
+ type: string
+ description: The identifier for the field in Swimlane.
+ key:
+ type: string
+ description: The key for the field in Swimlane.
+ name:
+ type: string
+ description: The name of the field in Swimlane.
+ commentsConfig:
+ title: Case comment mapping
+ description: Mapping for the case comments.
+ type: object
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ properties:
+ fieldType:
+ type: string
+ description: The type of field in Swimlane.
+ id:
+ type: string
+ description: The identifier for the field in Swimlane.
+ key:
+ type: string
+ description: The key for the field in Swimlane.
+ name:
+ type: string
+ description: The name of the field in Swimlane.
+ descriptionConfig:
+ title: Case description mapping
+ description: Mapping for the case description.
+ type: object
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ properties:
+ fieldType:
+ type: string
+ description: The type of field in Swimlane.
+ id:
+ type: string
+ description: The identifier for the field in Swimlane.
+ key:
+ type: string
+ description: The key for the field in Swimlane.
+ name:
+ type: string
+ description: The name of the field in Swimlane.
+ ruleNameConfig:
+ title: Rule name mapping
+ description: Mapping for the name of the alert's rule.
+ type: object
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ properties:
+ fieldType:
+ type: string
+ description: The type of field in Swimlane.
+ id:
+ type: string
+ description: The identifier for the field in Swimlane.
+ key:
+ type: string
+ description: The key for the field in Swimlane.
+ name:
+ type: string
+ description: The name of the field in Swimlane.
+ severityConfig:
+ title: Severity mapping
+ description: Mapping for the severity.
+ type: object
+ required:
+ - fieldType
+ - id
+ - key
+ - name
+ properties:
+ fieldType:
+ type: string
+ description: The type of field in Swimlane.
+ id:
+ type: string
+ description: The identifier for the field in Swimlane.
+ key:
+ type: string
+ description: The key for the field in Swimlane.
+ name:
+ type: string
+ description: The name of the field in Swimlane.
+ thehive_config:
+ title: Connector request properties for a TheHive connector
+ description: Defines configuration properties for connectors when type is `.thehive`.
+ type: object
+ required:
+ - url
+ properties:
+ organisation:
+ type: string
+ description: |
+ The organisation in TheHive that will contain the alerts or cases. By default, the connector uses the default organisation of the user account that created the API key.
+ url:
+ type: string
+ description: |
+ The instance URL in TheHive. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ tines_config:
+ title: Connector request properties for a Tines connector
+ description: Defines properties for connectors when type is `.tines`.
+ type: object
+ required:
+ - url
+ properties:
+ url:
+ description: |
+ The Tines tenant URL. If you are using the `xpack.actions.allowedHosts` setting, make sure this hostname is added to the allowed hosts.
+ type: string
+ torq_config:
+ title: Connector request properties for a Torq connector
+ description: Defines properties for connectors when type is `.torq`.
+ type: object
+ required:
+ - webhookIntegrationUrl
+ properties:
+ webhookIntegrationUrl:
+ description: The endpoint URL of the Elastic Security integration in Torq.
+ type: string
+ auth_type:
+ title: Authentication type
+ type: string
+ nullable: true
+ enum:
+ - webhook-authentication-basic
+ - webhook-authentication-ssl
+ description: |
+ The type of authentication to use: basic, SSL, or none.
+ ca:
+ title: Certificate authority
+ type: string
+ description: |
+ A base64 encoded version of the certificate authority file that the connector can trust to sign and validate certificates. This option is available for all authentication types.
+ cert_type:
+ title: Certificate type
+ type: string
+ description: |
+ If the `authType` is `webhook-authentication-ssl`, specifies whether the certificate authentication data is in a CRT and key file format or a PFX file format.
+ enum:
+ - ssl-crt-key
+ - ssl-pfx
+ has_auth:
+ title: Has authentication
+ type: boolean
+ description: If true, a username and password for login type authentication must be provided.
+ default: true
+ verification_mode:
+ title: Verification mode
+ type: string
+ enum:
+ - certificate
+ - full
+ - none
+ default: full
+ description: |
+ Controls the verification of certificates. Use `full` to validate that the certificate has an issue date within the `not_before` and `not_after` dates, chains to a trusted certificate authority (CA), and has a hostname or IP address that matches the names within the certificate. Use `certificate` to validate the certificate and verify that it is signed by a trusted authority; this option does not check the certificate hostname. Use `none` to skip certificate validation.
+ webhook_config:
+ title: Connector request properties for a Webhook connector
+ description: Defines properties for connectors when type is `.webhook`.
+ type: object
+ properties:
+ authType:
+ $ref: '#/components/schemas/auth_type'
+ ca:
+ $ref: '#/components/schemas/ca'
+ certType:
+ $ref: '#/components/schemas/cert_type'
+ hasAuth:
+ $ref: '#/components/schemas/has_auth'
+ headers:
+ type: object
+ nullable: true
+ description: A set of key-value pairs sent as headers with the request.
+ method:
+ type: string
+ default: post
+ enum:
+ - post
+ - put
+ description: |
+ The HTTP request method, either `post` or `put`.
+ url:
+ type: string
+ description: |
+ The request URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ verificationMode:
+ $ref: '#/components/schemas/verification_mode'
+ cases_webhook_config:
+ title: Connector request properties for Webhook - Case Management connector
+ required:
+ - createIncidentJson
+ - createIncidentResponseKey
+ - createIncidentUrl
+ - getIncidentResponseExternalTitleKey
+ - getIncidentUrl
+ - updateIncidentJson
+ - updateIncidentUrl
+ - viewIncidentUrl
+ description: Defines properties for connectors when type is `.cases-webhook`.
+ type: object
+ properties:
+ authType:
+ $ref: '#/components/schemas/auth_type'
+ ca:
+ $ref: '#/components/schemas/ca'
+ certType:
+ $ref: '#/components/schemas/cert_type'
+ createCommentJson:
+ type: string
+ description: |
+ A JSON payload sent to the create comment URL to create a case comment. You can use variables to add Kibana Cases data to the payload. The required variable is `case.comment`. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated once the Mustache variables have been placed when the REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
+ example: '{"body": {{{case.comment}}}}'
+ createCommentMethod:
+ type: string
+ description: |
+ The REST API HTTP request method to create a case comment in the third-party system. Valid values are `patch`, `post`, and `put`.
+ default: put
+ enum:
+ - patch
+ - post
+ - put
+ createCommentUrl:
+ type: string
+ description: |
+ The REST API URL to create a case comment by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts setting`, add the hostname to the allowed hosts.
+ example: https://example.com/issue/{{{external.system.id}}}/comment
+ createIncidentJson:
+ type: string
+ description: |
+ A JSON payload sent to the create case URL to create a case. You can use variables to add case data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
+ example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}'
+ createIncidentMethod:
+ type: string
+ description: |
+ The REST API HTTP request method to create a case in the third-party system. Valid values are `patch`, `post`, and `put`.
+ enum:
+ - patch
+ - post
+ - put
+ default: post
+ createIncidentResponseKey:
+ type: string
+ description: The JSON key in the create external case response that contains the case ID.
+ createIncidentUrl:
+ type: string
+ description: |
+ The REST API URL to create a case in the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ getIncidentResponseExternalTitleKey:
+ type: string
+ description: The JSON key in get external case response that contains the case title.
+ getIncidentUrl:
+ type: string
+ description: |
+ The REST API URL to get the case by ID from the third-party system. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts. You can use a variable to add the external system ID to the URL. Due to Mustache template variables (the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid, disregarding the Mustache variables, so the later validation will pass.
+ example: https://example.com/issue/{{{external.system.id}}}
+ hasAuth:
+ $ref: '#/components/schemas/has_auth'
+ headers:
+ type: string
+ description: |
+ A set of key-value pairs sent as headers with the request URLs for the create case, update case, get case, and create comment methods.
+ updateIncidentJson:
+ type: string
+ description: |
+ The JSON payload sent to the update case URL to update the case. You can use variables to add Kibana Cases data to the payload. Required variables are `case.title` and `case.description`. Due to Mustache template variables (which is the text enclosed in triple braces, for example, `{{{case.title}}}`), the JSON is not validated when you create the connector. The JSON is validated after the Mustache variables have been placed when REST method runs. Manually ensure that the JSON is valid to avoid future validation errors; disregard Mustache variables during your review.
+ example: '{"fields": {"summary": {{{case.title}}},"description": {{{case.description}}},"labels": {{{case.tags}}}}}'
+ updateIncidentMethod:
+ type: string
+ description: |
+ The REST API HTTP request method to update the case in the third-party system. Valid values are `patch`, `post`, and `put`.
+ default: put
+ enum:
+ - patch
+ - post
+ - put
+ updateIncidentUrl:
+ type: string
+ description: |
+ The REST API URL to update the case by ID in the third-party system. You can use a variable to add the external system ID to the URL. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ example: https://example.com/issue/{{{external.system.ID}}}
+ verificationMode:
+ $ref: '#/components/schemas/verification_mode'
+ viewIncidentUrl:
+ type: string
+ description: |
+ The URL to view the case in the external system. You can use variables to add the external system ID or external system title to the URL.
+ example: https://testing-jira.atlassian.net/browse/{{{external.system.title}}}
+ xmatters_config:
+ title: Connector request properties for an xMatters connector
+ description: Defines properties for connectors when type is `.xmatters`.
+ type: object
+ properties:
+ configUrl:
+ description: |
+ The request URL for the Elastic Alerts trigger in xMatters. It is applicable only when `usesBasic` is `true`.
+ type: string
+ nullable: true
+ usesBasic:
+ description: Specifies whether the connector uses HTTP basic authentication (`true`) or URL authentication (`false`).
+ type: boolean
+ default: true
+ bedrock_secrets:
+ title: Connector secrets properties for an Amazon Bedrock connector
+ description: Defines secrets for connectors when type is `.bedrock`.
+ type: object
+ required:
+ - accessKey
+ - secret
+ properties:
+ accessKey:
+ type: string
+ description: The AWS access key for authentication.
+ secret:
+ type: string
+ description: The AWS secret for authentication.
+ crowdstrike_secrets:
+ title: Connector secrets properties for a Crowdstrike connector
+ description: Defines secrets for connectors when type is `.crowdstrike`.
+ type: object
+ required:
+ - clientId
+ - clientSecret
+ properties:
+ clientId:
+ description: The CrowdStrike API client identifier.
+ type: string
+ clientSecret:
+ description: The CrowdStrike API client secret to authenticate the `clientId`.
+ type: string
+ d3security_secrets:
+ title: Connector secrets properties for a D3 Security connector
+ description: Defines secrets for connectors when type is `.d3security`.
+ required:
+ - token
+ type: object
+ properties:
+ token:
+ type: string
+ description: The D3 Security token.
+ email_secrets:
+ title: Connector secrets properties for an email connector
+ description: Defines secrets for connectors when type is `.email`.
+ type: object
+ properties:
+ clientSecret:
+ type: string
+ description: |
+ The Microsoft Exchange Client secret for OAuth 2.0 client credentials authentication. It must be URL-encoded. If `service` is `exchange_server`, this property is required.
+ password:
+ type: string
+ description: |
+ The password for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.
+ user:
+ type: string
+ description: |
+ The username for HTTP basic authentication. If `hasAuth` is set to `true`, this property is required.
+ gemini_secrets:
+ title: Connector secrets properties for a Google Gemini connector
+ description: Defines secrets for connectors when type is `.gemini`.
+ type: object
+ required:
+ - credentialsJson
+ properties:
+ credentialsJson:
+ type: string
+ description: The service account credentials JSON file. The service account should have Vertex AI user IAM role assigned to it.
+ resilient_secrets:
+ title: Connector secrets properties for IBM Resilient connector
+ required:
+ - apiKeyId
+ - apiKeySecret
+ description: Defines secrets for connectors when type is `.resilient`.
+ type: object
+ properties:
+ apiKeyId:
+ type: string
+ description: The authentication key ID for HTTP Basic authentication.
+ apiKeySecret:
+ type: string
+ description: The authentication key secret for HTTP Basic authentication.
+ jira_secrets:
+ title: Connector secrets properties for a Jira connector
+ required:
+ - apiToken
+ - email
+ description: Defines secrets for connectors when type is `.jira`.
+ type: object
+ properties:
+ apiToken:
+ description: The Jira API authentication token for HTTP basic authentication.
+ type: string
+ email:
+ description: The account email for HTTP Basic authentication.
+ type: string
+ teams_secrets:
+ title: Connector secrets properties for a Microsoft Teams connector
+ description: Defines secrets for connectors when type is `.teams`.
+ type: object
+ required:
+ - webhookUrl
+ properties:
+ webhookUrl:
+ type: string
+ description: |
+ The URL of the incoming webhook. If you are using the `xpack.actions.allowedHosts` setting, add the hostname to the allowed hosts.
+ genai_secrets:
+ title: Connector secrets properties for an OpenAI connector
+ description: Defines secrets for connectors when type is `.gen-ai`.
+ type: object
+ properties:
+ apiKey:
+ type: string
+ description: The OpenAI API key.
+ opsgenie_secrets:
+ title: Connector secrets properties for an Opsgenie connector
+ required:
+ - apiKey
+ description: Defines secrets for connectors when type is `.opsgenie`.
+ type: object
+ properties:
+ apiKey:
+ description: The Opsgenie API authentication key for HTTP Basic authentication.
+ type: string
+ pagerduty_secrets:
+ title: Connector secrets properties for a PagerDuty connector
+ description: Defines secrets for connectors when type is `.pagerduty`.
+ type: object
+ required:
+ - routingKey
+ properties:
+ routingKey:
+ description: |
+ A 32 character PagerDuty Integration Key for an integration on a service.
+ type: string
+ sentinelone_secrets:
+ title: Connector secrets properties for a SentinelOne connector
+ description: Defines secrets for connectors when type is `.sentinelone`.
+ type: object
+ required:
+ - token
+ properties:
+ token:
+ description: The A SentinelOne API token.
+ type: string
+ servicenow_secrets:
+ title: Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors
+ description: Defines secrets for connectors when type is `.servicenow`, `.servicenow-sir`, or `.servicenow-itom`.
+ type: object
+ properties:
+ clientSecret:
+ type: string
+ description: The client secret assigned to your OAuth application. This property is required when `isOAuth` is `true`.
+ password:
+ type: string
+ description: The password for HTTP basic authentication. This property is required when `isOAuth` is `false`.
+ privateKey:
+ type: string
+ description: The RSA private key that you created for use in ServiceNow. This property is required when `isOAuth` is `true`.
+ privateKeyPassword:
+ type: string
+ description: The password for the RSA private key. This property is required when `isOAuth` is `true` and you set a password on your private key.
+ username:
+ type: string
+ description: The username for HTTP basic authentication. This property is required when `isOAuth` is `false`.
+ slack_api_secrets:
+ title: Connector secrets properties for a Web API Slack connector
+ description: Defines secrets for connectors when type is `.slack`.
+ required:
+ - token
+ type: object
+ properties:
+ token:
+ type: string
+ description: Slack bot user OAuth token.
+ swimlane_secrets:
+ title: Connector secrets properties for a Swimlane connector
+ description: Defines secrets for connectors when type is `.swimlane`.
+ type: object
+ properties:
+ apiToken:
+ description: Swimlane API authentication token.
+ type: string
+ thehive_secrets:
+ title: Connector secrets properties for a TheHive connector
+ description: Defines secrets for connectors when type is `.thehive`.
+ required:
+ - apiKey
+ type: object
+ properties:
+ apiKey:
+ type: string
+ description: The API key for authentication in TheHive.
+ tines_secrets:
+ title: Connector secrets properties for a Tines connector
+ description: Defines secrets for connectors when type is `.tines`.
+ type: object
+ required:
+ - email
+ - token
+ properties:
+ email:
+ description: The email used to sign in to Tines.
+ type: string
+ token:
+ description: The Tines API token.
+ type: string
+ torq_secrets:
+ title: Connector secrets properties for a Torq connector
+ description: Defines secrets for connectors when type is `.torq`.
+ type: object
+ required:
+ - token
+ properties:
+ token:
+ description: The secret of the webhook authentication header.
+ type: string
+ crt:
+ title: Certificate
+ type: string
+ description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT file.
+ key:
+ title: Certificate key
+ type: string
+ description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-crt-key`, it is a base64 encoded version of the KEY file.
+ pfx:
+ title: Personal information exchange
+ type: string
+ description: If `authType` is `webhook-authentication-ssl` and `certType` is `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file.
+ webhook_secrets:
+ title: Connector secrets properties for a Webhook connector
+ description: Defines secrets for connectors when type is `.webhook`.
+ type: object
+ properties:
+ crt:
+ $ref: '#/components/schemas/crt'
+ key:
+ $ref: '#/components/schemas/key'
+ pfx:
+ $ref: '#/components/schemas/pfx'
+ password:
+ type: string
+ description: |
+ The password for HTTP basic authentication or the passphrase for the SSL certificate files. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
+ user:
+ type: string
+ description: |
+ The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
+ cases_webhook_secrets:
+ title: Connector secrets properties for Webhook - Case Management connector
+ type: object
+ properties:
+ crt:
+ $ref: '#/components/schemas/crt'
+ key:
+ $ref: '#/components/schemas/key'
+ pfx:
+ $ref: '#/components/schemas/pfx'
+ password:
+ type: string
+ description: |
+ The password for HTTP basic authentication. If `hasAuth` is set to `true` and and `authType` is `webhook-authentication-basic`, this property is required.
+ user:
+ type: string
+ description: |
+ The username for HTTP basic authentication. If `hasAuth` is set to `true` and `authType` is `webhook-authentication-basic`, this property is required.
+ xmatters_secrets:
+ title: Connector secrets properties for an xMatters connector
+ description: Defines secrets for connectors when type is `.xmatters`.
+ type: object
+ properties:
+ password:
+ description: |
+ A user name for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.
+ type: string
+ secretsUrl:
+ description: |
+ The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL. It is applicable only when `usesBasic` is `false`.
+ type: string
+ user:
+ description: |
+ A password for HTTP basic authentication. It is applicable only when `usesBasic` is `true`.
+ type: string
+ run_acknowledge_resolve_pagerduty:
+ title: PagerDuty connector parameters
+ description: Test an action that acknowledges or resolves a PagerDuty alert.
+ type: object
+ required:
+ - dedupKey
+ - eventAction
+ properties:
+ dedupKey:
+ description: The deduplication key for the PagerDuty alert.
+ type: string
+ maxLength: 255
+ eventAction:
+ description: The type of event.
+ type: string
+ enum:
+ - acknowledge
+ - resolve
+ run_documents:
+ title: Index connector parameters
+ description: Test an action that indexes a document into Elasticsearch.
+ type: object
+ required:
+ - documents
+ properties:
+ documents:
+ type: array
+ description: The documents in JSON format for index connectors.
+ items:
+ type: object
+ additionalProperties: true
+ run_message_email:
+ title: Email connector parameters
+ description: |
+ Test an action that sends an email message. There must be at least one recipient in `to`, `cc`, or `bcc`.
+ type: object
+ required:
+ - message
+ - subject
+ - anyOf:
+ - to
+ - cc
+ - bcc
+ properties:
+ bcc:
+ type: array
+ items:
+ type: string
+ description: |
+ A list of "blind carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format
+ cc:
+ type: array
+ items:
+ type: string
+ description: |
+ A list of "carbon copy" email addresses. Addresses can be specified in `user@host-name` format or in name `` format
+ message:
+ type: string
+ description: The email message text. Markdown format is supported.
+ subject:
+ type: string
+ description: The subject line of the email.
+ to:
+ type: array
+ description: |
+ A list of email addresses. Addresses can be specified in `user@host-name` format or in name `` format.
+ items:
+ type: string
+ run_message_serverlog:
+ title: Server log connector parameters
+ description: Test an action that writes an entry to the Kibana server log.
+ type: object
+ required:
+ - message
+ properties:
+ level:
+ type: string
+ description: The log level of the message for server log connectors.
+ enum:
+ - debug
+ - error
+ - fatal
+ - info
+ - trace
+ - warn
+ default: info
+ message:
+ type: string
+ description: The message for server log connectors.
+ run_message_slack:
+ title: Slack connector parameters
+ description: |
+ Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack`.
+ type: object
+ required:
+ - message
+ properties:
+ message:
+ type: string
+ description: The Slack message text, which cannot contain Markdown, images, or other advanced formatting.
+ run_trigger_pagerduty:
+ title: PagerDuty connector parameters
+ description: Test an action that triggers a PagerDuty alert.
+ type: object
+ required:
+ - eventAction
+ properties:
+ class:
+ description: The class or type of the event.
+ type: string
+ example: cpu load
+ component:
+ description: The component of the source machine that is responsible for the event.
+ type: string
+ example: eth0
+ customDetails:
+ description: Additional details to add to the event.
+ type: object
+ dedupKey:
+ description: |
+ All actions sharing this key will be associated with the same PagerDuty alert. This value is used to correlate trigger and resolution.
+ type: string
+ maxLength: 255
+ eventAction:
+ description: The type of event.
+ type: string
+ enum:
+ - trigger
+ group:
+ description: The logical grouping of components of a service.
+ type: string
+ example: app-stack
+ links:
+ description: A list of links to add to the event.
+ type: array
+ items:
+ type: object
+ properties:
+ href:
+ description: The URL for the link.
+ type: string
+ text:
+ description: A plain text description of the purpose of the link.
+ type: string
+ severity:
+ description: The severity of the event on the affected system.
+ type: string
+ enum:
+ - critical
+ - error
+ - info
+ - warning
+ default: info
+ source:
+ description: |
+ The affected system, such as a hostname or fully qualified domain name. Defaults to the Kibana saved object id of the action.
+ type: string
+ summary:
+ description: A summery of the event.
+ type: string
+ maxLength: 1024
+ timestamp:
+ description: An ISO-8601 timestamp that indicates when the event was detected or generated.
+ type: string
+ format: date-time
+ run_addevent:
+ title: The addEvent subaction
+ type: object
+ required:
+ - subAction
+ description: The `addEvent` subaction for ServiceNow ITOM connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - addEvent
+ subActionParams:
+ type: object
+ description: The set of configuration properties for the action.
+ properties:
+ additional_info:
+ type: string
+ description: Additional information about the event.
+ description:
+ type: string
+ description: The details about the event.
+ event_class:
+ type: string
+ description: A specific instance of the source.
+ message_key:
+ type: string
+ description: All actions sharing this key are associated with the same ServiceNow alert. The default value is `:`.
+ metric_name:
+ type: string
+ description: The name of the metric.
+ node:
+ type: string
+ description: The host that the event was triggered for.
+ resource:
+ type: string
+ description: The name of the resource.
+ severity:
+ type: string
+ description: The severity of the event.
+ source:
+ type: string
+ description: The name of the event source type.
+ time_of_event:
+ type: string
+ description: The time of the event.
+ type:
+ type: string
+ description: The type of event.
+ run_closealert:
+ title: The closeAlert subaction
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ description: The `closeAlert` subaction for Opsgenie connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - closeAlert
+ subActionParams:
+ type: object
+ required:
+ - alias
+ properties:
+ alias:
+ type: string
+ description: The unique identifier used for alert deduplication in Opsgenie. The alias must match the value used when creating the alert.
+ note:
+ type: string
+ description: Additional information for the alert.
+ source:
+ type: string
+ description: The display name for the source of the alert.
+ user:
+ type: string
+ description: The display name for the owner.
+ run_closeincident:
+ title: The closeIncident subaction
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ description: The `closeIncident` subaction for ServiceNow ITSM connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - closeIncident
+ subActionParams:
+ type: object
+ required:
+ - incident
+ properties:
+ incident:
+ type: object
+ anyOf:
+ - required:
+ - correlation_id
+ - required:
+ - externalId
+ properties:
+ correlation_id:
+ type: string
+ nullable: true
+ description: |
+ An identifier that is assigned to the incident when it is created by the connector. NOTE: If you use the default value and the rule generates multiple alerts that use the same alert IDs, the latest open incident for this correlation ID is closed unless you specify the external ID.
+ maxLength: 100
+ default: '{{rule.id}}:{{alert.id}}'
+ externalId:
+ type: string
+ nullable: true
+ description: The unique identifier (`incidentId`) for the incident in ServiceNow.
+ run_createalert:
+ title: The createAlert subaction
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ description: The `createAlert` subaction for Opsgenie and TheHive connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - createAlert
+ subActionParams:
+ type: object
+ properties:
+ actions:
+ type: array
+ description: The custom actions available to the alert in Opsgenie connectors.
+ items:
+ type: string
+ alias:
+ type: string
+ description: The unique identifier used for alert deduplication in Opsgenie.
+ description:
+ type: string
+ description: A description that provides detailed information about the alert.
+ details:
+ type: object
+ description: The custom properties of the alert in Opsgenie connectors.
+ additionalProperties: true
+ example:
+ key1: value1
+ key2: value2
+ entity:
+ type: string
+ description: The domain of the alert in Opsgenie connectors. For example, the application or server name.
+ message:
+ type: string
+ description: The alert message in Opsgenie connectors.
+ note:
+ type: string
+ description: Additional information for the alert in Opsgenie connectors.
+ priority:
+ type: string
+ description: The priority level for the alert in Opsgenie connectors.
+ enum:
+ - P1
+ - P2
+ - P3
+ - P4
+ - P5
+ responders:
+ type: array
+ description: |
+ The entities to receive notifications about the alert in Opsgenie connectors. If `type` is `user`, either `id` or `username` is required. If `type` is `team`, either `id` or `name` is required.
+ items:
+ type: object
+ properties:
+ id:
+ type: string
+ description: The identifier for the entity.
+ name:
+ type: string
+ description: The name of the entity.
+ type:
+ type: string
+ description: The type of responders, in this case `escalation`.
+ enum:
+ - escalation
+ - schedule
+ - team
+ - user
+ username:
+ type: string
+ description: A valid email address for the user.
+ severity:
+ type: integer
+ minimum: 1
+ maximum: 4
+ description: |
+ The severity of the incident for TheHive connectors. The value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).
+ source:
+ type: string
+ description: The display name for the source of the alert in Opsgenie and TheHive connectors.
+ sourceRef:
+ type: string
+ description: A source reference for the alert in TheHive connectors.
+ tags:
+ type: array
+ description: The tags for the alert in Opsgenie and TheHive connectors.
+ items:
+ type: string
+ title:
+ type: string
+ description: |
+ A title for the incident for TheHive connectors. It is used for searching the contents of the knowledge base.
+ tlp:
+ type: integer
+ minimum: 0
+ maximum: 4
+ default: 2
+ description: |
+ The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).
+ type:
+ type: string
+ description: The type of alert in TheHive connectors.
+ user:
+ type: string
+ description: The display name for the owner.
+ visibleTo:
+ type: array
+ description: The teams and users that the alert will be visible to without sending a notification. Only one of `id`, `name`, or `username` is required.
+ items:
+ type: object
+ required:
+ - type
+ properties:
+ id:
+ type: string
+ description: The identifier for the entity.
+ name:
+ type: string
+ description: The name of the entity.
+ type:
+ type: string
+ description: Valid values are `team` and `user`.
+ enum:
+ - team
+ - user
+ username:
+ type: string
+ description: The user name. This property is required only when the `type` is `user`.
+ run_fieldsbyissuetype:
+ title: The fieldsByIssueType subaction
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ description: The `fieldsByIssueType` subaction for Jira connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - fieldsByIssueType
+ subActionParams:
+ type: object
+ required:
+ - id
+ properties:
+ id:
+ type: string
+ description: The Jira issue type identifier.
+ example: 10024
+ run_getchoices:
+ title: The getChoices subaction
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ description: The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and ServiceNow SecOps connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - getChoices
+ subActionParams:
+ type: object
+ description: The set of configuration properties for the action.
+ required:
+ - fields
+ properties:
+ fields:
+ type: array
+ description: An array of fields.
+ items:
+ type: string
+ run_getfields:
+ title: The getFields subaction
+ type: object
+ required:
+ - subAction
+ description: The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - getFields
+ run_getincident:
+ title: The getIncident subaction
+ type: object
+ description: The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow SecOps connectors.
+ required:
+ - subAction
+ - subActionParams
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - getIncident
+ subActionParams:
+ type: object
+ required:
+ - externalId
+ properties:
+ externalId:
+ type: string
+ description: The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier.
+ example: 71778
+ run_issue:
+ title: The issue subaction
+ type: object
+ required:
+ - subAction
+ description: The `issue` subaction for Jira connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - issue
+ subActionParams:
+ type: object
+ required:
+ - id
+ properties:
+ id:
+ type: string
+ description: The Jira issue identifier.
+ example: 71778
+ run_issues:
+ title: The issues subaction
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ description: The `issues` subaction for Jira connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - issues
+ subActionParams:
+ type: object
+ required:
+ - title
+ properties:
+ title:
+ type: string
+ description: The title of the Jira issue.
+ run_issuetypes:
+ title: The issueTypes subaction
+ type: object
+ required:
+ - subAction
+ description: The `issueTypes` subaction for Jira connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - issueTypes
+ run_postmessage:
+ title: The postMessage subaction
+ type: object
+ description: |
+ Test an action that sends a message to Slack. It is applicable only when the connector type is `.slack_api`.
+ required:
+ - subAction
+ - subActionParams
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - postMessage
+ subActionParams:
+ type: object
+ description: The set of configuration properties for the action.
+ properties:
+ channelIds:
+ type: array
+ maxItems: 1
+ description: |
+ The Slack channel identifier, which must be one of the `allowedChannels` in the connector configuration.
+ items:
+ type: string
+ channels:
+ type: array
+ deprecated: true
+ description: |
+ The name of a channel that your Slack app has access to.
+ maxItems: 1
+ items:
+ type: string
+ text:
+ type: string
+ description: |
+ The Slack message text. If it is a Slack webhook connector, the text cannot contain Markdown, images, or other advanced formatting. If it is a Slack web API connector, it can contain either plain text or block kit messages.
+ minLength: 1
+ run_pushtoservice:
+ title: The pushToService subaction
+ type: object
+ required:
+ - subAction
+ - subActionParams
+ description: The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - pushToService
+ subActionParams:
+ type: object
+ description: The set of configuration properties for the action.
+ properties:
+ comments:
+ type: array
+ description: Additional information that is sent to Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, or TheHive.
+ items:
+ type: object
+ properties:
+ comment:
+ type: string
+ description: A comment related to the incident. For example, describe how to troubleshoot the issue.
+ commentId:
+ type: integer
+ description: A unique identifier for the comment.
+ incident:
+ type: object
+ description: Information necessary to create or update a Jira, ServiceNow ITSM, ServiveNow SecOps, Swimlane, or TheHive incident.
+ properties:
+ additional_fields:
+ type: string
+ nullable: true
+ maxLength: 20
+ description: |
+ Additional fields for ServiceNow ITSM and ServiveNow SecOps connectors. The fields must exist in the Elastic ServiceNow application and must be specified in JSON format.
+ alertId:
+ type: string
+ description: The alert identifier for Swimlane connectors.
+ caseId:
+ type: string
+ description: The case identifier for the incident for Swimlane connectors.
+ caseName:
+ type: string
+ description: The case name for the incident for Swimlane connectors.
+ category:
+ type: string
+ description: The category of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
+ correlation_display:
+ type: string
+ description: A descriptive label of the alert for correlation purposes for ServiceNow ITSM and ServiceNow SecOps connectors.
+ correlation_id:
+ type: string
+ description: |
+ The correlation identifier for the security incident for ServiceNow ITSM and ServiveNow SecOps connectors. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as `{{ruleID}}:{{alert ID}}` to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters. NOTE: Using the default configuration of `{{ruleID}}:{{alert ID}}` ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.
+ description:
+ type: string
+ description: The description of the incident for Jira, ServiceNow ITSM, ServiceNow SecOps, Swimlane, TheHive, and Webhook - Case Management connectors.
+ dest_ip:
+ description: |
+ A list of destination IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
+ oneOf:
+ - type: string
+ - type: array
+ items:
+ type: string
+ externalId:
+ type: string
+ description: |
+ The Jira, ServiceNow ITSM, or ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
+ id:
+ type: string
+ description: The external case identifier for Webhook - Case Management connectors.
+ impact:
+ type: string
+ description: The impact of the incident for ServiceNow ITSM connectors.
+ issueType:
+ type: integer
+ description: The type of incident for Jira connectors. For example, 10006. To obtain the list of valid values, set `subAction` to `issueTypes`.
+ labels:
+ type: array
+ items:
+ type: string
+ description: |
+ The labels for the incident for Jira connectors. NOTE: Labels cannot contain spaces.
+ malware_hash:
+ description: A list of malware hashes related to the security incident for ServiceNow SecOps connectors. The hashes are added as observables to the security incident.
+ oneOf:
+ - type: string
+ - type: array
+ items:
+ type: string
+ malware_url:
+ type: string
+ description: A list of malware URLs related to the security incident for ServiceNow SecOps connectors. The URLs are added as observables to the security incident.
+ oneOf:
+ - type: string
+ - type: array
+ items:
+ type: string
+ otherFields:
+ type: object
+ additionalProperties: true
+ maxProperties: 20
+ description: |
+ Custom field identifiers and their values for Jira connectors.
+ parent:
+ type: string
+ description: The ID or key of the parent issue for Jira connectors. Applies only to `Sub-task` types of issues.
+ priority:
+ type: string
+ description: The priority of the incident in Jira and ServiceNow SecOps connectors.
+ ruleName:
+ type: string
+ description: The rule name for Swimlane connectors.
+ severity:
+ type: integer
+ description: |
+ The severity of the incident for ServiceNow ITSM, Swimlane, and TheHive connectors. In TheHive connectors, the severity value ranges from 1 (low) to 4 (critical) with a default value of 2 (medium).
+ short_description:
+ type: string
+ description: |
+ A short description of the incident for ServiceNow ITSM and ServiceNow SecOps connectors. It is used for searching the contents of the knowledge base.
+ source_ip:
+ description: A list of source IP addresses related to the security incident for ServiceNow SecOps connectors. The IPs are added as observables to the security incident.
+ oneOf:
+ - type: string
+ - type: array
+ items:
+ type: string
+ status:
+ type: string
+ description: The status of the incident for Webhook - Case Management connectors.
+ subcategory:
+ type: string
+ description: The subcategory of the incident for ServiceNow ITSM and ServiceNow SecOps connectors.
+ summary:
+ type: string
+ description: A summary of the incident for Jira connectors.
+ tags:
+ type: array
+ items:
+ type: string
+ description: A list of tags for TheHive and Webhook - Case Management connectors.
+ title:
+ type: string
+ description: |
+ A title for the incident for Jira, TheHive, and Webhook - Case Management connectors. It is used for searching the contents of the knowledge base.
+ tlp:
+ type: integer
+ minimum: 0
+ maximum: 4
+ default: 2
+ description: |
+ The traffic light protocol designation for the incident in TheHive connectors. Valid values include: 0 (clear), 1 (green), 2 (amber), 3 (amber and strict), and 4 (red).
+ urgency:
+ type: string
+ description: The urgency of the incident for ServiceNow ITSM connectors.
+ run_validchannelid:
+ title: The validChannelId subaction
+ type: object
+ description: |
+ Retrieves information about a valid Slack channel identifier. It is applicable only when the connector type is `.slack_api`.
+ required:
+ - subAction
+ - subActionParams
+ properties:
+ subAction:
+ type: string
+ description: The action to test.
+ enum:
+ - validChannelId
+ subActionParams:
+ type: object
+ required:
+ - channelId
+ properties:
+ channelId:
+ type: string
+ description: The Slack channel identifier.
+ example: C123ABC456
+ params_property_apm_anomaly:
+ required:
+ - windowSize
+ - windowUnit
+ - environment
+ - anomalySeverityType
+ properties:
+ serviceName:
+ type: string
+ description: The service name from APM
+ transactionType:
+ type: string
+ description: The transaction type from APM
+ windowSize:
+ type: number
+ example: 6
+ description: The window size
+ windowUnit:
+ type: string
+ description: The window size unit
+ enum:
+ - m
+ - h
+ - d
+ environment:
+ type: string
+ description: The environment from APM
+ anomalySeverityType:
+ type: string
+ description: The anomaly threshold value
+ enum:
+ - critical
+ - major
+ - minor
+ - warning
+ params_property_apm_error_count:
+ required:
+ - windowSize
+ - windowUnit
+ - threshold
+ - environment
+ properties:
+ serviceName:
+ type: string
+ description: The service name from APM
+ windowSize:
+ type: number
+ description: The window size
+ example: 6
+ windowUnit:
+ type: string
+ description: The window size unit
+ enum:
+ - m
+ - h
+ - d
+ environment:
+ type: string
+ description: The environment from APM
+ threshold:
+ type: number
+ description: The error count threshold value
+ groupBy:
+ type: array
+ default:
+ - service.name
+ - service.environment
+ uniqueItems: true
+ items:
+ type: string
+ enum:
+ - service.name
+ - service.environment
+ - transaction.name
+ - error.grouping_key
+ errorGroupingKey:
+ type: string
+ params_property_apm_transaction_duration:
+ required:
+ - windowSize
+ - windowUnit
+ - threshold
+ - environment
+ - aggregationType
+ properties:
+ serviceName:
+ type: string
+ description: The service name from APM
+ transactionType:
+ type: string
+ description: The transaction type from APM
+ transactionName:
+ type: string
+ description: The transaction name from APM
+ windowSize:
+ type: number
+ description: The window size
+ example: 6
+ windowUnit:
+ type: string
+ description: ç
+ enum:
+ - m
+ - h
+ - d
+ environment:
+ type: string
+ threshold:
+ type: number
+ description: The latency threshold value
+ groupBy:
+ type: array
+ default:
+ - service.name
+ - service.environment
+ - transaction.type
+ uniqueItems: true
+ items:
+ type: string
+ enum:
+ - service.name
+ - service.environment
+ - transaction.type
+ - transaction.name
+ aggregationType:
+ type: string
+ enum:
+ - avg
+ - 95th
+ - 99th
+ params_property_apm_transaction_error_rate:
+ required:
+ - windowSize
+ - windowUnit
+ - threshold
+ - environment
+ properties:
+ serviceName:
+ type: string
+ description: The service name from APM
+ transactionType:
+ type: string
+ description: The transaction type from APM
+ transactionName:
+ type: string
+ description: The transaction name from APM
+ windowSize:
+ type: number
+ description: The window size
+ example: 6
+ windowUnit:
+ type: string
+ description: The window size unit
+ enum:
+ - m
+ - h
+ - d
+ environment:
+ type: string
+ description: The environment from APM
+ threshold:
+ type: number
+ description: The error rate threshold value
+ groupBy:
+ type: array
+ default:
+ - service.name
+ - service.environment
+ - transaction.type
+ uniqueItems: true
+ items:
+ type: string
+ enum:
+ - service.name
+ - service.environment
+ - transaction.type
+ - transaction.name
+ aggfield:
+ description: |
+ The name of the numeric field that is used in the aggregation. This property is required when `aggType` is `avg`, `max`, `min` or `sum`.
+ type: string
+ aggtype:
+ description: The type of aggregation to perform.
+ type: string
+ enum:
+ - avg
+ - count
+ - max
+ - min
+ - sum
+ default: count
+ excludehitsfrompreviousrun:
+ description: |
+ Indicates whether to exclude matches from previous runs. If `true`, you can avoid alert duplication by excluding documents that have already been detected by the previous rule run. This option is not available when a grouping field is specified.
+ type: boolean
+ groupby:
+ description: |
+ Indicates whether the aggregation is applied over all documents (`all`) or split into groups (`top`) using a grouping field (`termField`). If grouping is used, an alert will be created for each group when it exceeds the threshold; only the top groups (up to `termSize` number of groups) are checked.
+ type: string
+ enum:
+ - all
+ - top
+ default: all
+ size:
+ description: |
+ The number of documents to pass to the configured actions when the threshold condition is met.
+ type: integer
+ termfield:
+ description: |
+ The names of up to four fields that are used for grouping the aggregation. This property is required when `groupBy` is `top`.
+ oneOf:
+ - type: string
+ - type: array
+ items:
+ type: string
+ maxItems: 4
+ termsize:
+ description: |
+ This property is required when `groupBy` is `top`. It specifies the number of groups to check against the threshold and therefore limits the number of alerts on high cardinality fields.
+ type: integer
+ threshold:
+ description: |
+ The threshold value that is used with the `thresholdComparator`. If the `thresholdComparator` is `between` or `notBetween`, you must specify the boundary values.
+ type: array
+ items:
+ type: integer
+ example: 4000
+ thresholdcomparator:
+ description: The comparison function for the threshold. For example, "is above", "is above or equals", "is below", "is below or equals", "is between", and "is not between".
+ type: string
+ enum:
+ - '>'
+ - '>='
+ - <
+ - <=
+ - between
+ - notBetween
+ example: '>'
+ timefield:
+ description: The field that is used to calculate the time window.
+ type: string
+ timewindowsize:
+ description: |
+ The size of the time window (in `timeWindowUnit` units), which determines how far back to search for documents. Generally it should be a value higher than the rule check interval to avoid gaps in detection.
+ type: integer
+ example: 5
+ timewindowunit:
+ description: |
+ The type of units for the time window: seconds, minutes, hours, or days.
+ type: string
+ enum:
+ - s
+ - m
+ - h
+ - d
+ example: m
+ params_es_query_dsl_rule:
+ title: Elasticsearch DSL query rule params
+ description: |
+ An Elasticsearch query rule can run a query defined in Elasticsearch Query DSL and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.
+ type: object
+ required:
+ - esQuery
+ - index
+ - threshold
+ - thresholdComparator
+ - timeField
+ - timeWindowSize
+ - timeWindowUnit
+ properties:
+ aggField:
+ $ref: '#/components/schemas/aggfield'
+ aggType:
+ $ref: '#/components/schemas/aggtype'
+ esQuery:
+ description: The query definition, which uses Elasticsearch Query DSL.
+ type: string
+ excludeHitsFromPreviousRun:
+ $ref: '#/components/schemas/excludehitsfrompreviousrun'
+ groupBy:
+ $ref: '#/components/schemas/groupby'
+ index:
+ description: The indices to query.
+ oneOf:
+ - type: array
+ items:
+ type: string
+ - type: string
+ searchType:
+ description: The type of query, in this case a query that uses Elasticsearch Query DSL.
+ type: string
+ enum:
+ - esQuery
+ default: esQuery
+ example: esQuery
+ size:
+ $ref: '#/components/schemas/size'
+ termField:
+ $ref: '#/components/schemas/termfield'
+ termSize:
+ $ref: '#/components/schemas/termsize'
+ threshold:
+ $ref: '#/components/schemas/threshold'
+ thresholdComparator:
+ $ref: '#/components/schemas/thresholdcomparator'
+ timeField:
+ $ref: '#/components/schemas/timefield'
+ timeWindowSize:
+ $ref: '#/components/schemas/timewindowsize'
+ timeWindowUnit:
+ $ref: '#/components/schemas/timewindowunit'
+ params_es_query_esql_rule:
+ title: Elasticsearch ES|QL query rule params
+ description: |
+ An Elasticsearch query rule can run an ES|QL query and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.
+ type: object
+ required:
+ - esqlQuery
+ - searchType
+ - size
+ - threshold
+ - thresholdComparator
+ - timeWindowSize
+ - timeWindowUnit
+ properties:
+ aggField:
+ $ref: '#/components/schemas/aggfield'
+ aggType:
+ $ref: '#/components/schemas/aggtype'
+ esqlQuery:
+ type: object
+ required:
+ - esql
+ properties:
+ esql:
+ description: The query definition, which uses Elasticsearch Query Language.
+ type: string
+ excludeHitsFromPreviousRun:
+ $ref: '#/components/schemas/excludehitsfrompreviousrun'
+ groupBy:
+ $ref: '#/components/schemas/groupby'
+ searchType:
+ description: The type of query, in this case a query that uses Elasticsearch Query Language (ES|QL).
+ type: string
+ enum:
+ - esqlQuery
+ example: esqlQuery
+ size:
+ type: integer
+ description: |
+ When `searchType` is `esqlQuery`, this property is required but it does not affect the rule behavior.
+ example: 0
+ termSize:
+ $ref: '#/components/schemas/termsize'
+ threshold:
+ type: array
+ items:
+ type: integer
+ minimum: 0
+ maximum: 0
+ description: |
+ The threshold value that is used with the `thresholdComparator`. When `searchType` is `esqlQuery`, this property is required and must be set to zero.
+ thresholdComparator:
+ type: string
+ description: |
+ The comparison function for the threshold. When `searchType` is `esqlQuery`, this property is required and must be set to ">". Since the `threshold` value must be `0`, the result is that an alert occurs whenever the query returns results.
+ enum:
+ - '>'
+ example: '>'
+ timeField:
+ $ref: '#/components/schemas/timefield'
+ timeWindowSize:
+ $ref: '#/components/schemas/timewindowsize'
+ timeWindowUnit:
+ $ref: '#/components/schemas/timewindowunit'
+ filter:
+ type: object
+ description: A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.
+ properties:
+ meta:
+ type: object
+ properties:
+ alias:
+ type: string
+ nullable: true
+ controlledBy:
+ type: string
+ disabled:
+ type: boolean
+ field:
+ type: string
+ group:
+ type: string
+ index:
+ type: string
+ isMultiIndex:
+ type: boolean
+ key:
+ type: string
+ negate:
+ type: boolean
+ params:
+ type: object
+ type:
+ type: string
+ value:
+ type: string
+ query:
+ type: object
+ $state:
+ type: object
+ params_es_query_kql_rule:
+ title: Elasticsearch KQL query rule params
+ description: |
+ An Elasticsearch query rule can run a query defined in KQL or Lucene and compare the number of matches to a configured threshold. These parameters are appropriate when `rule_type_id` is `.es-query`.
+ type: object
+ required:
+ - searchType
+ - size
+ - threshold
+ - thresholdComparator
+ - timeWindowSize
+ - timeWindowUnit
+ properties:
+ aggField:
+ $ref: '#/components/schemas/aggfield'
+ aggType:
+ $ref: '#/components/schemas/aggtype'
+ excludeHitsFromPreviousRun:
+ $ref: '#/components/schemas/excludehitsfrompreviousrun'
+ groupBy:
+ $ref: '#/components/schemas/groupby'
+ searchConfiguration:
+ description: The query definition, which uses KQL or Lucene to fetch the documents from Elasticsearch.
+ type: object
+ properties:
+ filter:
+ type: array
+ items:
+ $ref: '#/components/schemas/filter'
+ index:
+ description: The indices to query.
+ oneOf:
+ - type: string
+ - type: array
+ items:
+ type: string
+ query:
+ type: object
+ properties:
+ language:
+ type: string
+ example: kuery
+ query:
+ type: string
+ searchType:
+ description: The type of query, in this case a text-based query that uses KQL or Lucene.
+ type: string
+ enum:
+ - searchSource
+ example: searchSource
+ size:
+ $ref: '#/components/schemas/size'
+ termField:
+ $ref: '#/components/schemas/termfield'
+ termSize:
+ $ref: '#/components/schemas/termsize'
+ threshold:
+ $ref: '#/components/schemas/threshold'
+ thresholdComparator:
+ $ref: '#/components/schemas/thresholdcomparator'
+ timeField:
+ $ref: '#/components/schemas/timefield'
+ timeWindowSize:
+ $ref: '#/components/schemas/timewindowsize'
+ timeWindowUnit:
+ $ref: '#/components/schemas/timewindowunit'
+ params_index_threshold_rule:
+ title: Index threshold rule params
+ description: An index threshold rule runs an Elasticsearch query, aggregates field values from documents, compares them to threshold values, and schedules actions to run when the thresholds are met. These parameters are appropriate when `rule_type_id` is `.index-threshold`.
+ type: object
+ required:
+ - index
+ - threshold
+ - thresholdComparator
+ - timeField
+ - timeWindowSize
+ - timeWindowUnit
+ properties:
+ aggField:
+ $ref: '#/components/schemas/aggfield'
+ aggType:
+ $ref: '#/components/schemas/aggtype'
+ filterKuery:
+ description: A KQL expression thats limits the scope of alerts.
+ type: string
+ groupBy:
+ $ref: '#/components/schemas/groupby'
+ index:
+ description: The indices to query.
+ type: array
+ items:
+ type: string
+ termField:
+ $ref: '#/components/schemas/termfield'
+ termSize:
+ $ref: '#/components/schemas/termsize'
+ threshold:
+ $ref: '#/components/schemas/threshold'
+ thresholdComparator:
+ $ref: '#/components/schemas/thresholdcomparator'
+ timeField:
+ $ref: '#/components/schemas/timefield'
+ timeWindowSize:
+ $ref: '#/components/schemas/timewindowsize'
+ timeWindowUnit:
+ $ref: '#/components/schemas/timewindowunit'
+ params_property_infra_inventory:
+ properties:
+ criteria:
+ type: array
+ items:
+ type: object
+ properties:
+ metric:
+ type: string
+ enum:
+ - count
+ - cpu
+ - diskLatency
+ - load
+ - memory
+ - memoryTotal
+ - tx
+ - rx
+ - logRate
+ - diskIOReadBytes
+ - diskIOWriteBytes
+ - s3TotalRequests
+ - s3NumberOfObjects
+ - s3BucketSize
+ - s3DownloadBytes
+ - s3UploadBytes
+ - rdsConnections
+ - rdsQueriesExecuted
+ - rdsActiveTransactions
+ - rdsLatency
+ - sqsMessagesVisible
+ - sqsMessagesDelayed
+ - sqsMessagesSent
+ - sqsMessagesEmpty
+ - sqsOldestMessage
+ - custom
+ timeSize:
+ type: number
+ timeUnit:
+ type: string
+ enum:
+ - s
+ - m
+ - h
+ - d
+ sourceId:
+ type: string
+ threshold:
+ type: array
+ items:
+ type: number
+ comparator:
+ type: string
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ customMetric:
+ type: object
+ properties:
+ type:
+ type: string
+ enum:
+ - custom
+ field:
+ type: string
+ aggregation:
+ type: string
+ enum:
+ - avg
+ - max
+ - min
+ - rate
+ id:
+ type: string
+ label:
+ type: string
+ warningThreshold:
+ type: array
+ items:
+ type: number
+ warningComparator:
+ type: string
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ filterQuery:
+ type: string
+ filterQueryText:
+ type: string
+ nodeType:
+ type: string
+ enum:
+ - host
+ - pod
+ - container
+ - awsEC2
+ - awsS3
+ - awsSQS
+ - awsRDS
+ sourceId:
+ type: string
+ alertOnNoData:
+ type: boolean
+ params_property_log_threshold:
+ oneOf:
+ - title: Count
+ type: object
+ required:
+ - count
+ - timeSize
+ - timeUnit
+ - logView
+ properties:
+ criteria:
+ type: array
+ items:
+ type: object
+ properties:
+ field:
+ type: string
+ example: my.field
+ comparator:
+ type: string
+ enum:
+ - more than
+ - more than or equals
+ - less than
+ - less than or equals
+ - equals
+ - does not equal
+ - matches
+ - does not match
+ - matches phrase
+ - does not match phrase
+ value:
+ oneOf:
+ - type: number
+ example: 42
+ - type: string
+ example: value
+ count:
+ type: object
+ properties:
+ comparator:
+ type: string
+ enum:
+ - more than
+ - more than or equals
+ - less than
+ - less than or equals
+ - equals
+ - does not equal
+ - matches
+ - does not match
+ - matches phrase
+ - does not match phrase
+ value:
+ type: number
+ example: 100
+ timeSize:
+ type: number
+ example: 6
+ timeUnit:
+ type: string
+ enum:
+ - s
+ - m
+ - h
+ - d
+ logView:
+ type: object
+ properties:
+ logViewId:
+ type: string
+ type:
+ type: string
+ enum:
+ - log-view-reference
+ example: log-view-reference
+ groupBy:
+ type: array
+ items:
+ type: string
+ - title: Ratio
+ type: object
+ required:
+ - count
+ - timeSize
+ - timeUnit
+ - logView
+ properties:
+ criteria:
+ type: array
+ items:
+ minItems: 2
+ maxItems: 2
+ type: array
+ items:
+ type: object
+ properties:
+ field:
+ type: string
+ example: my.field
+ comparator:
+ type: string
+ enum:
+ - more than
+ - more than or equals
+ - less than
+ - less than or equals
+ - equals
+ - does not equal
+ - matches
+ - does not match
+ - matches phrase
+ - does not match phrase
+ value:
+ oneOf:
+ - type: number
+ example: 42
+ - type: string
+ example: value
+ count:
+ type: object
+ properties:
+ comparator:
+ type: string
+ enum:
+ - more than
+ - more than or equals
+ - less than
+ - less than or equals
+ - equals
+ - does not equal
+ - matches
+ - does not match
+ - matches phrase
+ - does not match phrase
+ value:
+ type: number
+ example: 100
+ timeSize:
+ type: number
+ example: 6
+ timeUnit:
+ type: string
+ enum:
+ - s
+ - m
+ - h
+ - d
+ logView:
+ type: object
+ properties:
+ logViewId:
+ type: string
+ type:
+ type: string
+ enum:
+ - log-view-reference
+ example: log-view-reference
+ groupBy:
+ type: array
+ items:
+ type: string
+ params_property_infra_metric_threshold:
+ properties:
+ criteria:
+ type: array
+ items:
+ oneOf:
+ - title: non count criterion
+ type: object
+ properties:
+ threshold:
+ type: array
+ items:
+ type: number
+ comparator:
+ type: string
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ timeUnit:
+ type: string
+ timeSize:
+ type: number
+ warningThreshold:
+ type: array
+ items:
+ type: number
+ warningComparator:
+ type: string
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ metric:
+ type: string
+ aggType:
+ type: string
+ enum:
+ - avg
+ - max
+ - min
+ - cardinality
+ - rate
+ - count
+ - sum
+ - p95
+ - p99
+ - custom
+ - title: count criterion
+ type: object
+ properties:
+ threshold:
+ type: array
+ items:
+ type: number
+ comparator:
+ type: string
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ timeUnit:
+ type: string
+ timeSize:
+ type: number
+ warningThreshold:
+ type: array
+ items:
+ type: number
+ warningComparator:
+ type: string
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ aggType:
+ type: string
+ enum:
+ - count
+ - title: custom criterion
+ type: object
+ properties:
+ threshold:
+ type: array
+ items:
+ type: number
+ comparator:
+ type: string
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ timeUnit:
+ type: string
+ timeSize:
+ type: number
+ warningThreshold:
+ type: array
+ items:
+ type: number
+ warningComparator:
+ type: string
+ enum:
+ - <
+ - <=
+ - '>'
+ - '>='
+ - between
+ - outside
+ aggType:
+ type: string
+ enum:
+ - custom
+ customMetric:
+ type: array
+ items:
+ oneOf:
+ - type: object
+ properties:
+ name:
+ type: string
+ aggType:
+ type: string
+ enum:
+ - avg
+ - sum
+ - max
+ - min
+ - cardinality
+ field:
+ type: string
+ - type: object
+ properties:
+ name:
+ type: string
+ aggType:
+ type: string
+ enum:
+ - count
+ filter:
+ type: string
+ equation:
+ type: string
+ label:
+ type: string
+ groupBy:
+ oneOf:
+ - type: string
+ - type: array
+ items:
+ type: string
+ filterQuery:
+ type: string
+ sourceId:
+ type: string
+ alertOnNoData:
+ type: boolean
+ alertOnGroupDisappear:
+ type: boolean
+ params_property_slo_burn_rate:
+ properties:
+ sloId:
+ description: The SLO identifier used by the rule
+ type: string
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258
+ burnRateThreshold:
+ description: The burn rate threshold used to trigger the alert
+ type: number
+ example: 14.4
+ maxBurnRateThreshold:
+ description: The maximum burn rate threshold value defined by the SLO error budget
+ type: number
+ example: 168
+ longWindow:
+ description: The duration of the long window used to compute the burn rate
+ type: object
+ properties:
+ value:
+ description: The duration value
+ type: number
+ example: 6
+ unit:
+ description: The duration unit
+ type: string
+ example: h
+ shortWindow:
+ description: The duration of the short window used to compute the burn rate
+ type: object
+ properties:
+ value:
+ description: The duration value
+ type: number
+ example: 30
+ unit:
+ description: The duration unit
+ type: string
+ example: m
+ params_property_synthetics_uptime_tls:
+ properties:
+ search:
+ type: string
+ certExpirationThreshold:
+ type: number
+ certAgeThreshold:
+ type: number
+ params_property_synthetics_monitor_status:
+ required:
+ - numTimes
+ - shouldCheckStatus
+ - shouldCheckAvailability
+ properties:
+ availability:
+ type: object
+ properties:
+ range:
+ type: number
+ rangeUnit:
+ type: string
+ threshold:
+ type: string
+ filters:
+ oneOf:
+ - type: string
+ - type: object
+ deprecated: true
+ properties:
+ monitor.type:
+ type: array
+ items:
+ type: string
+ observer.geo.name:
+ type: array
+ items:
+ type: string
+ tags:
+ type: array
+ items:
+ type: string
+ url.port:
+ type: array
+ items:
+ type: string
+ locations:
+ deprecated: true
+ type: array
+ items:
+ type: string
+ numTimes:
+ type: number
+ search:
+ type: string
+ shouldCheckStatus:
+ type: boolean
+ shouldCheckAvailability:
+ type: boolean
+ timerangeCount:
+ type: number
+ timerangeUnit:
+ type: string
+ timerange:
+ deprecated: true
+ type: object
+ properties:
+ from:
+ type: string
+ to:
+ type: string
+ version:
+ type: number
+ isAutoGenerated:
+ type: boolean
+ securitySchemes:
+ apiKeyAuth:
+ description: You must create an API key and use the encoded value in the request header. To learn about creating keys, go to [API keys](https://www.elastic.co/docs/current/serverless/api-keys).
+ in: header
+ name: Authorization
+ type: apiKey
diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml
index f8036f9ecdd9a..3d0b0f5d8ca17 100644
--- a/oas_docs/output/kibana.yaml
+++ b/oas_docs/output/kibana.yaml
@@ -43884,19 +43884,23 @@ components:
properties:
frequency:
default: 1m
- description: Configure how often the transform runs, default 1m
+ description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
example: 5m
type: string
preventInitialBackfill:
default: false
- description: Prevents the transform from backfilling data when it starts.
+ description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
example: true
type: boolean
syncDelay:
default: 1m
- description: The synch delay to apply to the transform. Default 1m
+ description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.
example: 5m
type: string
+ syncField:
+ description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
+ example: event.ingested
+ type: string
title: Settings
type: object
SLOs_slo_definition_response:
diff --git a/x-pack/packages/kbn-slo-schema/src/schema/slo.ts b/x-pack/packages/kbn-slo-schema/src/schema/slo.ts
index 0576f1cf328eb..c292d355b4867 100644
--- a/x-pack/packages/kbn-slo-schema/src/schema/slo.ts
+++ b/x-pack/packages/kbn-slo-schema/src/schema/slo.ts
@@ -27,16 +27,26 @@ const objectiveSchema = t.intersection([
t.partial({ timesliceTarget: t.number, timesliceWindow: durationType }),
]);
-const settingsSchema = t.type({
+const settingsSchema = t.intersection([
+ t.type({
+ syncDelay: durationType,
+ frequency: durationType,
+ preventInitialBackfill: t.boolean,
+ }),
+ t.partial({ syncField: t.union([t.string, t.null]) }),
+]);
+
+const groupBySchema = allOrAnyStringOrArray;
+
+const optionalSettingsSchema = t.partial({
syncDelay: durationType,
frequency: durationType,
preventInitialBackfill: t.boolean,
+ syncField: t.union([t.string, t.null]),
});
-const groupBySchema = allOrAnyStringOrArray;
-
-const optionalSettingsSchema = t.partial({ ...settingsSchema.props });
const tagsSchema = t.array(t.string);
+
// id cannot contain special characters and spaces
const sloIdSchema = new t.Type(
'sloIdSchema',
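Review bot: `syncField` is declared as `t.union([t.string, t.null])` in both the required `settingsSchema` intersection and the new hand-written `optionalSettingsSchema`, but the OpenAPI component for the same property in this patch (`components/schemas/settings.yaml`) is plain `type: string` with no `nullable: true`, so a client generated from the spec cannot send the `null` the server accepts; either add `nullable: true` to the spec or drop `t.null` here. The schema also accepts the empty string, and since this is a user-supplied field name that presumably ends up in the transform's sync configuration, rejecting empty or whitespace-only names at the API boundary (a refinement on `t.string` that fails on `''`) would give a clearer error than whatever the downstream call produces. Finally, `optionalSettingsSchema` used to be derived from `settingsSchema.props` and is now a second copy of the same four keys that can drift; a comment such as `// Keep in sync with settingsSchema above` would at least flag that.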
diff --git a/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.json b/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.json
index 4018a4957b9ab..915fa9e108d4a 100644
--- a/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.json
+++ b/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.json
@@ -1647,20 +1647,25 @@
"description": "Defines properties for SLO settings.",
"type": "object",
"properties": {
+ "syncField": {
+ "description": "The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.",
+ "type": "string",
+ "example": "event.ingested"
+ },
"syncDelay": {
- "description": "The synch delay to apply to the transform. Default 1m",
+ "description": "The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.",
"type": "string",
"default": "1m",
"example": "5m"
},
"frequency": {
- "description": "Configure how often the transform runs, default 1m",
+ "description": "The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.",
"type": "string",
"default": "1m",
"example": "5m"
},
"preventInitialBackfill": {
- "description": "Prevents the transform from backfilling data when it starts.",
+ "description": "Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.",
"type": "boolean",
"default": false,
"example": true
diff --git a/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.yaml b/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.yaml
index a1780acc3e008..96d63163b1d51 100644
--- a/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.yaml
+++ b/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.yaml
@@ -1137,18 +1137,22 @@ components:
description: Defines properties for SLO settings.
type: object
properties:
+ syncField:
+ description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
+ type: string
+ example: event.ingested
syncDelay:
- description: The synch delay to apply to the transform. Default 1m
+ description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.
type: string
default: 1m
example: 5m
frequency:
- description: Configure how often the transform runs, default 1m
+ description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
type: string
default: 1m
example: 5m
preventInitialBackfill:
- description: Prevents the transform from backfilling data when it starts.
+ description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
type: boolean
default: false
example: true
diff --git a/x-pack/plugins/observability_solution/slo/docs/openapi/slo/components/schemas/settings.yaml b/x-pack/plugins/observability_solution/slo/docs/openapi/slo/components/schemas/settings.yaml
index a50ce0c28c136..e811e18734d51 100644
--- a/x-pack/plugins/observability_solution/slo/docs/openapi/slo/components/schemas/settings.yaml
+++ b/x-pack/plugins/observability_solution/slo/docs/openapi/slo/components/schemas/settings.yaml
@@ -2,18 +2,22 @@ title: Settings
description: Defines properties for SLO settings.
type: object
properties:
+ syncField:
+ description: The date field that is used to identify new documents in the source. It is strongly recommended to use a field that contains the ingest timestamp. If you use a different field, you might need to set the delay such that it accounts for data transmission delays. When unspecified, we use the indicator timestamp field.
+ type: string
+ example: 'event.ingested'
syncDelay:
- description: The synch delay to apply to the transform. Default 1m
+ description: The time delay in minutes between the current time and the latest source data time. Increasing the value will delay any alerting. The default value is 1 minute. The minimum value is 1m and the maximum is 359m. It should always be greater then source index refresh interval.
type: string
default: 1m
example: 5m
frequency:
- description: Configure how often the transform runs, default 1m
+ description: The interval between checks for changes in the source data. The minimum value is 1m and the maximum is 59m. The default value is 1 minute.
type: string
default: 1m
example: 5m
preventInitialBackfill:
- description: Prevents the transform from backfilling data when it starts.
+ description: Start aggregating data from the time the SLO is created, instead of backfilling data from the beginning of the time window.
type: boolean
default: false
example: true
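Review bot: The new `syncDelay` description says "The time delay in minutes" while the property is a duration string (`default: 1m`, `example: 5m`), and "greater then" is a typo; the same sentence is copied into the generated `kibana.yaml`, `bundled.json` and `bundled.yaml`, so fixing it here and regenerating avoids three more copies. Suggested text: `description: The delay between the current time and the latest source data time, expressed as a duration (for example 5m). Increasing the value delays any alerting. The default is 1m; the minimum is 1m and the maximum is 359m. It should always be greater than the source index refresh interval.` The `syncField` description should also state that the field must be a date-typed field, since it is only described as "the date field" in passing.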
diff --git a/x-pack/plugins/observability_solution/slo/docs/openapi/slo/entrypoint.yaml b/x-pack/plugins/observability_solution/slo/docs/openapi/slo/entrypoint.yaml
index 008d063919815..413540ecb96c6 100644
--- a/x-pack/plugins/observability_solution/slo/docs/openapi/slo/entrypoint.yaml
+++ b/x-pack/plugins/observability_solution/slo/docs/openapi/slo/entrypoint.yaml
@@ -33,17 +33,3 @@ paths:
# $ref: "paths/s@{spaceid}@api@slos@_definitions.yaml"
"/s/{spaceId}/api/observability/slos/_delete_instances":
$ref: "paths/s@{spaceid}@api@slos@_delete_instances.yaml"
-# Security is defined when files are joined in oas_docs
-# components:
-# securitySchemes:
-# basicAuth:
-# type: http
-# scheme: basic
-# apiKeyAuth:
-# type: apiKey
-# in: header
-# name: Authorization
-# description: 'e.g. Authorization: ApiKey base64AccessApiKey'
-# security:
-# - basicAuth: []
-# - apiKeyAuth: []
diff --git a/x-pack/plugins/observability_solution/slo/public/data/slo/slo.ts b/x-pack/plugins/observability_solution/slo/public/data/slo/slo.ts
index ce50190eb7adf..0fccc4deb0f8b 100644
--- a/x-pack/plugins/observability_solution/slo/public/data/slo/slo.ts
+++ b/x-pack/plugins/observability_solution/slo/public/data/slo/slo.ts
@@ -39,6 +39,7 @@ const baseSlo: Omit = {
good: 'http_status: 2xx',
total: 'a query',
timestampField: 'custom_timestamp',
+ dataViewId: 'some-data-view-id',
},
},
timeWindow: {
diff --git a/x-pack/plugins/observability_solution/slo/public/locators/slo_edit.test.ts b/x-pack/plugins/observability_solution/slo/public/locators/slo_edit.test.ts
index 40fcae8c840ee..55305a4a3719b 100644
--- a/x-pack/plugins/observability_solution/slo/public/locators/slo_edit.test.ts
+++ b/x-pack/plugins/observability_solution/slo/public/locators/slo_edit.test.ts
@@ -11,16 +11,21 @@ import { SloEditLocatorDefinition } from './slo_edit';
describe('SloEditLocator', () => {
const locator = new SloEditLocatorDefinition();
- it('should return correct url when empty params are provided', async () => {
+ it('returns the correct url when empty params are provided', async () => {
const location = await locator.getLocation({});
expect(location.app).toEqual('slo');
expect(location.path).toEqual('/create?_a=()');
});
- it('should return correct url when slo is provided', async () => {
- const location = await locator.getLocation(buildSlo({ id: 'foo' }));
+ it('returns the correct url when slo id is provided', async () => {
+ const location = await locator.getLocation({ id: 'existing-slo-id' });
+ expect(location.path).toEqual('/edit/existing-slo-id');
+ });
+
+ it('returns the correct url when partial slo input is provided', async () => {
+ const location = await locator.getLocation(buildSlo({ id: undefined }));
expect(location.path).toEqual(
- "/edit/foo?_a=(budgetingMethod:occurrences,createdAt:'2022-12-29T10:11:12.000Z',description:'some%20description%20useful',enabled:!t,groupBy:'*',groupings:(),id:foo,indicator:(params:(filter:'baz:%20foo%20and%20bar%20%3E%202',good:'http_status:%202xx',index:some-index,timestampField:custom_timestamp,total:'a%20query'),type:sli.kql.custom),instanceId:'*',meta:(),name:'super%20important%20level%20service',objective:(target:0.98),revision:1,settings:(frequency:'1m',preventInitialBackfill:!f,syncDelay:'1m'),summary:(errorBudget:(consumed:0.064,initial:0.02,isEstimated:!f,remaining:0.936),fiveMinuteBurnRate:0,oneDayBurnRate:0,oneHourBurnRate:0,sliValue:0.99872,status:HEALTHY),tags:!(k8s,production,critical),timeWindow:(duration:'30d',type:rolling),updatedAt:'2022-12-29T10:11:12.000Z',version:2)"
+ "/create?_a=(budgetingMethod:occurrences,createdAt:'2022-12-29T10:11:12.000Z',description:'some%20description%20useful',enabled:!t,groupBy:'*',groupings:(),indicator:(params:(dataViewId:some-data-view-id,filter:'baz:%20foo%20and%20bar%20%3E%202',good:'http_status:%202xx',index:some-index,timestampField:custom_timestamp,total:'a%20query'),type:sli.kql.custom),instanceId:'*',meta:(),name:'super%20important%20level%20service',objective:(target:0.98),revision:1,settings:(frequency:'1m',preventInitialBackfill:!f,syncDelay:'1m'),summary:(errorBudget:(consumed:0.064,initial:0.02,isEstimated:!f,remaining:0.936),fiveMinuteBurnRate:0,oneDayBurnRate:0,oneHourBurnRate:0,sliValue:0.99872,status:HEALTHY),tags:!(k8s,production,critical),timeWindow:(duration:'30d',type:rolling),updatedAt:'2022-12-29T10:11:12.000Z',version:2)"
);
});
});
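Review bot: The new "slo id is provided" case only asserts `location.path`; unlike the other two cases it does not check `location.app`, and it does not cover the behaviour the locator change actually introduces, namely that every other field is dropped when an id is present. Passing `{ id: 'existing-slo-id', name: 'ignored' }` and adding `expect(location.app).toEqual('slo');` together with `expect(location.path).not.toContain('_a=');` would pin that down.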
diff --git a/x-pack/plugins/observability_solution/slo/public/locators/slo_edit.ts b/x-pack/plugins/observability_solution/slo/public/locators/slo_edit.ts
index 120bc533e9eea..2233ea9c5718b 100644
--- a/x-pack/plugins/observability_solution/slo/public/locators/slo_edit.ts
+++ b/x-pack/plugins/observability_solution/slo/public/locators/slo_edit.ts
@@ -5,31 +5,34 @@
* 2.0.
*/
-import { setStateToKbnUrl } from '@kbn/kibana-utils-plugin/public';
import type { RecursivePartial } from '@elastic/charts';
-import type { SerializableRecord } from '@kbn/utility-types';
-import type { LocatorDefinition } from '@kbn/share-plugin/public';
+import { setStateToKbnUrl } from '@kbn/kibana-utils-plugin/public';
import { sloEditLocatorID } from '@kbn/observability-plugin/common';
-import type { CreateSLOForm } from '../pages/slo_edit/types';
+import type { LocatorDefinition } from '@kbn/share-plugin/public';
+import { CreateSLOInput } from '@kbn/slo-schema';
import { SLO_CREATE_PATH } from '../../common/locators/paths';
-export type SloEditParams = RecursivePartial;
-
-export interface SloEditLocatorParams extends SloEditParams, SerializableRecord {}
+export type SloEditLocatorParams = RecursivePartial;
export class SloEditLocatorDefinition implements LocatorDefinition {
public readonly id = sloEditLocatorID;
public readonly getLocation = async (slo: SloEditLocatorParams) => {
+ if (!!slo.id) {
+ return {
+ app: 'slo',
+ path: `/edit/${encodeURIComponent(slo.id)}`,
+ state: {},
+ };
+ }
+
return {
app: 'slo',
- path: setStateToKbnUrl(
+ path: setStateToKbnUrl>(
'_a',
- {
- ...slo,
- },
+ slo,
{ useHash: false, storeInHashQuery: false },
- slo.id ? `/edit/${encodeURIComponent(String(slo.id))}` : `${SLO_CREATE_PATH}`
+ SLO_CREATE_PATH
),
state: {},
};
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_details/components/overview/overview.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_details/components/overview/overview.tsx
index 34f3b0132dc8a..9a2f798ab628e 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_details/components/overview/overview.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_details/components/overview/overview.tsx
@@ -8,15 +8,14 @@
import { EuiFlexGrid, EuiPanel, EuiText, useIsWithinBreakpoints } from '@elastic/eui';
import numeral from '@elastic/numeral';
import { i18n } from '@kbn/i18n';
+import { TagsList } from '@kbn/observability-shared-plugin/public';
import {
+ SLOWithSummaryResponse,
occurrencesBudgetingMethodSchema,
querySchema,
rollingTimeWindowTypeSchema,
- SLOWithSummaryResponse,
} from '@kbn/slo-schema';
import React from 'react';
-import { TagsList } from '@kbn/observability-shared-plugin/public';
-import { DisplayQuery } from './display_query';
import { useKibana } from '../../../../hooks/use_kibana';
import {
BUDGETING_METHOD_OCCURRENCES,
@@ -26,9 +25,9 @@ import {
toIndicatorTypeLabel,
} from '../../../../utils/slo/labels';
import { ApmIndicatorOverview } from './apm_indicator_overview';
-import { SyntheticsIndicatorOverview } from './synthetics_indicator_overview';
-
+import { DisplayQuery } from './display_query';
import { OverviewItem } from './overview_item';
+import { SyntheticsIndicatorOverview } from './synthetics_indicator_overview';
export interface Props {
slo: SLOWithSummaryResponse;
@@ -170,6 +169,19 @@ export function Overview({ slo }: Props) {
}
/>
)}
+
+
+
);
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/advanced_settings/advanced_settings.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/advanced_settings/advanced_settings.tsx
new file mode 100644
index 0000000000000..81a630990a256
--- /dev/null
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/advanced_settings/advanced_settings.tsx
@@ -0,0 +1,174 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import {
+ EuiAccordion,
+ EuiCheckbox,
+ EuiFieldNumber,
+ EuiFlexGrid,
+ EuiFlexGroup,
+ EuiFlexItem,
+ EuiFormRow,
+ EuiIcon,
+ EuiIconTip,
+ EuiTitle,
+ useGeneratedHtmlId,
+} from '@elastic/eui';
+import { i18n } from '@kbn/i18n';
+import React from 'react';
+import { Controller, useFormContext } from 'react-hook-form';
+import { CreateSLOForm } from '../../../types';
+import { SyncFieldSelector } from './sync_field_selector';
+
+export function AdvancedSettings() {
+ const { control, getFieldState } = useFormContext();
+ const preventBackfillCheckbox = useGeneratedHtmlId({ prefix: 'preventBackfill' });
+ const advancedSettingsAccordion = useGeneratedHtmlId({ prefix: 'advancedSettingsAccordion' });
+
+ return (
+
+
+
+
+
+
+
+
+ {i18n.translate('xpack.slo.sloEdit.settings.advancedSettingsLabel', {
+ defaultMessage: 'Advanced settings',
+ })}
+
+
+
+
+ }
+ >
+
+
+
+
+
+
+
+
+ {i18n.translate('xpack.slo.sloEdit.settings.syncDelay.label', {
+ defaultMessage: 'Sync delay (in minutes)',
+ })}{' '}
+
+
+ }
+ >
+ (
+ onChange(event.target.value)}
+ />
+ )}
+ />
+
+
+
+
+
+ {i18n.translate('xpack.slo.sloEdit.settings.frequency.label', {
+ defaultMessage: 'Frequency (in minutes)',
+ })}{' '}
+
+
+ }
+ >
+ (
+ onChange(event.target.value)}
+ />
+ )}
+ />
+
+
+
+
+
+ (
+
+ {i18n.translate('xpack.slo.sloEdit.settings.preventInitialBackfill.label', {
+ defaultMessage: 'Prevent initial backfill of data',
+ })}{' '}
+
+
+ }
+ checked={Boolean(field.value)}
+ onChange={(event: any) => onChange(event.target.checked)}
+ />
+ )}
+ />
+
+
+
+ );
+}
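Review bot: The checkbox handler near the end of the accordion types its event as `any` (`onChange={(event: any) => onChange(event.target.checked)}`), which drops the type check on `target.checked`; `React` is already imported, so `(event: React.ChangeEvent<HTMLInputElement>) => onChange(event.target.checked)` costs nothing. The two numeric controls above it forward `event.target.value`, which is a string from the DOM, into what are presumably numeric `settings.syncDelay` / `settings.frequency` minutes; I cannot see the form schema here, so please confirm a transform coerces them before the payload is sent, otherwise the API would receive `"1"` rather than `1`. Most of the JSX props are not visible in this rendering, so I could not check whether the number fields carry `min`/`step` bounds.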
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/advanced_settings/sync_field_selector.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/advanced_settings/sync_field_selector.tsx
new file mode 100644
index 0000000000000..ddfb51bb28977
--- /dev/null
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/advanced_settings/sync_field_selector.tsx
@@ -0,0 +1,84 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { EuiComboBox, EuiComboBoxOptionOption, EuiFormRow, EuiIconTip } from '@elastic/eui';
+import { i18n } from '@kbn/i18n';
+import React from 'react';
+import { Controller, useFormContext } from 'react-hook-form';
+import { useCreateDataView } from '../../../../../hooks/use_create_data_view';
+import { createOptionsFromFields } from '../../../helpers/create_options';
+import { CreateSLOForm } from '../../../types';
+import { OptionalText } from '../../common/optional_text';
+
+const placeholder = i18n.translate('xpack.slo.sloEdit.settings.syncField.placeholder', {
+ defaultMessage: 'Select a timestamp field',
+});
+
+export function SyncFieldSelector() {
+ const { control, watch, getFieldState } = useFormContext();
+ const [index, dataViewId] = watch(['indicator.params.index', 'indicator.params.dataViewId']);
+ const { dataView, loading: isIndexFieldsLoading } = useCreateDataView({
+ indexPatternString: index,
+ dataViewId,
+ });
+ const timestampFields = dataView?.fields?.filter((field) => field.type === 'date') ?? [];
+
+ return (
+
+ {i18n.translate('xpack.slo.sloEdit.settings.syncField.label', {
+ defaultMessage: 'Sync field',
+ })}{' '}
+
+
+ }
+ isInvalid={getFieldState('settings.syncField').invalid}
+ labelAppend={}
+ >
+ {
+ return (
+
+ {...field}
+ placeholder={placeholder}
+ aria-label={placeholder}
+ isClearable
+ isDisabled={isIndexFieldsLoading}
+ isInvalid={fieldState.invalid}
+ isLoading={isIndexFieldsLoading}
+ onChange={(selected: EuiComboBoxOptionOption[]) => {
+ if (selected.length) {
+ return field.onChange(selected[0].value);
+ }
+
+ field.onChange(null);
+ }}
+ singleSelection={{ asPlainText: true }}
+ options={createOptionsFromFields(timestampFields)}
+ selectedOptions={
+ !!timestampFields && !!field.value
+ ? [{ value: field.value, label: field.value }]
+ : []
+ }
+ />
+ );
+ }}
+ />
+
+ );
+}
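Review bot: The `!!timestampFields` guard in `selectedOptions` is dead: `timestampFields` is always an array because of the `?? []` fallback, so the condition collapses to `!!field.value` and a stale `settings.syncField` is shown as selected even when it is not a date field of the current data view. The sibling metric selector checks membership instead (`metricField.name === field.value`); the equivalent here is `timestampFields.some((f) => f.name === field.value) && !!field.value`. That still leaves the stale value in the form state, so consider also clearing it when the loaded fields do not contain it, unless `IndexSelection` resetting `settings.syncField` on data-view change is meant to be the only safeguard.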
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_availability/apm_availability_indicator_type_form.stories.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_availability/apm_availability_indicator_type_form.stories.tsx
similarity index 84%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_availability/apm_availability_indicator_type_form.stories.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_availability/apm_availability_indicator_type_form.stories.tsx
index c3c506eb484eb..d40d56941ccfe 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_availability/apm_availability_indicator_type_form.stories.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_availability/apm_availability_indicator_type_form.stories.tsx
@@ -9,9 +9,9 @@ import React from 'react';
import { ComponentStory } from '@storybook/react';
import { FormProvider, useForm } from 'react-hook-form';
-import { KibanaReactStorybookDecorator } from '../../../../utils/kibana_react.storybook_decorator';
+import { KibanaReactStorybookDecorator } from '../../../../../utils/kibana_react.storybook_decorator';
import { ApmAvailabilityIndicatorTypeForm as Component } from './apm_availability_indicator_type_form';
-import { SLO_EDIT_FORM_DEFAULT_VALUES } from '../../constants';
+import { SLO_EDIT_FORM_DEFAULT_VALUES } from '../../../constants';
export default {
component: Component,
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_availability/apm_availability_indicator_type_form.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_availability/apm_availability_indicator_type_form.tsx
similarity index 88%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_availability/apm_availability_indicator_type_form.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_availability/apm_availability_indicator_type_form.tsx
index 0dcddcdb232b5..fd00e3d359530 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_availability/apm_availability_indicator_type_form.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_availability/apm_availability_indicator_type_form.tsx
@@ -12,14 +12,14 @@ import React from 'react';
import { useFormContext } from 'react-hook-form';
import { useApmDefaultValues } from '../apm_common/use_apm_default_values';
import { DATA_VIEW_FIELD } from '../custom_common/index_selection';
-import { useCreateDataView } from '../../../../hooks/use_create_data_view';
-import { GroupByField } from '../common/group_by_field';
-import { useFetchApmIndex } from '../../../../hooks/use_fetch_apm_indices';
-import { CreateSLOForm } from '../../types';
+import { useCreateDataView } from '../../../../../hooks/use_create_data_view';
+import { GroupByField } from '../../common/group_by_field';
+import { useFetchApmIndex } from '../../../../../hooks/use_fetch_apm_indices';
+import { CreateSLOForm } from '../../../types';
import { FieldSelector } from '../apm_common/field_selector';
-import { DataPreviewChart } from '../common/data_preview_chart';
-import { QueryBuilder } from '../common/query_builder';
-import { formatAllFilters } from '../../helpers/format_filters';
+import { DataPreviewChart } from '../../common/data_preview_chart';
+import { QueryBuilder } from '../../common/query_builder';
+import { formatAllFilters } from '../../../helpers/format_filters';
import { getGroupByCardinalityFilters } from '../apm_common/get_group_by_cardinality_filters';
export function ApmAvailabilityIndicatorTypeForm() {
@@ -56,8 +56,8 @@ export function ApmAvailabilityIndicatorTypeForm() {
});
return (
-
-
+
+
-
+
-
+
{
const { watch, setValue } = useFormContext>();
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_latency/apm_latency_indicator_type_form.stories.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_latency/apm_latency_indicator_type_form.stories.tsx
similarity index 84%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_latency/apm_latency_indicator_type_form.stories.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_latency/apm_latency_indicator_type_form.stories.tsx
index 3ca02641f9bfa..9b346c94dea9a 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_latency/apm_latency_indicator_type_form.stories.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_latency/apm_latency_indicator_type_form.stories.tsx
@@ -9,9 +9,9 @@ import React from 'react';
import { ComponentStory } from '@storybook/react';
import { FormProvider, useForm } from 'react-hook-form';
-import { KibanaReactStorybookDecorator } from '../../../../utils/kibana_react.storybook_decorator';
+import { KibanaReactStorybookDecorator } from '../../../../../utils/kibana_react.storybook_decorator';
import { ApmLatencyIndicatorTypeForm as Component } from './apm_latency_indicator_type_form';
-import { SLO_EDIT_FORM_DEFAULT_VALUES } from '../../constants';
+import { SLO_EDIT_FORM_DEFAULT_VALUES } from '../../../constants';
export default {
component: Component,
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_latency/apm_latency_indicator_type_form.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_latency/apm_latency_indicator_type_form.tsx
similarity index 91%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_latency/apm_latency_indicator_type_form.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_latency/apm_latency_indicator_type_form.tsx
index 03b47aafe4150..0d7b86d0b88d3 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/apm_latency/apm_latency_indicator_type_form.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/apm_latency/apm_latency_indicator_type_form.tsx
@@ -12,14 +12,14 @@ import React from 'react';
import { Controller, useFormContext } from 'react-hook-form';
import { useApmDefaultValues } from '../apm_common/use_apm_default_values';
import { DATA_VIEW_FIELD } from '../custom_common/index_selection';
-import { GroupByField } from '../common/group_by_field';
-import { useCreateDataView } from '../../../../hooks/use_create_data_view';
-import { useFetchApmIndex } from '../../../../hooks/use_fetch_apm_indices';
-import { CreateSLOForm } from '../../types';
+import { GroupByField } from '../../common/group_by_field';
+import { useCreateDataView } from '../../../../../hooks/use_create_data_view';
+import { useFetchApmIndex } from '../../../../../hooks/use_fetch_apm_indices';
+import { CreateSLOForm } from '../../../types';
import { FieldSelector } from '../apm_common/field_selector';
-import { DataPreviewChart } from '../common/data_preview_chart';
-import { QueryBuilder } from '../common/query_builder';
-import { formatAllFilters } from '../../helpers/format_filters';
+import { DataPreviewChart } from '../../common/data_preview_chart';
+import { QueryBuilder } from '../../common/query_builder';
+import { formatAllFilters } from '../../../helpers/format_filters';
import { getGroupByCardinalityFilters } from '../apm_common/get_group_by_cardinality_filters';
export function ApmLatencyIndicatorTypeForm() {
@@ -58,8 +58,8 @@ export function ApmLatencyIndicatorTypeForm() {
});
return (
-
-
+
+
-
+
();
const index = watch('indicator.params.index');
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_common/index_selection.stories.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_common/index_selection.stories.tsx
similarity index 84%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_common/index_selection.stories.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_common/index_selection.stories.tsx
index 4b8dce62f43bb..b1739a63881f5 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_common/index_selection.stories.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_common/index_selection.stories.tsx
@@ -9,9 +9,9 @@ import React from 'react';
import { ComponentStory } from '@storybook/react';
import { FormProvider, useForm } from 'react-hook-form';
-import { KibanaReactStorybookDecorator } from '../../../../utils/kibana_react.storybook_decorator';
+import { KibanaReactStorybookDecorator } from '../../../../../utils/kibana_react.storybook_decorator';
import { IndexSelection as Component } from './index_selection';
-import { SLO_EDIT_FORM_DEFAULT_VALUES } from '../../constants';
+import { SLO_EDIT_FORM_DEFAULT_VALUES } from '../../../constants';
export default {
component: Component,
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_common/index_selection.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_common/index_selection.tsx
similarity index 63%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_common/index_selection.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_common/index_selection.tsx
index 146d11be84ac8..9d5489ddd283f 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_common/index_selection.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_common/index_selection.tsx
@@ -8,37 +8,47 @@
import { EuiFormRow } from '@elastic/eui';
import { DataView } from '@kbn/data-views-plugin/public';
import { i18n } from '@kbn/i18n';
+import { ALL_VALUE } from '@kbn/slo-schema';
+import { DataViewPicker } from '@kbn/unified-search-plugin/public';
import React, { useEffect } from 'react';
import { Controller, useFormContext } from 'react-hook-form';
-import { DataViewPicker } from '@kbn/unified-search-plugin/public';
-import { getDataViewPattern, useAdhocDataViews } from './use_adhoc_data_views';
-import { SLOPublicPluginsStart } from '../../../..';
-import { useKibana } from '../../../../hooks/use_kibana';
-import { CreateSLOForm } from '../../types';
+import { SLOPublicPluginsStart } from '../../../../..';
+import { useKibana } from '../../../../../hooks/use_kibana';
+import { CreateSLOForm } from '../../../types';
+import { getDataViewPatternOrId, useAdhocDataViews } from './use_adhoc_data_views';
const BTN_MAX_WIDTH = 515;
export const DATA_VIEW_FIELD = 'indicator.params.dataViewId';
const INDEX_FIELD = 'indicator.params.index';
-const TIMESTAMP_FIELD = 'indicator.params.timestampField';
+const INDICATOR_TIMESTAMP_FIELD = 'indicator.params.timestampField';
+const GROUP_BY_FIELD = 'groupBy';
+const SETTINGS_SYNC_FIELD = 'settings.syncField';
export function IndexSelection({ selectedDataView }: { selectedDataView?: DataView }) {
const { control, getFieldState, setValue, watch } = useFormContext();
- const { dataViews: dataViewsService, dataViewFieldEditor } = useKibana().services;
-
- const { dataViewEditor } = useKibana().services;
+ const {
+ dataViews: dataViewsService,
+ dataViewFieldEditor,
+ dataViewEditor,
+ } = useKibana().services;
const currentIndexPattern = watch(INDEX_FIELD);
const currentDataViewId = watch(DATA_VIEW_FIELD);
- const { dataViewsList, isDataViewsLoading, adHocDataViews, setAdHocDataViews, refetch } =
- useAdhocDataViews({
- currentIndexPattern,
- });
+ const {
+ dataViewsList,
+ isDataViewsLoading,
+ adHocDataViews,
+ setAdHocDataViews,
+ refetchDataViewsList,
+ } = useAdhocDataViews({
+ currentIndexPattern,
+ });
useEffect(() => {
- const indPatternId = getDataViewPattern({
- byPatten: currentIndexPattern,
+ const indPatternId = getDataViewPatternOrId({
+ byPattern: currentIndexPattern,
dataViewsList,
adHocDataViews,
});
@@ -54,13 +64,24 @@ export function IndexSelection({ selectedDataView }: { selectedDataView?: DataVi
setValue,
]);
+ const updateDataViewDependantFields = (indexPattern?: string, timestampField?: string) => {
+ setValue(INDEX_FIELD, indexPattern ?? '');
+ setValue(INDICATOR_TIMESTAMP_FIELD, timestampField ?? '');
+ setValue(GROUP_BY_FIELD, ALL_VALUE);
+ setValue(SETTINGS_SYNC_FIELD, null);
+ };
+
return (
-
+
(
{
- setValue(
- INDEX_FIELD,
- getDataViewPattern({ byId: newId, adHocDataViews, dataViewsList })!
- );
field.onChange(newId);
+
dataViewsService.get(newId).then((dataView) => {
- if (dataView.timeFieldName) {
- setValue(TIMESTAMP_FIELD, dataView.timeFieldName);
- }
+ updateDataViewDependantFields(
+ getDataViewPatternOrId({ byId: newId, adHocDataViews, dataViewsList })!,
+ dataView.timeFieldName
+ );
});
}}
onAddField={
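Review bot: `dataViewsService.get(newId).then(...)` has no rejection handler, so a failed lookup (missing data view, insufficient privileges) becomes an unhandled promise rejection and leaves the form with the new `dataViewId` but the previous `index`, `timestampField`, `groupBy` and `syncField` — an inconsistent state that would then be submitted. A minimal fix is `.catch(() => updateDataViewDependantFields())` so the dependent fields are at least reset, or surface the error via the form's error state. The non-null assertion on `getDataViewPatternOrId(...)!` is only a type-level lie since `updateDataViewDependantFields` already maps `undefined` to `''`; dropping the `!` and letting the optional parameter absorb it would be more honest. The enclosing `IndexSelection` component starts and ends outside this hunk.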
@@ -97,8 +116,8 @@ export function IndexSelection({ selectedDataView }: { selectedDataView?: DataVi
}
currentDataViewId={
field.value ??
- getDataViewPattern({
- byPatten: currentIndexPattern,
+ getDataViewPatternOrId({
+ byPattern: currentIndexPattern,
dataViewsList,
adHocDataViews,
})
@@ -108,17 +127,13 @@ export function IndexSelection({ selectedDataView }: { selectedDataView?: DataVi
allowAdHocDataView: true,
onSave: (dataView: DataView) => {
if (!dataView.isPersisted()) {
- setAdHocDataViews([...adHocDataViews, dataView]);
- field.onChange(dataView.id);
- setValue(INDEX_FIELD, dataView.getIndexPattern());
+ setAdHocDataViews((prev) => [...prev, dataView]);
} else {
- refetch();
- field.onChange(dataView.id);
- setValue(INDEX_FIELD, dataView.getIndexPattern());
- }
- if (dataView.timeFieldName) {
- setValue(TIMESTAMP_FIELD, dataView.timeFieldName);
+ refetchDataViewsList();
}
+
+ field.onChange(dataView.id);
+ updateDataViewDependantFields(dataView.getIndexPattern(), dataView.timeFieldName);
},
});
}}
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_common/use_adhoc_data_views.ts b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_common/use_adhoc_data_views.ts
similarity index 79%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_common/use_adhoc_data_views.ts
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_common/use_adhoc_data_views.ts
index 67792b056408d..986b681c9bca9 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_common/use_adhoc_data_views.ts
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_common/use_adhoc_data_views.ts
@@ -8,16 +8,16 @@
import { useEffect, useState } from 'react';
import { DataView, DataViewListItem } from '@kbn/data-views-plugin/common';
import { useFetchDataViews } from '@kbn/observability-plugin/public';
-import { useKibana } from '../../../../hooks/use_kibana';
+import { useKibana } from '../../../../../hooks/use_kibana';
-export const getDataViewPattern = ({
+export const getDataViewPatternOrId = ({
byId,
- byPatten,
+ byPattern,
dataViewsList,
adHocDataViews,
}: {
byId?: string;
- byPatten?: string;
+ byPattern?: string;
dataViewsList: DataViewListItem[];
adHocDataViews: DataView[];
}) => {
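Review bot: The renamed `getDataViewPatternOrId` now says in its name that it returns two different things depending on which argument is set, but it carries no documentation, so callers must read the body to learn that `byId` yields a title (index pattern) while `byPattern` yields an id, and that neither matching yields `undefined`. A TSDoc such as `/** Looks a data view up across the persisted list and the ad-hoc list. Returns its index pattern (title) when called with \`byId\`, its id when called with \`byPattern\`, and undefined when nothing matches. */` would make the contract explicit. The function's body continues in the next hunk, outside this one.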
@@ -28,20 +28,24 @@ export const getDataViewPattern = ({
if (byId) {
return allDataViews.find((dv) => dv.id === byId)?.title;
}
- if (byPatten) {
- return allDataViews.find((dv) => dv.title === byPatten)?.id;
+ if (byPattern) {
+ return allDataViews.find((dv) => dv.title === byPattern)?.id;
}
};
export const useAdhocDataViews = ({ currentIndexPattern }: { currentIndexPattern: string }) => {
- const { isLoading: isDataViewsLoading, data: dataViewsList = [], refetch } = useFetchDataViews();
+ const {
+ isLoading: isDataViewsLoading,
+ data: dataViewsList = [],
+ refetch: refetchDataViewsList,
+ } = useFetchDataViews();
const { dataViews: dataViewsService } = useKibana().services;
const [adHocDataViews, setAdHocDataViews] = useState([]);
useEffect(() => {
if (!isDataViewsLoading) {
- const missingDataView = getDataViewPattern({
- byPatten: currentIndexPattern,
+ const missingDataView = getDataViewPatternOrId({
+ byPattern: currentIndexPattern,
dataViewsList,
adHocDataViews,
});
@@ -70,6 +74,6 @@ export const useAdhocDataViews = ({ currentIndexPattern }: { currentIndexPattern
setAdHocDataViews,
dataViewsList,
isDataViewsLoading,
- refetch,
+ refetchDataViewsList,
};
};
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_kql/custom_kql_indicator_type_form.stories.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_kql/custom_kql_indicator_type_form.stories.tsx
similarity index 84%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_kql/custom_kql_indicator_type_form.stories.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_kql/custom_kql_indicator_type_form.stories.tsx
index 5eb0b68070789..1ecf3f57c1496 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_kql/custom_kql_indicator_type_form.stories.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_kql/custom_kql_indicator_type_form.stories.tsx
@@ -9,9 +9,9 @@ import React from 'react';
import { ComponentStory } from '@storybook/react';
import { FormProvider, useForm } from 'react-hook-form';
-import { KibanaReactStorybookDecorator } from '../../../../utils/kibana_react.storybook_decorator';
+import { KibanaReactStorybookDecorator } from '../../../../../utils/kibana_react.storybook_decorator';
import { CustomKqlIndicatorTypeForm as Component } from './custom_kql_indicator_type_form';
-import { SLO_EDIT_FORM_DEFAULT_VALUES } from '../../constants';
+import { SLO_EDIT_FORM_DEFAULT_VALUES } from '../../../constants';
export default {
component: Component,
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_kql/custom_kql_indicator_type_form.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_kql/custom_kql_indicator_type_form.tsx
similarity index 91%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_kql/custom_kql_indicator_type_form.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_kql/custom_kql_indicator_type_form.tsx
index 92ba2cac50e7f..ccebca1fbb36f 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_kql/custom_kql_indicator_type_form.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_kql/custom_kql_indicator_type_form.tsx
@@ -9,12 +9,12 @@ import { EuiFlexGroup, EuiFlexItem, EuiIconTip } from '@elastic/eui';
import { i18n } from '@kbn/i18n';
import React from 'react';
import { useFormContext } from 'react-hook-form';
+import { useCreateDataView } from '../../../../../hooks/use_create_data_view';
+import { CreateSLOForm } from '../../../types';
+import { DataPreviewChart } from '../../common/data_preview_chart';
+import { GroupByField } from '../../common/group_by_field';
+import { QueryBuilder } from '../../common/query_builder';
import { IndexAndTimestampField } from '../custom_common/index_and_timestamp_field';
-import { GroupByField } from '../common/group_by_field';
-import { useCreateDataView } from '../../../../hooks/use_create_data_view';
-import { CreateSLOForm } from '../../types';
-import { DataPreviewChart } from '../common/data_preview_chart';
-import { QueryBuilder } from '../common/query_builder';
import { DATA_VIEW_FIELD } from '../custom_common/index_selection';
export function CustomKqlIndicatorTypeForm() {
@@ -28,7 +28,7 @@ export function CustomKqlIndicatorTypeForm() {
});
return (
-
+
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_metric/custom_metric_type_form.stories.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_metric/custom_metric_type_form.stories.tsx
similarity index 89%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_metric/custom_metric_type_form.stories.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_metric/custom_metric_type_form.stories.tsx
index 1abbff61a0dc8..771405a539f1b 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_metric/custom_metric_type_form.stories.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_metric/custom_metric_type_form.stories.tsx
@@ -9,9 +9,9 @@ import React from 'react';
import { ComponentStory } from '@storybook/react';
import { FormProvider, useForm } from 'react-hook-form';
-import { KibanaReactStorybookDecorator } from '../../../../utils/kibana_react.storybook_decorator';
+import { KibanaReactStorybookDecorator } from '../../../../../utils/kibana_react.storybook_decorator';
import { CustomMetricIndicatorTypeForm as Component } from './custom_metric_type_form';
-import { SLO_EDIT_FORM_DEFAULT_VALUES_CUSTOM_METRIC } from '../../constants';
+import { SLO_EDIT_FORM_DEFAULT_VALUES_CUSTOM_METRIC } from '../../../constants';
export default {
component: Component,
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_metric/custom_metric_type_form.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_metric/custom_metric_type_form.tsx
similarity index 91%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_metric/custom_metric_type_form.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_metric/custom_metric_type_form.tsx
index ee9bcf8d99649..365205ed6b4bf 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_metric/custom_metric_type_form.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_metric/custom_metric_type_form.tsx
@@ -18,11 +18,11 @@ import { FormattedMessage } from '@kbn/i18n-react';
import React from 'react';
import { useFormContext } from 'react-hook-form';
import { IndexAndTimestampField } from '../custom_common/index_and_timestamp_field';
-import { GroupByField } from '../common/group_by_field';
-import { useCreateDataView } from '../../../../hooks/use_create_data_view';
-import { CreateSLOForm } from '../../types';
-import { DataPreviewChart } from '../common/data_preview_chart';
-import { QueryBuilder } from '../common/query_builder';
+import { GroupByField } from '../../common/group_by_field';
+import { useCreateDataView } from '../../../../../hooks/use_create_data_view';
+import { CreateSLOForm } from '../../../types';
+import { DataPreviewChart } from '../../common/data_preview_chart';
+import { QueryBuilder } from '../../common/query_builder';
import { DATA_VIEW_FIELD } from '../custom_common/index_selection';
import { MetricIndicator } from './metric_indicator';
@@ -55,7 +55,7 @@ export function CustomMetricIndicatorTypeForm() {
-
+
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_metric/metric_indicator.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_metric/metric_indicator.tsx
similarity index 60%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_metric/metric_indicator.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_metric/metric_indicator.tsx
index 03939dce314b6..519167be5db27 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/custom_metric/metric_indicator.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/custom_metric/metric_indicator.tsx
@@ -26,10 +26,10 @@ import { Controller, useFieldArray, useFormContext } from 'react-hook-form';
import {
aggValueToLabel,
CUSTOM_METRIC_AGGREGATION_OPTIONS,
-} from '../../helpers/aggregation_options';
-import { createOptionsFromFields, Option } from '../../helpers/create_options';
-import { CreateSLOForm } from '../../types';
-import { QueryBuilder } from '../common/query_builder';
+} from '../../../helpers/aggregation_options';
+import { createOptionsFromFields, Option } from '../../../helpers/create_options';
+import { CreateSLOForm } from '../../../types';
+import { QueryBuilder } from '../../common/query_builder';
interface MetricIndicatorProps {
type: 'good' | 'total';
@@ -134,95 +134,28 @@ export function MetricIndicator({
{fields?.map((metric, index, arr) => (
-
-
-
-
- {i18n.translate('xpack.slo.sloEdit.customMetric.aggregationLabel', {
- defaultMessage: 'Aggregation',
- })}{' '}
- {metric.name}
-
- }
- >
- (
- {
- if (selected.length) {
- return field.onChange(selected[0].value);
- }
- field.onChange('');
- }}
- selectedOptions={
- !!indexPattern &&
- !!field.value &&
- CUSTOM_METRIC_AGGREGATION_OPTIONS.some((agg) => agg.value === field.value)
- ? [
- {
- value: field.value,
- label: aggValueToLabel(field.value),
- },
- ]
- : []
- }
- onSearchChange={(searchValue: string) => {
- setAggregationOptions(
- CUSTOM_METRIC_AGGREGATION_OPTIONS.filter(({ value }) =>
- value.includes(searchValue)
- )
- );
- }}
- options={aggregationOptions}
- />
- )}
- />
-
-
- {watch(`indicator.params.${type}.metrics.${index}.aggregation`) !== 'doc_count' && (
+
+
+
- {metricLabel} {metric.name} {metricTooltip}
+ {i18n.translate('xpack.slo.sloEdit.customMetric.aggregationLabel', {
+ defaultMessage: 'Aggregation',
+ })}{' '}
+ {metric.name}
}
>
(
metricField.name === field.value)
+ CUSTOM_METRIC_AGGREGATION_OPTIONS.some(
+ (agg) => agg.value === field.value
+ )
? [
{
value: field.value,
- label: field.value,
+ label: aggValueToLabel(field.value),
},
]
: []
}
onSearchChange={(searchValue: string) => {
- setOptions(
- createOptionsFromFields(metricFields, ({ value }) =>
+ setAggregationOptions(
+ CUSTOM_METRIC_AGGREGATION_OPTIONS.filter(({ value }) =>
value.includes(searchValue)
)
);
}}
- options={options}
+ options={aggregationOptions}
/>
)}
/>
- )}
-
-
-
+ {watch(`indicator.params.${type}.metrics.${index}.aggregation`) !== 'doc_count' && (
+
+
+ {metricLabel} {metric.name} {metricTooltip}
+
+ }
+ >
+ (
+ {
+ if (selected.length) {
+ return field.onChange(selected[0].value);
+ }
+ field.onChange('');
+ }}
+ selectedOptions={
+ !!indexPattern &&
+ !!field.value &&
+ metricFields.some((metricField) => metricField.name === field.value)
+ ? [
+ {
+ value: field.value,
+ label: field.value,
+ },
+ ]
+ : []
+ }
+ onSearchChange={(searchValue: string) => {
+ setOptions(
+ createOptionsFromFields(metricFields, ({ value }) =>
+ value.includes(searchValue)
+ )
+ );
+ }}
+ options={options}
+ />
+ )}
+ />
+
+
+ )}
+
+
+
+
+
+ }
+ />
-
- }
- />
{index !== arr.length - 1 && }
))}
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/histogram/histogram_indicator.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/histogram/histogram_indicator.tsx
similarity index 98%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/histogram/histogram_indicator.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/histogram/histogram_indicator.tsx
index 009504e5e6979..3b435fa52494b 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/histogram/histogram_indicator.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/histogram/histogram_indicator.tsx
@@ -19,9 +19,9 @@ import { DataView, FieldSpec } from '@kbn/data-views-plugin/common';
import { i18n } from '@kbn/i18n';
import React, { Fragment, useEffect, useState } from 'react';
import { Controller, useFormContext } from 'react-hook-form';
-import { createOptionsFromFields, Option } from '../../helpers/create_options';
-import { CreateSLOForm } from '../../types';
-import { QueryBuilder } from '../common/query_builder';
+import { createOptionsFromFields, Option } from '../../../helpers/create_options';
+import { CreateSLOForm } from '../../../types';
+import { QueryBuilder } from '../../common/query_builder';
interface HistogramIndicatorProps {
type: 'good' | 'total';
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/histogram/histogram_indicator_type_form.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/histogram/histogram_indicator_type_form.tsx
similarity index 91%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/histogram/histogram_indicator_type_form.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/histogram/histogram_indicator_type_form.tsx
index 6bb1918dba3c2..2e934c74d9d0e 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/histogram/histogram_indicator_type_form.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/histogram/histogram_indicator_type_form.tsx
@@ -18,11 +18,11 @@ import { FormattedMessage } from '@kbn/i18n-react';
import React from 'react';
import { useFormContext } from 'react-hook-form';
import { IndexAndTimestampField } from '../custom_common/index_and_timestamp_field';
-import { useCreateDataView } from '../../../../hooks/use_create_data_view';
-import { GroupByField } from '../common/group_by_field';
-import { CreateSLOForm } from '../../types';
-import { DataPreviewChart } from '../common/data_preview_chart';
-import { QueryBuilder } from '../common/query_builder';
+import { useCreateDataView } from '../../../../../hooks/use_create_data_view';
+import { GroupByField } from '../../common/group_by_field';
+import { CreateSLOForm } from '../../../types';
+import { DataPreviewChart } from '../../common/data_preview_chart';
+import { QueryBuilder } from '../../common/query_builder';
import { DATA_VIEW_FIELD } from '../custom_common/index_selection';
import { HistogramIndicator } from './histogram_indicator';
@@ -49,7 +49,7 @@ export function HistogramIndicatorTypeForm() {
-
+
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/synthetics_availability/synthetics_availability_indicator_type_form.test.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/synthetics_availability/synthetics_availability_indicator_type_form.test.tsx
similarity index 100%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/synthetics_availability/synthetics_availability_indicator_type_form.test.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/synthetics_availability/synthetics_availability_indicator_type_form.test.tsx
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/synthetics_availability/synthetics_availability_indicator_type_form.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/synthetics_availability/synthetics_availability_indicator_type_form.tsx
similarity index 93%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/synthetics_availability/synthetics_availability_indicator_type_form.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/synthetics_availability/synthetics_availability_indicator_type_form.tsx
index 07f2f86663292..88dbb16d667b6 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/synthetics_availability/synthetics_availability_indicator_type_form.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/synthetics_availability/synthetics_availability_indicator_type_form.tsx
@@ -17,12 +17,12 @@ import moment from 'moment';
import React, { useEffect, useState } from 'react';
import { useFormContext } from 'react-hook-form';
import { DATA_VIEW_FIELD } from '../custom_common/index_selection';
-import { useCreateDataView } from '../../../../hooks/use_create_data_view';
-import { formatAllFilters } from '../../helpers/format_filters';
-import { CreateSLOForm } from '../../types';
-import { DataPreviewChart } from '../common/data_preview_chart';
-import { GroupByCardinality } from '../common/group_by_cardinality';
-import { QueryBuilder } from '../common/query_builder';
+import { useCreateDataView } from '../../../../../hooks/use_create_data_view';
+import { formatAllFilters } from '../../../helpers/format_filters';
+import { CreateSLOForm } from '../../../types';
+import { DataPreviewChart } from '../../common/data_preview_chart';
+import { GroupByCardinality } from '../../common/group_by_cardinality';
+import { QueryBuilder } from '../../common/query_builder';
import { FieldSelector } from '../synthetics_common/field_selector';
export function SyntheticsAvailabilityIndicatorTypeForm() {
@@ -74,8 +74,8 @@ export function SyntheticsAvailabilityIndicatorTypeForm() {
}, [currentMonitors, setValue]);
return (
-
-
+
+
-
+
{fields?.map((metric, index, arr) => (
-
-
-
-
-
+
+
+
-
+
+
+
+
+
+ }
+ />
-
- }
- />
{index !== arr.length - 1 && }
))}
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/timeslice_metric/metric_input.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/timeslice_metric/metric_input.tsx
similarity index 97%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/timeslice_metric/metric_input.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/timeslice_metric/metric_input.tsx
index ebb539b97dab2..ef798305b20d6 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/timeslice_metric/metric_input.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/timeslice_metric/metric_input.tsx
@@ -16,9 +16,9 @@ import { FieldSpec } from '@kbn/data-views-plugin/common';
import { i18n } from '@kbn/i18n';
import React, { useEffect, useState } from 'react';
import { Controller, useFormContext } from 'react-hook-form';
-import { AGGREGATION_OPTIONS, aggValueToLabel } from '../../helpers/aggregation_options';
-import { createOptionsFromFields, Option } from '../../helpers/create_options';
-import { CreateSLOForm } from '../../types';
+import { AGGREGATION_OPTIONS, aggValueToLabel } from '../../../helpers/aggregation_options';
+import { createOptionsFromFields, Option } from '../../../helpers/create_options';
+import { CreateSLOForm } from '../../../types';
const fieldLabel = i18n.translate('xpack.slo.sloEdit.sliType.timesliceMetric.fieldLabel', {
defaultMessage: 'Field',
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/timeslice_metric/timeslice_metric_indicator.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/timeslice_metric/timeslice_metric_indicator.tsx
similarity index 88%
rename from x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/timeslice_metric/timeslice_metric_indicator.tsx
rename to x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/timeslice_metric/timeslice_metric_indicator.tsx
index 86eede0ba65e2..73bc3135d91ac 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/timeslice_metric/timeslice_metric_indicator.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/indicator_section/timeslice_metric/timeslice_metric_indicator.tsx
@@ -19,15 +19,15 @@ import { FormattedMessage } from '@kbn/i18n-react';
import React from 'react';
import { useFormContext } from 'react-hook-form';
import { IndexAndTimestampField } from '../custom_common/index_and_timestamp_field';
-import { useKibana } from '../../../../hooks/use_kibana';
-import { GroupByField } from '../common/group_by_field';
-import { CreateSLOForm } from '../../types';
-import { DataPreviewChart } from '../common/data_preview_chart';
-import { QueryBuilder } from '../common/query_builder';
+import { useKibana } from '../../../../../hooks/use_kibana';
+import { GroupByField } from '../../common/group_by_field';
+import { CreateSLOForm } from '../../../types';
+import { DataPreviewChart } from '../../common/data_preview_chart';
+import { QueryBuilder } from '../../common/query_builder';
import { DATA_VIEW_FIELD } from '../custom_common/index_selection';
import { MetricIndicator } from './metric_indicator';
-import { COMPARATOR_MAPPING } from '../../constants';
-import { useCreateDataView } from '../../../../hooks/use_create_data_view';
+import { COMPARATOR_MAPPING } from '../../../constants';
+import { useCreateDataView } from '../../../../../hooks/use_create_data_view';
export { NEW_TIMESLICE_METRIC } from './metric_indicator';
@@ -54,7 +54,7 @@ export function TimesliceMetricIndicatorTypeForm() {
-
+
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form.tsx
index 7ffc274ffce12..9082d5367670e 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form.tsx
@@ -5,43 +5,56 @@
* 2.0.
*/
-import { EuiFlexGroup, EuiSpacer, EuiSteps } from '@elastic/eui';
+import { EuiFlexGroup, EuiSteps } from '@elastic/eui';
import { i18n } from '@kbn/i18n';
-import type { GetSLOResponse } from '@kbn/slo-schema';
+import type { CreateSLOInput, GetSLOResponse } from '@kbn/slo-schema';
+import { RecursivePartial } from '@kbn/utility-types';
import React from 'react';
import { FormProvider, useForm } from 'react-hook-form';
-import { RecursivePartial } from '@kbn/utility-types';
-import { SloEditFormFooter } from './slo_edit_form_footer';
import { SLO_EDIT_FORM_DEFAULT_VALUES } from '../constants';
-import { transformSloResponseToCreateSloForm } from '../helpers/process_slo_form_values';
+import {
+ transformPartialSLOStateToFormState,
+ transformSloResponseToCreateSloForm,
+} from '../helpers/process_slo_form_values';
import { useParseUrlState } from '../hooks/use_parse_url_state';
import { useSectionFormValidation } from '../hooks/use_section_form_validation';
import { useShowSections } from '../hooks/use_show_sections';
import { CreateSLOForm } from '../types';
import { SloEditFormDescriptionSection } from './slo_edit_form_description_section';
+import { SloEditFormFooter } from './slo_edit_form_footer';
import { SloEditFormIndicatorSection } from './slo_edit_form_indicator_section';
import { SloEditFormObjectiveSection } from './slo_edit_form_objective_section';
export interface Props {
slo?: GetSLOResponse;
- initialValues?: RecursivePartial;
+ initialValues?: RecursivePartial;
onSave?: () => void;
}
-export const maxWidth = 900;
-
export function SloEditForm({ slo, initialValues, onSave }: Props) {
const isEditMode = slo !== undefined;
+ const isFlyoutMode = initialValues !== undefined && onSave !== undefined;
- const sloFormValuesFromUrlState = useParseUrlState() ?? (initialValues as CreateSLOForm);
+ const sloFormValuesFromFlyoutState = isFlyoutMode
+ ? transformPartialSLOStateToFormState(initialValues)
+ : undefined;
+ const sloFormValuesFromUrlState = useParseUrlState();
const sloFormValuesFromSloResponse = transformSloResponseToCreateSloForm(slo);
- const methods = useForm({
- defaultValues: sloFormValuesFromUrlState ?? SLO_EDIT_FORM_DEFAULT_VALUES,
- values: sloFormValuesFromUrlState ? sloFormValuesFromUrlState : sloFormValuesFromSloResponse,
+ const form = useForm({
+ defaultValues: isFlyoutMode
+ ? sloFormValuesFromFlyoutState
+ : sloFormValuesFromUrlState
+ ? sloFormValuesFromUrlState
+ : sloFormValuesFromSloResponse ?? SLO_EDIT_FORM_DEFAULT_VALUES,
+ values: isFlyoutMode
+ ? sloFormValuesFromFlyoutState
+ : sloFormValuesFromUrlState
+ ? sloFormValuesFromUrlState
+ : sloFormValuesFromSloResponse,
mode: 'all',
});
- const { watch, getFieldState, getValues, formState } = methods;
+ const { watch, getFieldState, getValues, formState } = form;
const { isIndicatorSectionValid, isObjectiveSectionValid, isDescriptionSectionValid } =
useSectionFormValidation({
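Review bot: The `isFlyoutMode` guard requires both `initialValues` and `onSave`, so a caller that passes `initialValues` alone now has it silently ignored, whereas the removed `useParseUrlState() ?? (initialValues as CreateSLOForm)` still used it as a fallback; if no caller does that, a one-line comment on `isFlyoutMode` saying the flyout contract requires both props would make the intent explicit. The same three-way selection is also written twice, once for `defaultValues` and once for `values`, so the two can drift; computing it once keeps them in step (assuming `useParseUrlState` returns an object or `undefined`, `??` is equivalent to the truthiness test). `SloEditForm` continues past the end of this hunk.
```typescript
  const isFlyoutMode = initialValues !== undefined && onSave !== undefined;
  // … unchanged: sloFormValuesFromFlyoutState / sloFormValuesFromUrlState / sloFormValuesFromSloResponse …
  // Flyout state wins, then URL state, then the SLO being edited; the default
  // values fall back to the empty form when none of the three is present.
  const selectedFormValues = isFlyoutMode
    ? sloFormValuesFromFlyoutState
    : sloFormValuesFromUrlState ?? sloFormValuesFromSloResponse;
  const form = useForm({
    defaultValues: selectedFormValues ?? SLO_EDIT_FORM_DEFAULT_VALUES,
    values: selectedFormValues,
    mode: 'all',
  });
```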
@@ -59,41 +72,37 @@ export function SloEditForm({ slo, initialValues, onSave }: Props) {
);
return (
- <>
-
-
- ,
- status: isIndicatorSectionValid ? 'complete' : 'incomplete',
- },
- {
- title: i18n.translate('xpack.slo.sloEdit.objectives.title', {
- defaultMessage: 'Set objectives',
- }),
- children: showObjectiveSection ? : null,
- status: showObjectiveSection && isObjectiveSectionValid ? 'complete' : 'incomplete',
- },
- {
- title: i18n.translate('xpack.slo.sloEdit.description.title', {
- defaultMessage: 'Describe SLO',
- }),
- children: showDescriptionSection ? : null,
- status:
- showDescriptionSection && isDescriptionSectionValid ? 'complete' : 'incomplete',
- },
- ]}
- />
-
-
+
+
+ ,
+ status: isIndicatorSectionValid ? 'complete' : 'incomplete',
+ },
+ {
+ title: i18n.translate('xpack.slo.sloEdit.objectives.title', {
+ defaultMessage: 'Set objectives',
+ }),
+ children: showObjectiveSection ? : null,
+ status: showObjectiveSection && isObjectiveSectionValid ? 'complete' : 'incomplete',
+ },
+ {
+ title: i18n.translate('xpack.slo.sloEdit.description.title', {
+ defaultMessage: 'Describe SLO',
+ }),
+ children: showDescriptionSection ? : null,
+ status:
+ showDescriptionSection && isDescriptionSectionValid ? 'complete' : 'incomplete',
+ },
+ ]}
+ />
-
-
-
- >
+
+
+
);
}
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_description_section.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_description_section.tsx
index a210021674f6b..f242669e566d2 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_description_section.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_description_section.tsx
@@ -9,8 +9,6 @@ import {
EuiComboBox,
EuiComboBoxOptionOption,
EuiFieldText,
- EuiFlexGroup,
- EuiFlexItem,
EuiFormRow,
EuiPanel,
EuiTextArea,
@@ -20,9 +18,9 @@ import { i18n } from '@kbn/i18n';
import React from 'react';
import { Controller, useFormContext } from 'react-hook-form';
import { useFetchSLOSuggestions } from '../hooks/use_fetch_suggestions';
-import { OptionalText } from './common/optional_text';
import { CreateSLOForm } from '../types';
-import { maxWidth } from './slo_edit_form';
+import { OptionalText } from './common/optional_text';
+import { MAX_WIDTH } from '../constants';
export function SloEditFormDescriptionSection() {
const { control, getFieldState } = useFormContext();
@@ -37,129 +35,117 @@ export function SloEditFormDescriptionSection() {
hasBorder={false}
hasShadow={false}
paddingSize="none"
- style={{ maxWidth }}
+ style={{ maxWidth: MAX_WIDTH }}
data-test-subj="sloEditFormDescriptionSection"
>
-
-
-
- (
-
- )}
+
+ (
+
-
-
+ )}
+ />
+
-
- }
- >
- (
-
+ }
+ >
+ (
+
-
-
+ )}
+ />
+
-
-
- (
- {
- if (selected.length) {
- return field.onChange(selected.map((opts) => opts.value));
- }
+
+ (
+ {
+ if (selected.length) {
+ return field.onChange(selected.map((opts) => opts.value));
+ }
- field.onChange([]);
- }}
- onCreateOption={(
- searchValue: string,
- options: EuiComboBoxOptionOption[] = []
- ) => {
- const normalizedSearchValue = searchValue.trim().toLowerCase();
+ field.onChange([]);
+ }}
+ onCreateOption={(searchValue: string, options: EuiComboBoxOptionOption[] = []) => {
+ const normalizedSearchValue = searchValue.trim().toLowerCase();
- if (!normalizedSearchValue) {
- return;
- }
- const values = field.value ?? [];
+ if (!normalizedSearchValue) {
+ return;
+ }
+ const values = field.value ?? [];
- if (
- values.findIndex(
- (tag) => tag.trim().toLowerCase() === normalizedSearchValue
- ) === -1
- ) {
- field.onChange([...values, searchValue]);
- }
- }}
- isClearable
- data-test-subj="sloEditTagsSelector"
- />
- )}
+ if (
+ values.findIndex((tag) => tag.trim().toLowerCase() === normalizedSearchValue) ===
+ -1
+ ) {
+ field.onChange([...values, searchValue]);
+ }
+ }}
+ isClearable
+ data-test-subj="sloEditTagsSelector"
/>
-
-
-
+ )}
+ />
+
);
}
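Review bot: In the re-indented `onCreateOption`, the duplicate check compares `tag.trim().toLowerCase()` against the trimmed, lower-cased search value, but the value actually appended is the raw `searchValue`, so a tag typed with surrounding whitespace is stored with that whitespace even though it is treated as a duplicate of the trimmed form. Normalising on the way in keeps storage consistent with the comparison: `field.onChange([...values, searchValue.trim()]);`. `SloEditFormDescriptionSection` begins before this hunk.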
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_indicator_section.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_indicator_section.tsx
index 156f45c2c982c..4d30bef7ac692 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_indicator_section.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_indicator_section.tsx
@@ -7,19 +7,20 @@
import { EuiFormRow, EuiPanel, EuiSelect, EuiSpacer } from '@elastic/eui';
import { i18n } from '@kbn/i18n';
+import { assertNever } from '@kbn/std';
import React, { useMemo } from 'react';
import { Controller, useFormContext } from 'react-hook-form';
import { SLI_OPTIONS } from '../constants';
import { useUnregisterFields } from '../hooks/use_unregister_fields';
import { CreateSLOForm } from '../types';
-import { ApmAvailabilityIndicatorTypeForm } from './apm_availability/apm_availability_indicator_type_form';
-import { ApmLatencyIndicatorTypeForm } from './apm_latency/apm_latency_indicator_type_form';
-import { SyntheticsAvailabilityIndicatorTypeForm } from './synthetics_availability/synthetics_availability_indicator_type_form';
-import { CustomKqlIndicatorTypeForm } from './custom_kql/custom_kql_indicator_type_form';
-import { CustomMetricIndicatorTypeForm } from './custom_metric/custom_metric_type_form';
-import { HistogramIndicatorTypeForm } from './histogram/histogram_indicator_type_form';
-import { maxWidth } from './slo_edit_form';
-import { TimesliceMetricIndicatorTypeForm } from './timeslice_metric/timeslice_metric_indicator';
+import { MAX_WIDTH } from '../constants';
+import { ApmAvailabilityIndicatorTypeForm } from './indicator_section/apm_availability/apm_availability_indicator_type_form';
+import { ApmLatencyIndicatorTypeForm } from './indicator_section/apm_latency/apm_latency_indicator_type_form';
+import { CustomKqlIndicatorTypeForm } from './indicator_section/custom_kql/custom_kql_indicator_type_form';
+import { CustomMetricIndicatorTypeForm } from './indicator_section/custom_metric/custom_metric_type_form';
+import { HistogramIndicatorTypeForm } from './indicator_section/histogram/histogram_indicator_type_form';
+import { SyntheticsAvailabilityIndicatorTypeForm } from './indicator_section/synthetics_availability/synthetics_availability_indicator_type_form';
+import { TimesliceMetricIndicatorTypeForm } from './indicator_section/timeslice_metric/timeslice_metric_indicator';
interface SloEditFormIndicatorSectionProps {
isEditMode: boolean;
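Review bot: This hunk now imports from `'../constants'` twice, `SLI_OPTIONS` on one line and `MAX_WIDTH` on another, which `import/no-duplicates` will flag and which the sorted import block otherwise avoids; merge them into `import { MAX_WIDTH, SLI_OPTIONS } from '../constants';`. The objective-section import hunk below has the same split, where `MAX_WIDTH` is added on its own line immediately after an existing multi-line import from `'../constants'`, and should be folded into that list in the same way.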
@@ -48,7 +49,7 @@ export function SloEditFormIndicatorSection({ isEditMode }: SloEditFormIndicator
case 'sli.metric.timeslice':
return ;
default:
- return null;
+ assertNever(indicatorType);
}
}, [indicatorType]);
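Review bot: Replacing `return null` with `assertNever(indicatorType)` turns an unknown indicator type into a throw inside render, and `indicatorType` can originate from URL or flyout state rather than only from the typed `SLI_OPTIONS` select. If `useParseUrlState` does not already validate `indicator.type` against the schema, a malformed or hand-edited link now crashes the edit page instead of rendering an empty indicator section; the exhaustiveness check is the right tool at compile time, so the guard belongs at the boundary where URL state is parsed. Consider a comment on the `default:` branch such as `// Exhaustiveness only: indicator.type is validated when URL/flyout state is parsed` once that validation is confirmed. `SloEditFormIndicatorSection` starts before and ends after this hunk.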
@@ -57,7 +58,7 @@ export function SloEditFormIndicatorSection({ isEditMode }: SloEditFormIndicator
hasBorder={false}
hasShadow={false}
paddingSize="none"
- style={{ maxWidth }}
+ style={{ maxWidth: MAX_WIDTH }}
data-test-subj="sloEditFormIndicatorSection"
>
{!isEditMode && (
@@ -78,7 +79,7 @@ export function SloEditFormIndicatorSection({ isEditMode }: SloEditFormIndicator
)}
/>
-
+
>
)}
{indicatorTypeForm}
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_objective_section.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_objective_section.tsx
index 15c51b1b86ce4..65e4a25a86c39 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_objective_section.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/components/slo_edit_form_objective_section.tsx
@@ -7,15 +7,14 @@
import {
EuiCallOut,
- EuiCheckbox,
EuiFieldNumber,
EuiFlexGrid,
+ EuiFlexGroup,
EuiFlexItem,
EuiFormRow,
EuiIconTip,
EuiPanel,
EuiSelect,
- EuiSpacer,
useGeneratedHtmlId,
} from '@elastic/eui';
import { i18n } from '@kbn/i18n';
@@ -30,7 +29,8 @@ import {
TIMEWINDOW_TYPE_OPTIONS,
} from '../constants';
import { CreateSLOForm } from '../types';
-import { maxWidth } from './slo_edit_form';
+import { MAX_WIDTH } from '../constants';
+import { AdvancedSettings } from './indicator_section/advanced_settings/advanced_settings';
import { SloEditFormObjectiveSectionTimeslices } from './slo_edit_form_objective_section_timeslices';
export function SloEditFormObjectiveSection() {
@@ -44,7 +44,6 @@ export function SloEditFormObjectiveSection() {
const budgetingSelect = useGeneratedHtmlId({ prefix: 'budgetingSelect' });
const timeWindowTypeSelect = useGeneratedHtmlId({ prefix: 'timeWindowTypeSelect' });
const timeWindowSelect = useGeneratedHtmlId({ prefix: 'timeWindowSelect' });
- const preventBackfillCheckbox = useGeneratedHtmlId({ prefix: 'preventBackfill' });
const timeWindowType = watch('timeWindow.type');
const indicator = watch('indicator.type');
@@ -91,237 +90,199 @@ export function SloEditFormObjectiveSection() {
hasBorder={false}
hasShadow={false}
paddingSize="none"
- style={{ maxWidth }}
+ style={{ maxWidth: MAX_WIDTH }}
data-test-subj="sloEditFormObjectiveSection"
>
-
-
-
- {i18n.translate('xpack.slo.sloEdit.timeWindowType.label', {
- defaultMessage: 'Time window',
- })}{' '}
-
-
- }
- >
- (
-
- )}
- />
-
-
-
-
- {i18n.translate('xpack.slo.sloEdit.timeWindowDuration.label', {
- defaultMessage: 'Duration',
- })}{' '}
-
-
- }
- >
- (
-
- )}
- />
-
-
-
-
-
- {indicator === 'sli.metric.timeslice' && (
-
-
-
-
+
+
+
+ {i18n.translate('xpack.slo.sloEdit.timeWindowType.label', {
+ defaultMessage: 'Time window',
+ })}{' '}
+
+
+ }
+ >
+ (
+
+ )}
/>
-
-
-
-
- )}
-
- {indicator === 'sli.synthetics.availability' && (
-
-
-
-
+
+
+
+ {i18n.translate('xpack.slo.sloEdit.timeWindowDuration.label', {
+ defaultMessage: 'Duration',
+ })}{' '}
+
+
+ }
+ >
+ (
+
+ )}
/>
-
-
-
-
- )}
+
+
+
-
-
-
- {i18n.translate('xpack.slo.sloEdit.budgetingMethod.label', {
- defaultMessage: 'Budgeting method',
- })}{' '}
-
-
- }
- >
- (
-
+
+
+
- )}
- />
-
-
+
+
+
+ )}
- {watch('budgetingMethod') === 'timeslices' ? (
-
- ) : null}
-
+ {indicator === 'sli.synthetics.availability' && (
+
+
+
+
+
+
+
+ )}
-
+
+
+
+ {i18n.translate('xpack.slo.sloEdit.budgetingMethod.label', {
+ defaultMessage: 'Budgeting method',
+ })}{' '}
+
+
+ }
+ >
+ (
+
+ )}
+ />
+
+
-
-
-
- {i18n.translate('xpack.slo.sloEdit.targetSlo.label', {
- defaultMessage: 'Target / SLO (%)',
- })}{' '}
-
-
- }
- >
- (
- onChange(event.target.value)}
- />
- )}
- />
-
-
-
+ {watch('budgetingMethod') === 'timeslices' ? (
+
+ ) : null}
+
-
+
+
+
+ {i18n.translate('xpack.slo.sloEdit.targetSlo.label', {
+ defaultMessage: 'Target / SLO (%)',
+ })}{' '}
+
+
+ }
+ >
+ (
+ onChange(event.target.value)}
+ />
+ )}
+ />
+
+
+
-
-
-
- (
-
- {i18n.translate('xpack.slo.sloEdit.settings.preventInitialBackfill.label', {
- defaultMessage: 'Prevent initial backfill of data',
- })}
-
-
- }
- checked={Boolean(field.value)}
- onChange={(event: any) => onChange(event.target.checked)}
- />
- )}
- />
-
-
-
+
+
);
}
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/constants.ts b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/constants.ts
index 123ebdc660947..55dfec93f8a33 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/constants.ts
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/constants.ts
@@ -33,6 +33,8 @@ import {
import { SYNTHETICS_DEFAULT_GROUPINGS, SYNTHETICS_INDEX_PATTERN } from '../../../common/constants';
import { CreateSLOForm } from './types';
+export const MAX_WIDTH = 900;
+
export const SLI_OPTIONS: Array<{
value: IndicatorType;
text: string;
@@ -205,6 +207,13 @@ export const SYNTHETICS_AVAILABILITY_DEFAULT_VALUES: SyntheticsAvailabilityIndic
},
};
+export const SETTINGS_DEFAULT_VALUES = {
+ frequency: 1,
+ preventInitialBackfill: false,
+ syncDelay: 1,
+ syncField: null,
+};
+
export const SLO_EDIT_FORM_DEFAULT_VALUES: CreateSLOForm = {
name: '',
description: '',
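Review bot: `SETTINGS_DEFAULT_VALUES` is exported without a type annotation, so `syncField: null` and the numeric fields are only checked indirectly where the object is assigned into the three `CreateSLOForm` constants below; annotating it where it is declared catches a schema mismatch at the source: `export const SETTINGS_DEFAULT_VALUES: CreateSLOForm['settings'] = {`. The unit of `frequency` and `syncDelay` is not visible in this hunk, so a one-line comment stating it (minutes, seconds, or whatever the schema defines) would help the next reader. The same object is also shared by reference across all three default-value constants, which is fine as long as nothing mutates its defaults; a `Readonly` on the annotation, or `as const`, would document that expectation.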
@@ -219,9 +228,7 @@ export const SLO_EDIT_FORM_DEFAULT_VALUES: CreateSLOForm = {
target: 99,
},
groupBy: ALL_VALUE,
- settings: {
- preventInitialBackfill: false,
- },
+ settings: SETTINGS_DEFAULT_VALUES,
};
export const SLO_EDIT_FORM_DEFAULT_VALUES_CUSTOM_METRIC: CreateSLOForm = {
@@ -238,9 +245,7 @@ export const SLO_EDIT_FORM_DEFAULT_VALUES_CUSTOM_METRIC: CreateSLOForm = {
target: 99,
},
groupBy: ALL_VALUE,
- settings: {
- preventInitialBackfill: false,
- },
+ settings: SETTINGS_DEFAULT_VALUES,
};
export const SLO_EDIT_FORM_DEFAULT_VALUES_SYNTHETICS_AVAILABILITY: CreateSLOForm = {
@@ -257,9 +262,7 @@ export const SLO_EDIT_FORM_DEFAULT_VALUES_SYNTHETICS_AVAILABILITY: CreateSLOForm
target: 99,
},
groupBy: SYNTHETICS_DEFAULT_GROUPINGS,
- settings: {
- preventInitialBackfill: false,
- },
+ settings: SETTINGS_DEFAULT_VALUES,
};
export const COMPARATOR_GT = i18n.translate('xpack.slo.sloEdit.sliType.timesliceMetric.gtLabel', {
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/__snapshots__/process_slo_form_values.test.ts.snap b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/__snapshots__/process_slo_form_values.test.ts.snap
index 3f7ac0ce83beb..78f63a4b8f7bc 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/__snapshots__/process_slo_form_values.test.ts.snap
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/__snapshots__/process_slo_form_values.test.ts.snap
@@ -26,7 +26,10 @@ Object {
"target": 99,
},
"settings": Object {
+ "frequency": 1,
"preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": null,
},
"tags": Array [],
"timeWindow": Object {
@@ -74,7 +77,10 @@ Object {
"target": 99,
},
"settings": Object {
+ "frequency": 1,
"preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": null,
},
"tags": Array [],
"timeWindow": Object {
@@ -104,7 +110,10 @@ Object {
"target": 99,
},
"settings": Object {
+ "frequency": 1,
"preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": null,
},
"tags": Array [],
"timeWindow": Object {
@@ -146,7 +155,10 @@ Object {
"target": 99,
},
"settings": Object {
+ "frequency": 1,
"preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": null,
},
"tags": Array [],
"timeWindow": Object {
@@ -178,7 +190,10 @@ Object {
"timesliceWindow": "2",
},
"settings": Object {
+ "frequency": 1,
"preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": null,
},
"tags": Array [],
"timeWindow": Object {
@@ -208,7 +223,10 @@ Object {
"target": 99,
},
"settings": Object {
+ "frequency": 1,
"preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": null,
},
"tags": Array [],
"timeWindow": Object {
@@ -218,6 +236,105 @@ Object {
}
`;
+exports[`Transform partial URL state into form state settings handles optional 'syncField' URL state 1`] = `
+Object {
+ "budgetingMethod": "occurrences",
+ "description": "",
+ "groupBy": "*",
+ "indicator": Object {
+ "params": Object {
+ "filter": "",
+ "good": "",
+ "index": "",
+ "timestampField": "",
+ "total": "",
+ },
+ "type": "sli.kql.custom",
+ },
+ "name": "",
+ "objective": Object {
+ "target": 99,
+ },
+ "settings": Object {
+ "frequency": 1,
+ "preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": "override-field",
+ },
+ "tags": Array [],
+ "timeWindow": Object {
+ "duration": "30d",
+ "type": "rolling",
+ },
+}
+`;
+
+exports[`Transform partial URL state into form state settings handles partial 'settings' URL state 1`] = `
+Object {
+ "budgetingMethod": "occurrences",
+ "description": "",
+ "groupBy": "*",
+ "indicator": Object {
+ "params": Object {
+ "filter": "",
+ "good": "",
+ "index": "",
+ "timestampField": "",
+ "total": "",
+ },
+ "type": "sli.kql.custom",
+ },
+ "name": "",
+ "objective": Object {
+ "target": 99,
+ },
+ "settings": Object {
+ "frequency": 1,
+ "preventInitialBackfill": false,
+ "syncDelay": 12,
+ "syncField": null,
+ },
+ "tags": Array [],
+ "timeWindow": Object {
+ "duration": "30d",
+ "type": "rolling",
+ },
+}
+`;
+
+exports[`Transform partial URL state into form state settings handles the 'settings' URL state 1`] = `
+Object {
+ "budgetingMethod": "occurrences",
+ "description": "",
+ "groupBy": "*",
+ "indicator": Object {
+ "params": Object {
+ "filter": "",
+ "good": "",
+ "index": "",
+ "timestampField": "",
+ "total": "",
+ },
+ "type": "sli.kql.custom",
+ },
+ "name": "",
+ "objective": Object {
+ "target": 99,
+ },
+ "settings": Object {
+ "frequency": 1,
+ "preventInitialBackfill": true,
+ "syncDelay": 180,
+ "syncField": null,
+ },
+ "tags": Array [],
+ "timeWindow": Object {
+ "duration": "30d",
+ "type": "rolling",
+ },
+}
+`;
+
exports[`Transform partial URL state into form state with 'indicator' in URL state handles partial APM Availability state 1`] = `
Object {
"budgetingMethod": "occurrences",
@@ -239,7 +356,10 @@ Object {
"target": 99,
},
"settings": Object {
+ "frequency": 1,
"preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": null,
},
"tags": Array [],
"timeWindow": Object {
@@ -271,7 +391,10 @@ Object {
"target": 99,
},
"settings": Object {
+ "frequency": 1,
"preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": null,
},
"tags": Array [],
"timeWindow": Object {
@@ -301,7 +424,10 @@ Object {
"target": 99,
},
"settings": Object {
+ "frequency": 1,
"preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": null,
},
"tags": Array [],
"timeWindow": Object {
@@ -331,7 +457,10 @@ Object {
"target": 99,
},
"settings": Object {
+ "frequency": 1,
"preventInitialBackfill": false,
+ "syncDelay": 1,
+ "syncField": null,
},
"tags": Array [],
"timeWindow": Object {
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/format_filters.test.ts b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/format_filters.test.ts
index 16ad733619e65..c79571d4ab77b 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/format_filters.test.ts
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/format_filters.test.ts
@@ -4,7 +4,7 @@
* 2.0; you may not use this file except in compliance with the Elastic License
* 2.0.
*/
-import { getGroupByCardinalityFilters } from '../components/synthetics_availability/synthetics_availability_indicator_type_form';
+import { getGroupByCardinalityFilters } from '../components/indicator_section/synthetics_availability/synthetics_availability_indicator_type_form';
import { formatAllFilters } from './format_filters';
describe('formatAllFilters', () => {
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/process_slo_form_values.test.ts b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/process_slo_form_values.test.ts
index a69cd1152985c..7518e1c679c87 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/process_slo_form_values.test.ts
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/process_slo_form_values.test.ts
@@ -5,7 +5,7 @@
* 2.0.
*/
-import { transformPartialUrlStateToFormState as transform } from './process_slo_form_values';
+import { transformPartialSLOStateToFormState as transform } from './process_slo_form_values';
describe('Transform partial URL state into form state', () => {
describe("with 'indicator' in URL state", () => {
@@ -121,4 +121,20 @@ describe('Transform partial URL state into form state', () => {
})
).toMatchSnapshot();
});
+
+ describe('settings', () => {
+ it("handles the 'settings' URL state", () => {
+ expect(
+ transform({ settings: { preventInitialBackfill: true, syncDelay: '3h' } })
+ ).toMatchSnapshot();
+ });
+
+ it("handles partial 'settings' URL state", () => {
+ expect(transform({ settings: { syncDelay: '12m' } })).toMatchSnapshot();
+ });
+
+ it("handles optional 'syncField' URL state", () => {
+ expect(transform({ settings: { syncField: 'override-field' } })).toMatchSnapshot();
+ });
+ });
});
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/process_slo_form_values.ts b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/process_slo_form_values.ts
index 8bbbcf9d2fee9..81d6714dac2e5 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/process_slo_form_values.ts
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/helpers/process_slo_form_values.ts
@@ -9,13 +9,14 @@ import { CreateSLOInput, GetSLOResponse, Indicator, UpdateSLOInput } from '@kbn/
import { assertNever } from '@kbn/std';
import { RecursivePartial } from '@kbn/utility-types';
import { cloneDeep } from 'lodash';
-import { toDuration } from '../../../utils/slo/duration';
+import { toDuration, toMinutes } from '../../../utils/slo/duration';
import {
APM_AVAILABILITY_DEFAULT_VALUES,
APM_LATENCY_DEFAULT_VALUES,
CUSTOM_KQL_DEFAULT_VALUES,
CUSTOM_METRIC_DEFAULT_VALUES,
HISTOGRAM_DEFAULT_VALUES,
+ SETTINGS_DEFAULT_VALUES,
SLO_EDIT_FORM_DEFAULT_VALUES,
SLO_EDIT_FORM_DEFAULT_VALUES_SYNTHETICS_AVAILABILITY,
SYNTHETICS_AVAILABILITY_DEFAULT_VALUES,
@@ -52,6 +53,13 @@ export function transformSloResponseToCreateSloForm(
tags: values.tags,
settings: {
preventInitialBackfill: values.settings?.preventInitialBackfill ?? false,
+ syncDelay: values.settings?.syncDelay
+ ? toMinutes(toDuration(values.settings.syncDelay))
+ : SETTINGS_DEFAULT_VALUES.syncDelay,
+ frequency: values.settings?.frequency
+ ? toMinutes(toDuration(values.settings.frequency))
+ : SETTINGS_DEFAULT_VALUES.frequency,
+ syncField: values.settings?.syncField ?? null,
},
};
}
@@ -80,7 +88,10 @@ export function transformCreateSLOFormToCreateSLOInput(values: CreateSLOForm): C
tags: values.tags,
groupBy: [values.groupBy].flat(),
settings: {
- preventInitialBackfill: values.settings?.preventInitialBackfill ?? false,
+ preventInitialBackfill: values.settings.preventInitialBackfill,
+ syncDelay: `${values.settings.syncDelay ?? SETTINGS_DEFAULT_VALUES.syncDelay}m`,
+ frequency: `${values.settings.frequency ?? SETTINGS_DEFAULT_VALUES.frequency}m`,
+ syncField: values.settings.syncField,
},
};
}
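Review bot: The `??` fallbacks on `syncDelay` and `frequency` cannot fire under the form type (`settings.syncDelay: number` in types.ts of this same change), while the value a cleared numeric form input actually yields — `NaN` or an empty string, depending on how the field is registered — is not nullish and would be serialized as `NaNm` or `m` and sent to the API. If an unset field is meant to be tolerated, guard on the number rather than on nullishness, e.g. `syncDelay: \`${Number.isFinite(values.settings.syncDelay) ? values.settings.syncDelay : SETTINGS_DEFAULT_VALUES.syncDelay}m\``; otherwise drop the fallback and rely on the `settings.syncDelay`/`settings.frequency` validation added in use_section_form_validation.ts. The same two lines appear in transformValuesToUpdateSLOInput in the next hunk. Both function bodies start outside the hunk.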
@@ -109,7 +120,10 @@ export function transformValuesToUpdateSLOInput(values: CreateSLOForm): UpdateSL
tags: values.tags,
groupBy: [values.groupBy].flat(),
settings: {
- preventInitialBackfill: values.settings?.preventInitialBackfill ?? false,
+ preventInitialBackfill: values.settings.preventInitialBackfill,
+ syncDelay: `${values.settings.syncDelay ?? SETTINGS_DEFAULT_VALUES.syncDelay}m`,
+ frequency: `${values.settings.frequency ?? SETTINGS_DEFAULT_VALUES.frequency}m`,
+ syncField: values.settings.syncField,
},
};
}
@@ -165,7 +179,7 @@ function transformPartialIndicatorState(
}
}
-export function transformPartialUrlStateToFormState(
+export function transformPartialSLOStateToFormState(
values: RecursivePartial
): CreateSLOForm {
let state: CreateSLOForm;
@@ -189,8 +203,8 @@ export function transformPartialUrlStateToFormState(
if (values.description) {
state.description = values.description;
}
- if (!!values.tags) {
- state.tags = values.tags as string[];
+ if (values.tags) {
+ state.tags = [values.tags].flat().filter((tag) => !!tag) as string[];
}
if (values.objective) {
@@ -220,8 +234,19 @@ export function transformPartialUrlStateToFormState(
state.timeWindow = { duration: values.timeWindow.duration, type: values.timeWindow.type };
}
- if (!!values.settings?.preventInitialBackfill) {
- state.settings = { preventInitialBackfill: values.settings.preventInitialBackfill };
+ if (!!values.settings) {
+ if (values.settings.preventInitialBackfill) {
+ state.settings.preventInitialBackfill = values.settings.preventInitialBackfill;
+ }
+ if (values.settings.syncDelay) {
+ state.settings.syncDelay = toMinutes(toDuration(values.settings.syncDelay));
+ }
+ if (values.settings.frequency) {
+ state.settings.frequency = toMinutes(toDuration(values.settings.frequency));
+ }
+ if (values.settings.syncField) {
+ state.settings.syncField = values.settings.syncField;
+ }
}
return state;
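Review bot: `toMinutes(toDuration(values.settings.syncDelay))` runs on a string taken straight from the `_a` URL parameter (see use_parse_url_state.ts in this change) and nothing in the hunk rejects a value that is not a duration; what `toDuration` does with `'abc'` is not visible here, so it either throws inside a render-time hook or yields `NaN` that lands in a numeric form field. The three new tests only cover well-formed durations (`'3h'`, `'12m'`, `'override-field'`). I'd guard each conversion so bad input falls back to the default, e.g. `const delay = toMinutes(toDuration(values.settings.syncDelay)); if (Number.isFinite(delay)) state.settings.syncDelay = delay;` (wrapped in try/catch if `toDuration` throws) and add a malformed-input test. Also `if (values.settings.preventInitialBackfill)` silently ignores an explicit `false`, which only works while the default is `false`; `typeof values.settings.preventInitialBackfill === 'boolean'` would survive a default change. The function body starts outside the hunk.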
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_parse_url_state.ts b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_parse_url_state.ts
index 2c305feda3c06..9ada81ea84387 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_parse_url_state.ts
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_parse_url_state.ts
@@ -10,7 +10,7 @@ import { CreateSLOInput } from '@kbn/slo-schema';
import { RecursivePartial } from '@kbn/utility-types';
import { useHistory } from 'react-router-dom';
import { useMemo } from 'react';
-import { transformPartialUrlStateToFormState } from '../helpers/process_slo_form_values';
+import { transformPartialSLOStateToFormState } from '../helpers/process_slo_form_values';
import { CreateSLOForm } from '../types';
export function useParseUrlState(): CreateSLOForm | undefined {
@@ -25,6 +25,6 @@ export function useParseUrlState(): CreateSLOForm | undefined {
const urlState = urlStateStorage.get>('_a');
- return !!urlState ? transformPartialUrlStateToFormState(urlState) : undefined;
+ return !!urlState ? transformPartialSLOStateToFormState(urlState) : undefined;
}, [history]);
}
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_section_form_validation.ts b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_section_form_validation.ts
index 7d75359f4cd40..94ffc92adedb4 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_section_form_validation.ts
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_section_form_validation.ts
@@ -220,8 +220,10 @@ export function useSectionFormValidation({ getFieldState, getValues, formState,
'objective.target',
'objective.timesliceTarget',
'objective.timesliceWindow',
+ 'settings.syncDelay',
+ 'settings.frequency',
] as const
- ).every((field) => getFieldState(field).error === undefined);
+ ).every((field) => !getFieldState(field).invalid);
const isDescriptionSectionValid =
!getFieldState('name').invalid &&
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_unregister_fields.ts b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_unregister_fields.ts
index 9d7752f190344..eb7a77f822660 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_unregister_fields.ts
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/hooks/use_unregister_fields.ts
@@ -19,8 +19,8 @@ import {
CUSTOM_METRIC_DEFAULT_VALUES,
HISTOGRAM_DEFAULT_VALUES,
SLO_EDIT_FORM_DEFAULT_VALUES,
- TIMESLICE_METRIC_DEFAULT_VALUES,
SLO_EDIT_FORM_DEFAULT_VALUES_SYNTHETICS_AVAILABILITY,
+ TIMESLICE_METRIC_DEFAULT_VALUES,
} from '../constants';
import { CreateSLOForm } from '../types';
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/shared_flyout/slo_add_form_flyout.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/shared_flyout/slo_add_form_flyout.tsx
index 98c76b190aa1a..f71d7caa80d17 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/shared_flyout/slo_add_form_flyout.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/shared_flyout/slo_add_form_flyout.tsx
@@ -7,12 +7,11 @@
import { EuiFlyout, EuiFlyoutBody, EuiFlyoutFooter, EuiFlyoutHeader, EuiTitle } from '@elastic/eui';
import { FormattedMessage } from '@kbn/i18n-react';
+import { CreateSLOInput } from '@kbn/slo-schema';
import { RecursivePartial } from '@kbn/utility-types';
-import { merge } from 'lodash';
import React from 'react';
import { OutPortal, createHtmlPortalNode } from 'react-reverse-portal';
import { SloEditForm } from '../components/slo_edit_form';
-import { CreateSLOForm } from '../types';
export const sloEditFormFooterPortal = createHtmlPortalNode();
@@ -22,7 +21,7 @@ export default function SloAddFormFlyout({
initialValues,
}: {
onClose: () => void;
- initialValues?: RecursivePartial;
+ initialValues?: RecursivePartial;
}) {
return (
-
+
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/slo_edit.test.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/slo_edit.test.tsx
index abc60d6a00352..8d52ed914302c 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/slo_edit.test.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/slo_edit.test.tsx
@@ -423,11 +423,11 @@ describe('SLO Edit Page', () => {
jest.spyOn(Router, 'useParams').mockReturnValue({ sloId: '123' });
history.push(
- '/slos/123/edit?_a=(name:%27updated-name%27,indicator:(params:(environment:prod,service:cartService),type:sli.apm.transactionDuration),objective:(target:0.92))'
+ '/slos/edit/123?_a=(name:%27updated-name%27,indicator:(params:(environment:prod,service:cartService),type:sli.apm.transactionDuration),objective:(target:0.92))'
);
jest
.spyOn(Router, 'useLocation')
- .mockReturnValue({ pathname: '/slos/123/edit', search: '', state: '', hash: '' });
+ .mockReturnValue({ pathname: '/slos/edit/123', search: '', state: '', hash: '' });
useFetchSloMock.mockReturnValue({ isLoading: false, data: slo });
@@ -463,8 +463,7 @@ describe('SLO Edit Page', () => {
jest.spyOn(Router, 'useParams').mockReturnValue({ sloId: '123' });
jest
.spyOn(Router, 'useLocation')
- .mockReturnValue({ pathname: '/slos/123/edit', search: '', state: '', hash: '' });
-
+ .mockReturnValue({ pathname: '/slos/edit/123', search: '', state: '', hash: '' });
useFetchSloMock.mockReturnValue({ isLoading: false, data: slo });
const { getByTestId } = render();
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/slo_edit.tsx b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/slo_edit.tsx
index b014bdb1d6dec..0a563bbe75b44 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/slo_edit.tsx
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/slo_edit.tsx
@@ -12,10 +12,10 @@ import { useParams } from 'react-router-dom';
import { paths } from '../../../common/locators/paths';
import { HeaderMenu } from '../../components/header_menu/header_menu';
import { useFetchSloDetails } from '../../hooks/use_fetch_slo_details';
+import { useKibana } from '../../hooks/use_kibana';
import { useLicense } from '../../hooks/use_license';
import { usePermissions } from '../../hooks/use_permissions';
import { usePluginContext } from '../../hooks/use_plugin_context';
-import { useKibana } from '../../hooks/use_kibana';
import { SloEditForm } from './components/slo_edit_form';
export function SloEditPage() {
diff --git a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/types.ts b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/types.ts
index 5eef9a2d0e5ba..6584e52404bc5 100644
--- a/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/types.ts
+++ b/x-pack/plugins/observability_solution/slo/public/pages/slo_edit/types.ts
@@ -25,5 +25,8 @@ export interface CreateSLOForm {
groupBy: string[] | string;
settings: {
preventInitialBackfill: boolean;
+ syncDelay: number; // in minutes
+ frequency: number; // in minutes
+ syncField: string | null;
};
}
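Review bot: `syncField: string | null` is the one new field without a comment, and what `null` means is only discoverable from transform_generator.ts in this same change, where a falsy value falls back to the indicator's timestamp field. Suggest `syncField: string | null; // transform sync_field; null = use the indicator's timestampField`. It would also help to say on `syncDelay`/`frequency` that the API shape carries them as duration strings (`'1m'`) and only the form state uses minutes, since process_slo_form_values.ts converts in both directions.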
diff --git a/x-pack/plugins/observability_solution/slo/public/utils/slo/remote_slo_urls.test.ts b/x-pack/plugins/observability_solution/slo/public/utils/slo/remote_slo_urls.test.ts
index 3c0495fd1bc9b..6f44d13150819 100644
--- a/x-pack/plugins/observability_solution/slo/public/utils/slo/remote_slo_urls.test.ts
+++ b/x-pack/plugins/observability_solution/slo/public/utils/slo/remote_slo_urls.test.ts
@@ -51,7 +51,7 @@ describe('remote SLO URLs Utils', () => {
`"https://cloud.elast.co/app/slos/edit/fixed-id"`
);
expect(createRemoteSloCloneUrl(remoteSlo)).toMatchInlineSnapshot(
- `"https://cloud.elast.co/app/slos/create?_a=(budgetingMethod:occurrences,createdAt:%272022-12-29T10:11:12.000Z%27,description:%27some%20description%20useful%27,enabled:!t,groupBy:%27*%27,groupings:(),indicator:(params:(filter:%27baz:%20foo%20and%20bar%20%3E%202%27,good:%27http_status:%202xx%27,index:some-index,timestampField:custom_timestamp,total:%27a%20query%27),type:sli.kql.custom),instanceId:%27*%27,meta:(),name:%27[Copy]%20super%20important%20level%20service%27,objective:(target:0.98),remote:(kibanaUrl:%27https:/cloud.elast.co/kibana%27,remoteName:remote_cluster),revision:1,settings:(frequency:%271m%27,preventInitialBackfill:!f,syncDelay:%271m%27),summary:(errorBudget:(consumed:0.064,initial:0.02,isEstimated:!f,remaining:0.936),fiveMinuteBurnRate:0,oneDayBurnRate:0,oneHourBurnRate:0,sliValue:0.99872,status:HEALTHY),tags:!(k8s,production,critical),timeWindow:(duration:%2730d%27,type:rolling),updatedAt:%272022-12-29T10:11:12.000Z%27,version:2)"`
+ `"https://cloud.elast.co/app/slos/create?_a=(budgetingMethod:occurrences,createdAt:%272022-12-29T10:11:12.000Z%27,description:%27some%20description%20useful%27,enabled:!t,groupBy:%27*%27,groupings:(),indicator:(params:(dataViewId:some-data-view-id,filter:%27baz:%20foo%20and%20bar%20%3E%202%27,good:%27http_status:%202xx%27,index:some-index,timestampField:custom_timestamp,total:%27a%20query%27),type:sli.kql.custom),instanceId:%27*%27,meta:(),name:%27[Copy]%20super%20important%20level%20service%27,objective:(target:0.98),remote:(kibanaUrl:%27https:/cloud.elast.co/kibana%27,remoteName:remote_cluster),revision:1,settings:(frequency:%271m%27,preventInitialBackfill:!f,syncDelay:%271m%27),summary:(errorBudget:(consumed:0.064,initial:0.02,isEstimated:!f,remaining:0.936),fiveMinuteBurnRate:0,oneDayBurnRate:0,oneHourBurnRate:0,sliValue:0.99872,status:HEALTHY),tags:!(k8s,production,critical),timeWindow:(duration:%2730d%27,type:rolling),updatedAt:%272022-12-29T10:11:12.000Z%27,version:2)"`
);
});
@@ -71,7 +71,7 @@ describe('remote SLO URLs Utils', () => {
`"https://cloud.elast.co/s/my-custom-space/app/slos/edit/fixed-id"`
);
expect(createRemoteSloCloneUrl(remoteSlo, 'my-custom-space')).toMatchInlineSnapshot(
- `"https://cloud.elast.co/s/my-custom-space/app/slos/create?_a=(budgetingMethod:occurrences,createdAt:%272022-12-29T10:11:12.000Z%27,description:%27some%20description%20useful%27,enabled:!t,groupBy:%27*%27,groupings:(),indicator:(params:(filter:%27baz:%20foo%20and%20bar%20%3E%202%27,good:%27http_status:%202xx%27,index:some-index,timestampField:custom_timestamp,total:%27a%20query%27),type:sli.kql.custom),instanceId:%27*%27,meta:(),name:%27[Copy]%20super%20important%20level%20service%27,objective:(target:0.98),remote:(kibanaUrl:%27https:/cloud.elast.co/kibana%27,remoteName:remote_cluster),revision:1,settings:(frequency:%271m%27,preventInitialBackfill:!f,syncDelay:%271m%27),summary:(errorBudget:(consumed:0.064,initial:0.02,isEstimated:!f,remaining:0.936),fiveMinuteBurnRate:0,oneDayBurnRate:0,oneHourBurnRate:0,sliValue:0.99872,status:HEALTHY),tags:!(k8s,production,critical),timeWindow:(duration:%2730d%27,type:rolling),updatedAt:%272022-12-29T10:11:12.000Z%27,version:2)"`
+ `"https://cloud.elast.co/s/my-custom-space/app/slos/create?_a=(budgetingMethod:occurrences,createdAt:%272022-12-29T10:11:12.000Z%27,description:%27some%20description%20useful%27,enabled:!t,groupBy:%27*%27,groupings:(),indicator:(params:(dataViewId:some-data-view-id,filter:%27baz:%20foo%20and%20bar%20%3E%202%27,good:%27http_status:%202xx%27,index:some-index,timestampField:custom_timestamp,total:%27a%20query%27),type:sli.kql.custom),instanceId:%27*%27,meta:(),name:%27[Copy]%20super%20important%20level%20service%27,objective:(target:0.98),remote:(kibanaUrl:%27https:/cloud.elast.co/kibana%27,remoteName:remote_cluster),revision:1,settings:(frequency:%271m%27,preventInitialBackfill:!f,syncDelay:%271m%27),summary:(errorBudget:(consumed:0.064,initial:0.02,isEstimated:!f,remaining:0.936),fiveMinuteBurnRate:0,oneDayBurnRate:0,oneHourBurnRate:0,sliValue:0.99872,status:HEALTHY),tags:!(k8s,production,critical),timeWindow:(duration:%2730d%27,type:rolling),updatedAt:%272022-12-29T10:11:12.000Z%27,version:2)"`
);
});
});
diff --git a/x-pack/plugins/observability_solution/slo/server/services/create_slo.ts b/x-pack/plugins/observability_solution/slo/server/services/create_slo.ts
index e7c09c352bd66..a8e01fb4681f4 100644
--- a/x-pack/plugins/observability_solution/slo/server/services/create_slo.ts
+++ b/x-pack/plugins/observability_solution/slo/server/services/create_slo.ts
@@ -9,6 +9,7 @@ import { TransformPutTransformRequest } from '@elastic/elasticsearch/lib/api/typ
import { ElasticsearchClient, IBasePath, IScopedClusterClient, Logger } from '@kbn/core/server';
import { ALL_VALUE, CreateSLOParams, CreateSLOResponse } from '@kbn/slo-schema';
import { asyncForEach } from '@kbn/std';
+import { merge } from 'lodash';
import { v4 as uuidv4 } from 'uuid';
import {
SLO_MODEL_VERSION,
@@ -46,8 +47,10 @@ export class CreateSLO {
const slo = this.toSLO(params);
validateSLO(slo);
- await this.assertSLOInexistant(slo);
- await assertExpectedIndicatorSourceIndexPrivileges(slo, this.esClient);
+ await Promise.all([
+ this.assertSLOInexistant(slo),
+ assertExpectedIndicatorSourceIndexPrivileges(slo, this.esClient),
+ ]);
const rollbackOperations = [];
const createPromise = this.repository.create(slo);
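Review bot: Running `assertSLOInexistant` and `assertExpectedIndicatorSourceIndexPrivileges` under `Promise.all` makes the reported error nondeterministic when both checks fail: `Promise.all` rejects with whichever rejection settles first, so a caller may see a conflict on one attempt and a privileges error on the next, and the other failure is discarded. Previously the privilege check did not run at all when the SLO already existed, so the change also alters which error a caller lacking index privileges can observe. If the parallelism is worth keeping, consider `Promise.allSettled` and report the rejections in a fixed order, otherwise keep the sequential awaits. The `execute` body continues outside the hunk.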
@@ -201,11 +204,14 @@ export class CreateSLO {
return {
...params,
id: params.id ?? uuidv4(),
- settings: {
- syncDelay: params.settings?.syncDelay ?? new Duration(1, DurationUnit.Minute),
- frequency: params.settings?.frequency ?? new Duration(1, DurationUnit.Minute),
- preventInitialBackfill: params.settings?.preventInitialBackfill ?? false,
- },
+ settings: merge(
+ {
+ syncDelay: new Duration(1, DurationUnit.Minute),
+ frequency: new Duration(1, DurationUnit.Minute),
+ preventInitialBackfill: false,
+ },
+ params.settings
+ ),
revision: params.revision ?? 1,
enabled: true,
tags: params.tags ?? [],
diff --git a/x-pack/plugins/observability_solution/slo/server/services/slo_repository.ts b/x-pack/plugins/observability_solution/slo/server/services/slo_repository.ts
index 4f9cf439e8ed1..afbdb999fc064 100644
--- a/x-pack/plugins/observability_solution/slo/server/services/slo_repository.ts
+++ b/x-pack/plugins/observability_solution/slo/server/services/slo_repository.ts
@@ -9,6 +9,7 @@ import { SavedObjectsClientContract } from '@kbn/core-saved-objects-api-server';
import { Logger } from '@kbn/core/server';
import { ALL_VALUE, Paginated, Pagination, sloDefinitionSchema } from '@kbn/slo-schema';
import { isLeft } from 'fp-ts/lib/Either';
+import { merge } from 'lodash';
import { SLO_MODEL_VERSION } from '../../common/constants';
import { SLODefinition, StoredSLODefinition } from '../domain/models';
import { SLONotFound } from '../errors';
@@ -155,10 +156,10 @@ export class KibanaSavedObjectsSLORepository implements SLORepository {
// We would need to call the _reset api on this SLO.
version: storedSLO.version ?? 1,
// settings.preventInitialBackfill was added in 8.15.0
- settings: {
- ...storedSLO.settings,
- preventInitialBackfill: storedSLO.settings?.preventInitialBackfill ?? false,
- },
+ settings: merge(
+ { preventInitialBackfill: false, syncDelay: '1m', frequency: '1m' },
+ storedSLO.settings
+ ),
});
if (isLeft(result)) {
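Review bot: The comment `// settings.preventInitialBackfill was added in 8.15.0` now sits above a `merge` that also defaults `syncDelay` and `frequency` to `'1m'`, and it no longer explains those two. If the point is that stored definitions written before these fields existed must still decode, say so: `// Defaults for settings fields missing from older stored definitions (preventInitialBackfill: 8.15.0; syncDelay/frequency defaulted here as well)`. Note too that lodash `merge` keeps an explicit `null` where the previous `?? false` coerced it to `false`; if a stored document can carry `null` there, the `sloDefinitionSchema` decode below is where that now surfaces. The enclosing method starts outside the hunk.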
diff --git a/x-pack/plugins/observability_solution/slo/server/services/transform_generators/__snapshots__/transform_generator.test.ts.snap b/x-pack/plugins/observability_solution/slo/server/services/transform_generators/__snapshots__/transform_generator.test.ts.snap
index 7d8e989c1140d..f49785cf936c5 100644
--- a/x-pack/plugins/observability_solution/slo/server/services/transform_generators/__snapshots__/transform_generator.test.ts.snap
+++ b/x-pack/plugins/observability_solution/slo/server/services/transform_generators/__snapshots__/transform_generator.test.ts.snap
@@ -63,3 +63,11 @@ Object {
},
}
`;
+
+exports[`Transform Generator settings builds the transform settings 1`] = `
+Object {
+ "frequency": "2m",
+ "sync_delay": "10m",
+ "sync_field": "my_timestamp_sync_field",
+}
+`;
diff --git a/x-pack/plugins/observability_solution/slo/server/services/transform_generators/apm_transaction_duration.ts b/x-pack/plugins/observability_solution/slo/server/services/transform_generators/apm_transaction_duration.ts
index d1f05605dab36..99361fa776789 100644
--- a/x-pack/plugins/observability_solution/slo/server/services/transform_generators/apm_transaction_duration.ts
+++ b/x-pack/plugins/observability_solution/slo/server/services/transform_generators/apm_transaction_duration.ts
@@ -42,7 +42,7 @@ export class ApmTransactionDurationTransformGenerator extends TransformGenerator
this.buildDestination(slo),
this.buildGroupBy(slo, slo.indicator),
this.buildAggregations(slo, slo.indicator),
- this.buildSettings(slo),
+ this.buildSettings(slo, '@timestamp'),
slo
);
}
diff --git a/x-pack/plugins/observability_solution/slo/server/services/transform_generators/apm_transaction_error_rate.ts b/x-pack/plugins/observability_solution/slo/server/services/transform_generators/apm_transaction_error_rate.ts
index 6adbd1d3eae9f..a65e4ae1d50dd 100644
--- a/x-pack/plugins/observability_solution/slo/server/services/transform_generators/apm_transaction_error_rate.ts
+++ b/x-pack/plugins/observability_solution/slo/server/services/transform_generators/apm_transaction_error_rate.ts
@@ -41,7 +41,7 @@ export class ApmTransactionErrorRateTransformGenerator extends TransformGenerato
this.buildDestination(slo),
this.buildGroupBy(slo, slo.indicator),
this.buildAggregations(slo),
- this.buildSettings(slo),
+ this.buildSettings(slo, '@timestamp'),
slo
);
}
diff --git a/x-pack/plugins/observability_solution/slo/server/services/transform_generators/transform_generator.test.ts b/x-pack/plugins/observability_solution/slo/server/services/transform_generators/transform_generator.test.ts
index e70d406d75396..2df8a1e40eebb 100644
--- a/x-pack/plugins/observability_solution/slo/server/services/transform_generators/transform_generator.test.ts
+++ b/x-pack/plugins/observability_solution/slo/server/services/transform_generators/transform_generator.test.ts
@@ -5,6 +5,7 @@
* 2.0.
*/
+import { Duration, DurationUnit } from '../../domain/models';
import { createAPMTransactionErrorRateIndicator, createSLO } from '../fixtures/slo';
import { ApmTransactionErrorRateTransformGenerator } from './apm_transaction_error_rate';
import { dataViewsService } from '@kbn/data-views-plugin/server/mocks';
@@ -45,4 +46,46 @@ describe('Transform Generator', () => {
expect(runtimeMappings).toEqual({});
});
});
+
+ describe('settings', () => {
+ const defaultSettings = {
+ syncDelay: new Duration(10, DurationUnit.Minute),
+ frequency: new Duration(2, DurationUnit.Minute),
+ preventInitialBackfill: true,
+ };
+
+ it('builds the transform settings', async () => {
+ const slo = createSLO({
+ settings: {
+ ...defaultSettings,
+ syncField: 'my_timestamp_sync_field',
+ },
+ });
+ const settings = generator.buildSettings(slo);
+ expect(settings).toMatchSnapshot();
+ });
+
+ it('builds the transform settings using the provided settings.syncField', async () => {
+ const slo = createSLO({
+ settings: {
+ ...defaultSettings,
+ syncField: 'my_timestamp_sync_field',
+ },
+ });
+ const settings = generator.buildSettings(slo, '@timestamp');
+ expect(settings.sync_field).toEqual('my_timestamp_sync_field');
+ });
+
+ it('builds the transform settings using provided fallback when no settings.syncField is configured', async () => {
+ const slo = createSLO({ settings: defaultSettings });
+ const settings = generator.buildSettings(slo, '@timestamp2');
+ expect(settings.sync_field).toEqual('@timestamp2');
+ });
+
+ it("builds the transform settings using '@timestamp' default fallback when no settings.syncField is configured", async () => {
+ const slo = createSLO({ settings: defaultSettings });
+ const settings = generator.buildSettings(slo);
+ expect(settings.sync_field).toEqual('@timestamp');
+ });
+ });
});
diff --git a/x-pack/plugins/observability_solution/slo/server/services/transform_generators/transform_generator.ts b/x-pack/plugins/observability_solution/slo/server/services/transform_generators/transform_generator.ts
index 6c44471fd6566..ea27ebbc7aa38 100644
--- a/x-pack/plugins/observability_solution/slo/server/services/transform_generators/transform_generator.ts
+++ b/x-pack/plugins/observability_solution/slo/server/services/transform_generators/transform_generator.ts
@@ -88,8 +88,9 @@ export abstract class TransformGenerator {
): TransformSettings {
return {
frequency: slo.settings.frequency.format(),
- sync_field: sourceIndexTimestampField, // timestamp field defined in the source index
sync_delay: slo.settings.syncDelay.format(),
+ // 8.17: use settings.syncField if truthy or default to sourceIndexTimestampField which is the indicator timestampField
+ sync_field: !!slo.settings.syncField ? slo.settings.syncField : sourceIndexTimestampField,
};
}
}
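Review bot: `slo.settings.syncField` is taken verbatim as the transform's `sync_field`, and nothing in this hunk checks that the field exists in the source index or is a date field; a wrong name means the transform's checkpointing either fails at creation or never advances, which shows up as an SLO with no data rather than as a validation error. The UI selector can only guard the UI path, so the API path still accepts any string; a check against the indicator's data view, or at least a clear error surfaced from transform creation, belongs on the server side. Stylistically, `!!slo.settings.syncField ? slo.settings.syncField : sourceIndexTimestampField` is `slo.settings.syncField || sourceIndexTimestampField`, and the comment reads better as `// settings.syncField (8.17) overrides the indicator's timestamp field when set`. `buildSettings` starts outside the hunk.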
diff --git a/x-pack/plugins/observability_solution/slo/server/services/update_slo.ts b/x-pack/plugins/observability_solution/slo/server/services/update_slo.ts
index d1dfb2e70e00c..402ca82acecd4 100644
--- a/x-pack/plugins/observability_solution/slo/server/services/update_slo.ts
+++ b/x-pack/plugins/observability_solution/slo/server/services/update_slo.ts
@@ -43,9 +43,10 @@ export class UpdateSLO {
public async execute(sloId: string, params: UpdateSLOParams): Promise {
const originalSlo = await this.repository.findById(sloId);
- let updatedSlo: SLODefinition = Object.assign({}, originalSlo, params, {
+ let updatedSlo: SLODefinition = Object.assign({}, originalSlo, {
+ ...params,
groupBy: !!params.groupBy ? params.groupBy : originalSlo.groupBy,
- settings: mergePartialSettings(originalSlo.settings, params.settings),
+ settings: Object.assign({}, originalSlo.settings, params.settings),
});
if (isEqual(originalSlo, updatedSlo)) {
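Review bot: `Object.assign({}, originalSlo.settings, params.settings)` copies own properties whose value is `undefined`, whereas create_slo.ts in this same change uses lodash `merge`, which skips them; a partial update arriving with `syncField: undefined` from an internal caller (a JSON body cannot carry it) would clear the stored value here but be ignored there. Pick one merge helper for both services, or restore the deleted `mergePartialSettings` doc sentence as a comment on this line so the overwrite semantics stay stated. `execute` continues outside the hunk.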
@@ -263,13 +264,3 @@ export class UpdateSLO {
return updateSLOResponseSchema.encode(slo);
}
}
-
-/**
- * Settings are merged by overwriting the original settings with the optional new partial settings.
- */
-function mergePartialSettings(
- originalSettings: SLODefinition['settings'],
- newPartialSettings: UpdateSLOParams['settings']
-) {
- return Object.assign({}, originalSettings, newPartialSettings);
-}
diff --git a/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_create_slo.ts b/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_create_slo.ts
index c75bc5e489208..03c2c2ace9210 100644
--- a/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_create_slo.ts
+++ b/x-pack/plugins/observability_solution/synthetics/public/apps/synthetics/components/monitors_page/hooks/use_create_slo.ts
@@ -41,10 +41,6 @@ export function useCreateSLO({
tags: [],
},
},
- budgetingMethod: 'occurrences',
- objective: {
- target: 0.99,
- },
tags: tags || [],
groupBy: ['monitor.name', 'observer.geo.name', 'monitor.id'],
},