Authentication

Api key auth (http_api_key)

You must create an API key and use the encoded value in the request header. To learn about creating keys, go to API keys.

Alerting

Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.

Alerting documentation

Unmute an alert

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute
Api key auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • rule_id string Required

    The identifier for the rule.

  • alert_id string Required

    The identifier for the alert.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule or alert with the given ID does not exist.

POST /api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute 
curl \
 --request POST 'https://<KIBANA_URL>/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Create or update agent configuration

PUT /api/apm/settings/agent-configuration
Api key auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • overwrite boolean

    If the config exists ?overwrite=true is required

application/json

Body Required

  • agent_name string

    The agent name is used by the UI to determine which settings to display.

  • service object Required

    Service

    Hide service attributes Show service attributes object
  • settings object Required

    Agent configuration settings

    Hide settings attribute Show settings attribute object
    • * string Additional properties

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
PUT /api/apm/settings/agent-configuration 
curl \
 --request PUT 'https://<KIBANA_URL>/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '"{\n    \"service\": {\n        \"name\": \"frontend\",\n        \"environment\": \"production\"\n    },\n    \"settings\": {\n        \"transaction_sample_rate\": \"0.4\",\n        \"capture_body\": \"off\",\n        \"transaction_max_spans\": \"500\"\n    },\n    \"agent_name\": \"nodejs\"\n}\n"'
Request example
Run `PUT /api/apm/settings/agent-configuration` to create or update configuration details. 
{
    "service": {
        "name": "frontend",
        "environment": "production"
    },
    "settings": {
        "transaction_sample_rate": "0.4",
        "capture_body": "off",
        "transaction_max_spans": "500"
    },
    "agent_name": "nodejs"
}

Search for annotations

GET /api/apm/services/{serviceName}/annotation/search
Api key auth

Search for annotations related to a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Path parameters

Query parameters

  • environment string

    The environment to filter annotations by

  • start string

    The start date for the search

  • end string

    The end date for the search

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal Server Error response

    Hide response attributes Show response attributes object
GET /api/apm/services/{serviceName}/annotation/search 
curl \
 --request GET 'https://<KIBANA_URL>/api/apm/services/{serviceName}/annotation/search' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

Get CCR Remote synced integrations status

GET /api/fleet/remote_synced_integrations/status
Api key auth

[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.

Responses

GET /api/fleet/remote_synced_integrations/status 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/remote_synced_integrations/status' \
 --header "Authorization: $API_KEY"

Get connector types

GET /api/actions/connector_types
Api key auth

You do not need any Kibana feature privileges to run this API.

Query parameters

  • feature_id string

    A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).

Responses

  • 200 application/json

    Indicates a successful call.

GET /api/actions/connector_types 
curl \
 --request GET 'https://<KIBANA_URL>/api/actions/connector_types' \
 --header "Authorization: $API_KEY"
Response examples (200) 
[
  {
    "id": ".gen-ai",
    "name": "OpenAI",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".bedrock",
    "name": "AWS Bedrock",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity",
      "generativeAIForObservability",
      "generativeAIForSearchPlayground"
    ],
    "minimum_license_required": "enterprise"
  },
  {
    "id": ".gemini",
    "name": "Google Gemini",
    "enabled": true,
    "enabled_in_config": true,
    "enabled_in_license": true,
    "is_system_action_type": false,
    "supported_feature_ids": [
      "generativeAIForSecurity"
    ],
    "minimum_license_required": "enterprise"
  }
]

Get a list of dashboards Technical Preview

GET /api/dashboards/dashboard
Api key auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Query parameters

  • page number

    The page number to return. Default is "1".

    Minimum value is 1. Default value is 1.

  • perPage number

    The number of dashboards to display on each page (max 1000). Default is "20".

    Minimum value is 1, maximum value is 1000.

Responses

GET /api/dashboards/dashboard 
curl \
 --request GET 'https://<KIBANA_URL>/api/dashboards/dashboard' \
 --header "Authorization: $API_KEY"

Get data streams

GET /api/fleet/data_streams
Api key auth

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.

Responses

GET /api/fleet/data_streams 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/data_streams' \
 --header "Authorization: $API_KEY"

Get data streams

GET /api/fleet/epm/data_streams
Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Query parameters

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attribute Show items attribute object
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/epm/data_streams 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/data_streams' \
 --header "Authorization: $API_KEY"

Create or update a runtime field

PUT /api/data_views/data_view/{viewId}/runtime_field
Api key auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    The ID of the data view fields you want to update.

application/json

Body Required

  • name string Required

    The name for a runtime field.

  • runtimeField object Required

    The runtime field definition object.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
PUT /api/data_views/data_view/{viewId}/runtime_field 
curl \
 --request PUT 'https://<KIBANA_URL>/api/data_views/data_view/{viewId}/runtime_field' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
Request example 
{
  "name": "runtimeFoo",
  "runtimeField": {
    "type": "long",
    "script": {
      "source": "emit(doc[\"foo\"].value)"
    }
  }
}

Create a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field
Api key auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • name string Required

    The name for a runtime field.

  • runtimeField object Required

    The runtime field definition object.

Responses

  • 200 application/json

    Indicates a successful call.
POST /api/data_views/data_view/{viewId}/runtime_field 
curl \
 --request POST 'https://<KIBANA_URL>/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
Request example 
{
  "name": "runtimeFoo",
  "runtimeField": {
    "type": "long",
    "script": {
      "source": "emit(doc[\"foo\"].value)"
    }
  }
}

Reassign an agent

POST /api/fleet/agents/{agentId}/reassign
Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

Responses

POST /api/fleet/agents/{agentId}/reassign 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agents/{agentId}/reassign' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"policy_id":"string"}'

Bulk reassign agents

POST /api/fleet/agents/bulk_reassign
Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/agents/bulk_reassign 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agents/bulk_reassign' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"policy_id":"string"}'

Get agent policies

GET /api/fleet/agent_policies
Api key auth

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-agents-read OR fleet-setup.

Query parameters

Responses

GET /api/fleet/agent_policies 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agent_policies' \
 --header "Authorization: $API_KEY"

Get auto upgrade agent status

GET /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status
Api key auth

Get auto upgrade agent status

[Required authorization] Route required privileges: fleet-agents-read.

Responses

GET /api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agent_policies/{agentPolicyId}/auto_upgrade_agents_status' \
 --header "Authorization: $API_KEY"

Download an agent policy

GET /api/fleet/agent_policies/{agentPolicyId}/download
Api key auth

Download an agent policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-setup.

Responses

GET /api/fleet/agent_policies/{agentPolicyId}/download 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agent_policies/{agentPolicyId}/download' \
 --header "Authorization: $API_KEY"

Get outputs for agent policies

POST /api/fleet/agent_policies/outputs
Api key auth

Get a list of outputs associated with agent policies.

[Required authorization] Route required privileges: fleet-agent-policies-read AND fleet-settings-read.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • ids array[string] Required

    list of package policy ids

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • items array[object] Required
      Hide items attributes Show items attributes object
      • agentPolicyId string
      • data object Required

        Additional properties are NOT allowed.

        Hide data attributes Show data attributes object
      • monitoring object Required

        Additional properties are NOT allowed.

        Hide monitoring attribute Show monitoring attribute object
        • output object Required

          Additional properties are NOT allowed.

          Hide output attributes Show output attributes object
  • 400 application/json
    Hide response attributes Show response attributes object
POST /api/fleet/agent_policies/outputs 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agent_policies/outputs' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"ids":["string"]}'

Elastic Agents

Update package settings

PUT /api/fleet/epm/packages/{pkgName}/{pkgVersion}
Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

PUT /api/fleet/epm/packages/{pkgName}/{pkgVersion} 
curl \
 --request PUT 'https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"keepPoliciesUpToDate":true}'

Install a package from the registry

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion}
Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Query parameters

application/json

Body

Responses

POST /api/fleet/epm/packages/{pkgName}/{pkgVersion} 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":false,"ignore_constraints":false}'

Get package stats

GET /api/fleet/epm/packages/{pkgName}/stats
Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Responses

GET /api/fleet/epm/packages/{pkgName}/stats 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/stats' \
 --header "Authorization: $API_KEY"

Get installed packages

GET /api/fleet/epm/packages/installed
Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Query parameters

Responses

GET /api/fleet/epm/packages/installed 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/packages/installed' \
 --header "Authorization: $API_KEY"

Get a limited package list

GET /api/fleet/epm/packages/limited
Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Responses

GET /api/fleet/epm/packages/limited 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/packages/limited' \
 --header "Authorization: $API_KEY"

Get an inputs template

GET /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs
Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Path parameters

Query parameters

Responses

GET /api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs' \
 --header "Authorization: $API_KEY"

Get a package signature verification key ID

GET /api/fleet/epm/verification_key_id
Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Responses

GET /api/fleet/epm/verification_key_id 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/verification_key_id' \
 --header "Authorization: $API_KEY"

Fleet outputs

Get a package policy

GET /api/fleet/package_policies/{packagePolicyId}
Api key auth

Get a package policy by ID.

Query parameters

  • format string

    Values are simplified or legacy.

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • additional_datastreams_permissions array[string] | null

        Additional datastream permissions, that will be added to the agent policy.

      • agents number
      • created_at string Required
      • created_by string Required
      • description string

        Package policy description

      • elasticsearch object

        Additional properties are allowed.

        Hide elasticsearch attribute Show elasticsearch attribute object
        • privileges object

          Additional properties are allowed.

          Hide privileges attribute Show privileges attribute object
      • enabled boolean Required
      • id string Required

      • inputs array[object] | object Required

        Any of:
        array-1 array[object] object-2 object
        Hide attributes Show attributes object
        • config object

          Package variable (see integration documentation for more information)

          Hide config attribute Show config attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
        • enabled boolean Required
        • id string
        • keep_enabled boolean
        • policy_template string
        • streams array[object] Required
          Hide streams attributes Show streams attributes object
          • config object

            Package variable (see integration documentation for more information)

            Hide config attribute Show config attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
          • data_stream object Required

            Additional properties are NOT allowed.

            Hide data_stream attributes Show data_stream attributes object
          • enabled boolean Required
          • id string
          • keep_enabled boolean
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            Hide vars attribute Show vars attribute object
            • * object Additional properties

              Additional properties are NOT allowed.

              Hide * attributes Show * attributes object
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          Hide vars attribute Show vars attribute object
          • * object Additional properties

            Additional properties are NOT allowed.

            Hide * attributes Show * attributes object
      • is_managed boolean
      • name string Required

        Package policy name (should be unique)

      • namespace string

        The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        Hide overrides attribute Show overrides attribute object | null
        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        Hide package attributes Show package attributes object
      • policy_id string | null Deprecated

        Agent policy ID where that package policy will be added

      • policy_ids array[string]

        Agent policy IDs where that package policy will be added

      • revision number Required
      • secret_references array[object]
        Hide secret_references attribute Show secret_references attribute object
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • updated_at string Required
      • updated_by string Required

      • vars object

        Any of:
        object-1 object object-2 object

        Package variable (see integration documentation for more information)

        Hide attribute Show attribute
        • * object Additional properties

          Additional properties are NOT allowed.

          Hide * attributes Show * attributes object
      • version string
  • 400 application/json
    Hide response attributes Show response attributes object
  • 404 application/json
    Hide response attribute Show response attribute object
GET /api/fleet/package_policies/{packagePolicyId} 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/package_policies/{packagePolicyId}' \
 --header "Authorization: $API_KEY"

Delete a package policy

DELETE /api/fleet/package_policies/{packagePolicyId}
Api key auth

Delete a package policy by ID.

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

DELETE /api/fleet/package_policies/{packagePolicyId} 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/fleet/package_policies/{packagePolicyId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get proxies

GET /api/fleet/proxies
Api key auth

[Required authorization] Route required privileges: fleet-settings-read.

Responses

GET /api/fleet/proxies 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/proxies' \
 --header "Authorization: $API_KEY"

Update a proxy

PUT /api/fleet/proxies/{itemId}
Api key auth

Update a proxy by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

PUT /api/fleet/proxies/{itemId} 
curl \
 --request PUT 'https://<KIBANA_URL>/api/fleet/proxies/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","name":"string","proxy_headers":{},"url":"string"}'

Update a Fleet Server host

PUT /api/fleet/fleet_server_hosts/{itemId}
Api key auth

Update a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

PUT /api/fleet/fleet_server_hosts/{itemId} 
curl \
 --request PUT 'https://<KIBANA_URL>/api/fleet/fleet_server_hosts/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"host_urls":["string"],"is_default":true,"is_internal":true,"name":"string","proxy_id":"string","secrets":{"ssl":{"es_key":{"id":"string"},"key":{"id":"string"}}},"ssl":{"certificate":"string","certificate_authorities":["string"],"client_auth":"optional","es_certificate":"string","es_certificate_authorities":["string"],"es_key":"string","key":"string"}}'

Fleet service tokens

Fleet uninstall tokens

Apply a bulk action to prompts

POST /api/security_ai_assistant/prompts/_bulk_action
Api key auth

Apply a bulk action to multiple prompts. The bulk action is applied to all prompts that match the filter or to the list of prompts by their IDs.

application/json

Body

Responses

POST /api/security_ai_assistant/prompts/_bulk_action 
curl \
 --request POST 'https://<KIBANA_URL>/api/security_ai_assistant/prompts/_bulk_action' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"create":[{"categories":["string"],"color":"string","consumer":"string","content":"string","isDefault":true,"isNewConversationDefault":true,"name":"string","promptType":"system"}],"delete":{"ids":["string"],"query":"string"},"update":[{"categories":["string"],"color":"string","consumer":"string","content":"string","id":"string","isDefault":true,"isNewConversationDefault":true}]}'

Import detection rules

POST /api/detection_engine/rules/_import
Api key auth

Import detection rules from an .ndjson file, including actions and exception lists. The request must include:

  • The Content-Type: multipart/form-data HTTP header.
  • A link to the .ndjson file containing the rules.

When used with API key authentication, the user's key gets assigned to the affected rules. If the user's key gets deleted or the user becomes inactive, the rules will stop running.

If the API key that is used for authorization has different privileges than the key that created or most recently updated the rule, the rule behavior might change.

info To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges. Refer to Enable and access detections for more information.


Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.

You can use Kibana’s Saved Objects UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before importing detection rules.

Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Manage value lists UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.

Query parameters

  • overwrite boolean

    Determines whether existing rules with the same rule_id are overwritten.

    Default value is false.

  • overwrite_exceptions boolean

    Determines whether existing exception lists with the same list_id are overwritten. Both the exception list container and its items are overwritten.

    Default value is false.

  • overwrite_action_connectors boolean

    Determines whether existing actions with the same kibana.alert.rule.actions.id are overwritten.

    Default value is false.

  • as_new_list boolean

    Generates a new list ID for each imported exception list.

    Default value is false.

multipart/form-data

Body Required

  • file string(binary)

    The .ndjson file containing the rules.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • action_connectors_errors array[object] Required
      Hide action_connectors_errors attributes Show action_connectors_errors attributes object
      • error object Required
        Hide error attributes Show error attributes object
      • id string
      • item_id string

        Minimum length is 1.

      • list_id string

        Minimum length is 1.

      • rule_id string

        A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

    • action_connectors_success boolean Required
    • action_connectors_success_count integer Required

      Minimum value is 0.

    • action_connectors_warnings array[object] Required
      Hide action_connectors_warnings attributes Show action_connectors_warnings attributes object
    • errors array[object] Required
      Hide errors attributes Show errors attributes object
      • error object Required
        Hide error attributes Show error attributes object
      • id string
      • item_id string

        Minimum length is 1.

      • list_id string

        Minimum length is 1.

      • rule_id string

        A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

    • exceptions_errors array[object] Required
      Hide exceptions_errors attributes Show exceptions_errors attributes object
      • error object Required
        Hide error attributes Show error attributes object
      • id string
      • item_id string

        Minimum length is 1.

      • list_id string

        Minimum length is 1.

      • rule_id string

        A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

    • exceptions_success boolean Required
    • exceptions_success_count integer Required

      Minimum value is 0.

    • rules_count integer Required

      Minimum value is 0.

    • success boolean Required
    • success_count integer Required

      Minimum value is 0.
POST /api/detection_engine/rules/_import 
curl -X POST "<KibanaURL>/api/detection_engine/rules/_import"
-u <username>:<password> -H 'kbn-xsrf: true'
-H 'Content-Type: multipart/form-data'
--form "file=@<link to file>"
Response examples (200) 
{
  "errors": [],
  "success": true,
  "rules_count": 1,
  "success_count": 1,
  "exceptions_errors": [],
  "exceptions_success": true,
  "exceptions_success_count": 0
}

Get response actions status

GET /api/endpoint/action_status
Api key auth

Get the status of response actions for the specified agent IDs.

Query parameters

Responses

GET /api/endpoint/action_status 
curl \
 --request GET 'https://<KIBANA_URL>/api/endpoint/action_status?query=%7B%7D' \
 --header "Authorization: $API_KEY"

Isolate an endpoint

POST /api/endpoint/action/isolate
Api key auth

Isolate an endpoint from the network. The endpoint remains isolated until it's released.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object

    Optional parameters object

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/isolate 
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/isolate' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Locked down, pending further investigation","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}'
Request examples 
{
  "comment": "Locked down, pending further investigation",
  "endpoint_ids": [
    "9972d10e-4b9e-41aa-a534-a85e2a28ea42",
    "bc0e4f0c-3bca-4633-9fee-156c0b505d16",
    "fa89271b-b9d4-43f2-a684-307cffddeb5a"
  ]
}
{
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
{
  "comment": "Isolating as initial response",
  "case_ids": [
    "4976be38-c134-4554-bd5e-0fd89ce63667"
  ],
  "endpoint_ids": [
    "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
    "b30a11bf-1395-4707-b508-fbb45ef9793e"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "errors": [],
    "command": "suspend-process",
    "comment": "suspend the process",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2022-07-29T19:08:49.126Z",
    "parameters": {
      "entity_id": "abc123"
    },
    "completedAt": "2022-07-29T19:09:44.961Z",
    "isCompleted": true,
    "wasSuccessful": true
  },
  "action": "233db9ea-6733-4849-9226-5a7039c7161d"
}

Release an isolated endpoint

POST /api/endpoint/action/unisolate
Api key auth

Release an isolated endpoint, allowing it to rejoin a network.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object

    Optional parameters object

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/unisolate 
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/unisolate' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Benign process identified, releasing group","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}'
Request examples 
{
  "comment": "Benign process identified, releasing group",
  "endpoint_ids": [
    "9972d10e-4b9e-41aa-a534-a85e2a28ea42",
    "bc0e4f0c-3bca-4633-9fee-156c0b505d16",
    "fa89271b-b9d4-43f2-a684-307cffddeb5a"
  ]
}
{
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
{
  "comment": "Remediation complete, restoring network",
  "case_ids": [
    "4976be38-c134-4554-bd5e-0fd89ce63667"
  ],
  "endpoint_ids": [
    "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
    "b30a11bf-1395-4707-b508-fbb45ef9793e"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "errors": [],
    "command": "suspend-process",
    "comment": "suspend the process",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2022-07-29T19:08:49.126Z",
    "parameters": {
      "entity_id": "abc123"
    },
    "completedAt": "2022-07-29T19:09:44.961Z",
    "isCompleted": true,
    "wasSuccessful": true
  },
  "action": "233db9ea-6733-4849-9226-5a7039c7161d"
}

Get a protection updates note

GET /api/endpoint/protection_updates_note/{package_policy_id}
Api key auth

Responses

  • 200 application/json

    OK

    Hide response attribute Show response attribute object
GET /api/endpoint/protection_updates_note/{package_policy_id} 
curl \
 --request GET 'https://<KIBANA_URL>/api/endpoint/protection_updates_note/{package_policy_id}' \
 --header "Authorization: $API_KEY"

Security entity analytics

Upsert an asset criticality record

POST /api/asset_criticality
Api key auth

Create or update an asset criticality record for a specific entity.

If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.

application/json

Body Required

  • id_field string Required

    Values are host.name, user.name, service.name, or entity.id.

  • id_value string Required

    The ID value of the asset.

  • criticality_level string Required

    The criticality level of the asset.

    Values are low_impact, medium_impact, high_impact, or extreme_impact.

  • refresh string

    If 'wait_for' the request will wait for the index refresh.

    Value is wait_for.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object

    The deleted record if it existed.

    • id_field string Required

      Values are host.name, user.name, service.name, or entity.id.

    • id_value string Required

      The ID value of the asset.

    • criticality_level string Required

      The criticality level of the asset.

      Values are low_impact, medium_impact, high_impact, or extreme_impact.

    • asset object Required
      Hide asset attribute Show asset attribute object
      • criticality string

        The criticality level of the asset.

        Values are low_impact, medium_impact, high_impact, or extreme_impact.

    • host object
      Hide host attributes Show host attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • service object
      Hide service attributes Show service attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • user object
      Hide user attributes Show user attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • @timestamp string(date-time) Required

      The time the record was created or updated.
  • 400

    Invalid request

POST /api/asset_criticality 
curl \
 --request POST 'https://<KIBANA_URL>/api/asset_criticality' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"id_field":"host.name","id_value":"my_host","criticality_level":"high_impact"}'
Request example 
{
  "id_field": "host.name",
  "id_value": "my_host",
  "criticality_level": "high_impact"
}
Response examples (200) 
{
  "host": {
    "name": "my_host",
    "asset": {
      "criticality": "high_impact"
    }
  },
  "asset": {
    "criticality": "high_impact"
  },
  "id_field": "host.name",
  "id_value": "my_host",
  "@timestamp": "2024-08-02T11:15:34.290Z",
  "criticality_level": "high_impact"
}

Health check on Privilege Monitoring

GET /api/entity_analytics/monitoring/privileges/health
Api key auth

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
GET /api/entity_analytics/monitoring/privileges/health 
curl \
 --request GET 'https://<KIBANA_URL>/api/entity_analytics/monitoring/privileges/health' \
 --header "Authorization: $API_KEY"

Run the risk scoring engine

POST /api/risk_score/engine/schedule_now
Api key auth

Schedule the risk scoring engine to run as soon as possible. You can use this to recalculate entity risk scores after updating their asset criticality.

application/json

Body

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Task manager is unavailable

    Hide response attributes Show response attributes object
  • default application/json

    Unexpected error

    Hide response attributes Show response attributes object
POST /api/risk_score/engine/schedule_now 
curl \
 --request POST 'https://<KIBANA_URL>/api/risk_score/engine/schedule_now' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json"

Get exception list details

GET /api/exception_lists
Api key auth

Get the details of an exception list using the id or list_id field.

Query parameters

  • id string(nonempty)

    Exception list's identifier. Either id or list_id must be specified.

    Minimum length is 1.

  • list_id string(nonempty)

    Human readable exception list string identifier, e.g. trusted-linux-processes. Either id or list_id must be specified.

    Minimum length is 1.

  • namespace_type string

    Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • id string(nonempty) Required

      Exception list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the list container.

      Additional properties are allowed.

    • name string Required

      The name of the exception list.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Use this field to specify the operating system. Only enter one value.

      Values are linux, macos, or windows.

    • tags array[string]

      String array containing words and phrases to help categorize exception containers.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      The type of exception list to be created. Different list types may denote where they can be utilized.

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version, automatically increasd on updates.

      Minimum value is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    Exception list item not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
GET /api/exception_lists 
curl \
 --request GET 'https://<KIBANA_URL>/api/exception_lists' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "name": "Sample Detection Exception List",
  "tags": [
    "malware"
  ],
  "type": "detection",
  "list_id": "simple_list",
  "version": 1,
  "_version": "WzIsMV0=",
  "os_types": [
    "linux"
  ],
  "immutable": false,
  "created_at": "2025-01-07T19:34:27.942Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T19:34:27.942Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception list.",
  "namespace_type": "single",
  "tie_breaker_id": "78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3"
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [GET /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}
Response examples (404) 
{
  "message\"": "exception list id: \"foo\" does not exist",
  "status_code\"": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Delete an exception list

DELETE /api/exception_lists
Api key auth

Delete an exception list using the id or list_id field.

Query parameters

  • id string(nonempty)

    Exception list's identifier. Either id or list_id must be specified.

    Minimum length is 1.

  • list_id string(nonempty)

    Human readable exception list string identifier, e.g. trusted-linux-processes. Either id or list_id must be specified.

    Minimum length is 1.

  • namespace_type string

    Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • id string(nonempty) Required

      Exception list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the list container.

      Additional properties are allowed.

    • name string Required

      The name of the exception list.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Use this field to specify the operating system. Only enter one value.

      Values are linux, macos, or windows.

    • tags array[string]

      String array containing words and phrases to help categorize exception containers.

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      The type of exception list to be created. Different list types may denote where they can be utilized.

      Values are detection, rule_default, endpoint, endpoint_trusted_apps, endpoint_events, endpoint_host_isolation_exceptions, or endpoint_blocklists.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version, automatically increasd on updates.

      Minimum value is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    Exception list not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
DELETE /api/exception_lists 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/exception_lists' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85",
  "name": "Sample Detection Exception List",
  "tags": [
    "malware"
  ],
  "type": "detection",
  "list_id": "simple_list",
  "version": 1,
  "_version": "WzIsMV0=",
  "os_types": [
    "linux"
  ],
  "immutable": false,
  "created_at": "2025-01-07T19:34:27.942Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T19:34:27.942Z",
  "updated_by": "elastic",
  "description": "This is a sample detection type exception list.",
  "namespace_type": "single",
  "tie_breaker_id": "78f1aca1-f8ee-4eb5-9ceb-f5c3ee656cb3"
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [DELETE /api/exception_lists?list_id=simple_list&namespace_type=single] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message": "exception list list_id: \"foo\" does not exist",
  "status_code": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Update an exception list item

PUT /api/exception_lists/items
Api key auth

Update an exception list item using the id or item_id field.

application/json

Body Required

Exception list item's properties

  • _version string

    The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

  • comments array[object]

    Default value is [] (empty).

    Hide comments attributes Show comments attributes object
    • comment string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • id string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • description string Required

    Describes the exception list.

  • entries array[object] Required
    Any of:
    Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
    Hide attributes Show attributes
    • field string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • operator string Required

      Values are excluded or included.

    • type string Required Discriminator

      Value is match.

    • value string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • expire_time string(date-time)

    The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

  • id string(nonempty)

    Exception's identifier.

    Minimum length is 1.

  • item_id string(nonempty)

    Human readable string identifier, e.g. trusted-linux-processes

    Minimum length is 1.

  • list_id string(nonempty)

    Exception list's human readable string identifier, e.g. trusted-linux-processes.

    Minimum length is 1.

  • meta object

    Additional properties are allowed.

  • name string(nonempty) Required

    Exception list name.

    Minimum length is 1.

  • namespace_type string

    Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

  • os_types array[string]

    Use this field to specify the operating system.

    Values are linux, macos, or windows. Default value is [] (empty).

  • tags array[string(nonempty)]

    String array containing words and phrases to help categorize exception items.

    Minimum length of each is 1. Default value is [] (empty).

  • type string Required

    Value is simple.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the item was retrieved. Use it ensure updates are done against the latest version.

    • comments array[object] Required

      Array of comment fields:

      • comment (string): Comments about the exception item.
      Hide comments attributes Show comments attributes object
      • comment string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • id string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • updated_at string(date-time)

        Autogenerated date of last object update.

      • updated_by string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string Required

      Describes the exception list.

    • entries array[object] Required
      Any of:
      Security_Exceptions_API_ExceptionListItemEntryMatch object Security_Exceptions_API_ExceptionListItemEntryMatchAny object Security_Exceptions_API_ExceptionListItemEntryList object Security_Exceptions_API_ExceptionListItemEntryExists object Security_Exceptions_API_ExceptionListItemEntryNested object Security_Exceptions_API_ExceptionListItemEntryMatchWildcard object
      Hide attributes Show attributes
      • field string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • operator string Required

        Values are excluded or included.

      • type string Required Discriminator

        Value is match.

      • value string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • expire_time string(date-time)

      The exception item’s expiration date, in ISO format. This field is only available for regular exception items, not endpoint exceptions.

    • id string(nonempty) Required

      Exception's identifier.

      Minimum length is 1.

    • item_id string(nonempty) Required

      Human readable string identifier, e.g. trusted-linux-processes

      Minimum length is 1.

    • list_id string(nonempty) Required

      Exception list's human readable string identifier, e.g. trusted-linux-processes.

      Minimum length is 1.

    • meta object

      Additional properties are allowed.

    • name string(nonempty) Required

      Exception list name.

      Minimum length is 1.

    • namespace_type string Required

      Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

      • single: Only available in the Kibana space in which it is created.
      • agnostic: Available in all Kibana spaces.

      Values are agnostic or single. Default value is single.

    • os_types array[string]

      Use this field to specify the operating system.

      Values are linux, macos, or windows. Default value is [] (empty).

    • tags array[string(nonempty)]

      String array containing words and phrases to help categorize exception items.

      Minimum length of each is 1. Default value is [] (empty).

    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Value is simple.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Exceptions_API_PlatformErrorResponse object Security_Exceptions_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    Exception list item not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
PUT /api/exception_lists/items 
curl \
 --request PUT 'https://<KIBANA_URL>/api/exception_lists/items' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"name":"Updated name","tags":[],"type":"simple","entries":[{"type":"match","field":"host.name","value":"rock01","operator":"included"}],"item_id":"simple_list_item","comments":[],"description":"Updated description","namespace_type":"single"}'
Request example 
{
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "comments": [],
  "description": "Updated description",
  "namespace_type": "single"
}
Response examples (200) 
{
  "id": "459c5e7e-f8b2-4f0b-b136-c1fc702f72da",
  "name": "Updated name",
  "tags": [],
  "type": "simple",
  "entries": [
    {
      "type": "match",
      "field": "host.name",
      "value": "rock01",
      "operator": "included"
    }
  ],
  "item_id": "simple_list_item",
  "list_id": "simple_list",
  "_version": "WzEyLDFd",
  "comments": [],
  "os_types": [],
  "created_at": "2025-01-07T21:12:25.512Z",
  "created_by": "elastic",
  "updated_at": "2025-01-07T21:34:50.233Z",
  "updated_by": "elastic",
  "description": "Updated description",
  "namespace_type": "single",
  "tie_breaker_id": "ad0754ff-7b19-49ca-b73e-e6aff6bfa2d0"
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request body]: item_id: Expected string, received number",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [PUT /api/exception_lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message": "exception list item item_id: \\\"foo\\\" does not exist",
  "status_code": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Patch a value list item

PATCH /api/lists/items
Api key auth

Update specific fields of an existing value list item using the item id.

application/json

Body Required

Value list item's properties

  • _version string

    The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

  • id string(nonempty) Required

    Value list item's identifier.

    Minimum length is 1.

  • meta object

    Placeholder for metadata about the value list item.

    Additional properties are allowed.

  • refresh string

    Determines when changes made by the request are made visible to search.

    Values are true, false, or wait_for.

  • value string(nonempty)

    The value used to evaluate exceptions.

    Minimum length is 1.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

    • @timestamp string(date-time)
    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • deserializer string

      Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

      • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
      • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
      • {{{gte}}},{{{lte}}} - Date range values.
    • id string(nonempty) Required

      Value list item's identifier.

      Minimum length is 1.

    • list_id string(nonempty) Required

      Value list's identifier.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the value list item.

      Additional properties are allowed.

    • serializer string

      Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

      • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
      • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

      • keyword: Many ECS fields are Elasticsearch keywords
      • ip: IP addresses
      • ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

      Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • value string(nonempty) Required

      The value used to evaluate exceptions.

      Minimum length is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    List item not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
PATCH /api/lists/items 
curl \
 --request PATCH 'https://<KIBANA_URL>/api/lists/items' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"id":"pd1WRJQBs4HAK3VQeHFI","value":"255.255.255.255"}'
Request example 
{
  "id": "pd1WRJQBs4HAK3VQeHFI",
  "value": "255.255.255.255"
}
Response examples (200) 
{
  "id": "pd1WRJQBs4HAK3VQeHFI",
  "type": "ip",
  "value": "255.255.255.255",
  "list_id": "ip_list",
  "_version": "WzE5LDFd",
  "@timestamp": "2025-01-08T05:15:05.159Z",
  "created_at": "2025-01-08T05:15:05.159Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:23:37.602Z",
  "updated_by": "elastic",
  "tie_breaker_id": "eee41dc7-1666-4876-982f-8b0f7b59eca3"
}
Response examples (400) 
{
  "message": "{\"took\":15,\"timed_out\":false,\"total\":1,\"updated\":0,\"deleted\":0,\"batches\":1,\"version_conflicts\":0,\"noops\":0,\"retries\":{\"bulk\":0,\"search\":0},\"throttled_millis\":0,\"requests_per_second\":-1,\"throttled_until_millis\":0,\"failures\":[{\"index\":\".ds-.items-default-2025.01.09-000001\",\"id\":\"ip_item\",\"cause\":{\"type\":\"document_parsing_exception\",\"reason\":\"[1:107] failed to parse field [ip] of type [ip] in document with id ip_item. Preview of fields value: 2\",\"caused_by\":{\"type\":\"illegal_argument_exception\",\"reason\":\"2 is not an IP string literal.\"}},\"status\":400}]}",
  "status_code": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message": "list item id: \\\"foo\\\" not found",
  "status_code": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Import value list items

POST /api/lists/items/_import
Api key auth

Import value list items from a TXT or CSV file. The maximum file size is 9 million bytes.

You can import items to a new or existing list.

Query parameters

  • list_id string(nonempty)

    List's id.

    Required when importing to an existing list.

    Minimum length is 1.

  • type string

    Type of the importing list.

    Required when importing a new list whose list id is not specified.

    Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

  • serializer string

    Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

    • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
    • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
  • deserializer string

    Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

    • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
    • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
    • {{{gte}}},{{{lte}}} - Date range values.
  • refresh string

    Determines when changes made by the request are made visible to search.

    Values are true, false, or wait_for.

multipart/form-data

Body Required

  • file string(binary)

    A .txt or .csv file containing newline separated list items.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

    • @timestamp string(date-time)
    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string(nonempty) Required

      Describes the value list.

      Minimum length is 1.

    • deserializer string

      Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

      • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
      • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
      • {{{gte}}},{{{lte}}} - Date range values.
    • id string(nonempty) Required

      Value list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • meta object

      Placeholder for metadata about the value list.

      Additional properties are allowed.

    • name string(nonempty) Required

      Value list's name.

      Minimum length is 1.

    • serializer string

      Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

      • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
      • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

      • keyword: Many ECS fields are Elasticsearch keywords
      • ip: IP addresses
      • ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

      Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version number.

      Minimum value is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 409 application/json

    List with specified list_id does not exist response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
POST /api/lists/items/_import 
curl \
 --request POST 'https://<KIBANA_URL>/api/lists/items/_import' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: multipart/form-data" \
 --form "file=127.0.0.1
127.0.0.2
127.0.0.3
127.0.0.4
127.0.0.5
127.0.0.6
127.0.0.7
127.0.0.8
127.0.0.9
"
Response examples (200) 
{
  "id": "ip_list",
  "name": "Simple list with an ip",
  "type": "ip",
  "version": 1,
  "_version": "WzAsMV0=",
  "immutable": false,
  "@timestamp": "2025-01-08T04:47:34.273Z",
  "created_at": "2025-01-08T04:47:34.273Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T04:47:34.273Z",
  "updated_by": "elastic",
  "description": "This list describes bad internet ip",
  "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}
Response examples (400) 
{
  "message": "Either type or list_id need to be defined in the query",
  "status_code": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [POST /api/lists/items/_import?list_id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Security Osquery

Run live queries, manage packs and saved queries.

Security timeline

You can create Timelines and Timeline templates via the API, as well as import new Timelines from an ndjson file.

Service level objectives

SLO APIs enable you to define, manage and track service-level objectives