Alerting

Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.

Alerting documentation

Delete a rule

DELETE /api/alerting/rule/{id}
Api key auth

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • 204

    Indicates a successful call.

  • 400

    Indicates an invalid schema or parameters.

  • 403

    Indicates that this call is forbidden.

  • 404

    Indicates a rule with the given ID does not exist.

DELETE /api/alerting/rule/{id} 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/alerting/rule/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get a list of agent configurations

GET /api/apm/settings/agent-configuration
Api key auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
    • configurations array[object]

      Agent configuration

      Agent configuration

      Hide configurations attributes Show configurations attributes object
      • @timestamp number Required

        Timestamp

      • agent_name string

        Agent name

      • applied_by_agent boolean

        Applied by agent

      • etag string Required

        etag is sent by the APM agent to indicate the etag of the last successfully applied configuration. If the etag matches an existing configuration its applied_by_agent property will be set to true. Every time a configuration is edited applied_by_agent is reset to false.

      • service object Required

        Service

        Hide service attributes Show service attributes object
      • settings object Required

        Agent configuration settings

        Hide settings attribute Show settings attribute object
        • * string Additional properties
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration 
curl \
 --request GET 'https://<KIBANA_URL>/api/apm/settings/agent-configuration' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"
Response examples (200)
An example of a successful response from `GET /api/apm/settings/agent-configuration`. 
[
  {
      "agent_name": "go",
      "service": {
      "name": "opbeans-go",
      "environment": "production"
      },
      "settings": {
      "transaction_sample_rate": "1",
      "capture_body": "off",
      "transaction_max_spans": "200"
      },
      "@timestamp": 1581934104843,
      "applied_by_agent": false,
      "etag": "1e58c178efeebae15c25c539da740d21dee422fc"
  },
  {
      "agent_name": "go",
      "service": {
      "name": "opbeans-go"
      },
      "settings": {
      "transaction_sample_rate": "1",
      "capture_body": "off",
      "transaction_max_spans": "300"
      },
      "@timestamp": 1581934111727,
      "applied_by_agent": false,
      "etag": "3eed916d3db434d9fb7f039daa681c7a04539a64"
  },
  {
      "agent_name": "nodejs",
      "service": {
      "name": "frontend"
      },
      "settings": {
      "transaction_sample_rate": "1",
      },
      "@timestamp": 1582031336265,
      "applied_by_agent": false,
      "etag": "5080ed25785b7b19f32713681e79f46996801a5b"
  }
]

Get single agent configuration

GET /api/apm/settings/agent-configuration/view
Api key auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

Query parameters

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • id string Required
    • @timestamp number Required

      Timestamp

    • agent_name string

      Agent name

    • applied_by_agent boolean

      Applied by agent

    • etag string Required

      etag is sent by the APM agent to indicate the etag of the last successfully applied configuration. If the etag matches an existing configuration its applied_by_agent property will be set to true. Every time a configuration is edited applied_by_agent is reset to false.

    • service object Required

      Service

      Hide service attributes Show service attributes object
    • settings object Required

      Agent configuration settings

      Hide settings attribute Show settings attribute object
      • * string Additional properties
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
GET /api/apm/settings/agent-configuration/view 
curl \
 --request GET 'https://<KIBANA_URL>/api/apm/settings/agent-configuration/view' \
 --header "Authorization: $API_KEY" \
 --header "elastic-api-version: 2023-10-31"

APM annotations

Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.

Create a service annotation

POST /api/apm/services/{serviceName}/annotation
Api key auth

Create a new annotation for a specific service.

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body Required

  • @timestamp string Required

    The date and time of the annotation. It must be in ISO 8601 format.

  • message string

    The message displayed in the annotation. It defaults to service.version.

  • service object Required

    The service that identifies the configuration to create or update.

    Hide service attributes Show service attributes object
  • tags array[string]

    Tags are used by the Applications UI to distinguish APM annotations from other annotations. Tags may have additional functionality in future releases. It defaults to [apm]. While you can add additional tags, you cannot remove the apm tag.

Responses

  • 200 application/json

    Annotation created successfully

    Hide response attributes Show response attributes object
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/services/{serviceName}/annotation 
curl -X POST \
http://localhost:5601/api/apm/services/opbeans-java/annotation \
-H 'Content-Type: application/json' \
-H 'kbn-xsrf: true' \
-H 'Authorization: Basic YhUlubWZhM0FDbnlQeE6WRtaW49FQmSGZ4RUWXdX' \
-d '{
    "@timestamp": "2020-05-08T10:31:30.452Z",
    "service": {
        "version": "1.2"
    },
    "message": "Deployment 1.2"
    }'
Response examples (200)
An example of a successful response from `POST /api/apm/services/opbeans-java/annotation`, which creates an annotation for a service named `opbeans-java`. 
{
  "_index": "observability-annotations",
  "_id": "Lc9I93EBh6DbmkeV7nFX",
  "_version": 1,
  "_seq_no": 12,
  "_primary_term": 1,
  "found": true,
  "_source": {
    "message": "Deployment 1.2",
    "@timestamp": "2020-05-08T10:31:30.452Z",
    "service": {
      "version": "1.2",
      "name": "opbeans-java"
    },
    "tags": [
      "apm",
      "elastic.co",
      "customer"
    ],
    "annotation": {
      "type": "deployment"
    },
    "event": {
      "created": "2020-05-09T02:34:43.937Z"
    }
  }
}

APM server schema

Create APM fleet server schema.

Save APM server schema

POST /api/apm/fleet/apm_server_schema
Api key auth

Headers

  • elastic-api-version string Required

    The version of the API to use

    Value is 2023-10-31. Default value is 2023-10-31.

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body Required

  • schema object

    Schema object

    Additional properties are allowed.

Responses

  • 200 application/json

    Successful response

    Additional properties are NOT allowed.
  • 400 application/json

    Bad Request response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Forbidden response

    Hide response attributes Show response attributes object
  • 404 application/json

    Not found response

    Hide response attributes Show response attributes object
POST /api/apm/fleet/apm_server_schema 
curl \
 --request POST 'https://<KIBANA_URL>/api/apm/fleet/apm_server_schema' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "elastic-api-version: 2023-10-31" \
 --header "kbn-xsrf: true" \
 --data '{"schema":{"foo":"bar"}}'

CCR Remote synced integrations

Connectors

Connectors provide a central place to store connection information for services and integrations with Elastic or third party systems. Alerting rules can use connectors to run actions when rule conditions are met.

Connector documentation

Get a list of dashboards Technical Preview

GET /api/dashboards/dashboard
Api key auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Query parameters

  • page number

    The page number to return. Default is "1".

    Minimum value is 1. Default value is 1.

  • perPage number

    The number of dashboards to display on each page (max 1000). Default is "20".

    Minimum value is 1, maximum value is 1000.

Responses

GET /api/dashboards/dashboard 
curl \
 --request GET 'https://<KIBANA_URL>/api/dashboards/dashboard' \
 --header "Authorization: $API_KEY"

Delete a dashboard Technical Preview

DELETE /api/dashboards/dashboard/{id}
Api key auth

This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

  • id string Required

    A unique identifier for the dashboard.

DELETE /api/dashboards/dashboard/{id} 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/dashboards/dashboard/{id}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get data streams

GET /api/fleet/data_streams
Api key auth

[Required authorization] Route required privileges: fleet-agents-all AND fleet-agent-policies-all AND fleet-settings-all.

Responses

GET /api/fleet/data_streams 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/data_streams' \
 --header "Authorization: $API_KEY"

Create a runtime field

POST /api/data_views/data_view/{viewId}/runtime_field
Api key auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • viewId string Required

    An identifier for the data view.

application/json

Body Required

  • name string Required

    The name for a runtime field.

  • runtimeField object Required

    The runtime field definition object.

Responses

  • 200 application/json

    Indicates a successful call.
POST /api/data_views/data_view/{viewId}/runtime_field 
curl \
 --request POST 'https://<KIBANA_URL>/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"name":"runtimeFoo","runtimeField":{"type":"long","script":{"source":"emit(doc[\"foo\"].value)"}}}'
Request example 
{
  "name": "runtimeFoo",
  "runtimeField": {
    "type": "long",
    "script": {
      "source": "emit(doc[\"foo\"].value)"
    }
  }
}

Get the default data view

GET /api/data_views/default
Api key auth

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
GET /api/data_views/default 
curl \
 --request GET 'https://<KIBANA_URL>/api/data_views/default' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}

Set the default data view

POST /api/data_views/default
Api key auth

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • data_view_id string | null Required

    The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use null to unset the default data view.

  • force boolean

    Update an existing default data view identifier.

    Default value is false.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
POST /api/data_views/default 
curl \
 --request POST 'https://<KIBANA_URL>/api/data_views/default' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"force":true,"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f"}'
Request example 
{
  "force": true,
  "data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}

Swap saved object references

POST /api/data_views/swap_references
Api key auth

Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

application/json

Body Required

  • delete boolean

    Deletes referenced saved object if all references are removed.

  • forId string | array[string]

    Limit the affected saved objects to one or more by identifier.

    One of:
    string-1 string array-2 array[string]
  • forType string

    Limit the affected saved objects by type.

  • fromId string Required

    The saved object reference to change.

  • fromType string

    Specify the type of the saved object reference to alter. The default value is index-pattern for data views.

  • toId string Required

    New saved object reference value to replace the old value.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
POST /api/data_views/swap_references 
curl \
 --request POST 'https://<KIBANA_URL>/api/data_views/swap_references' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"toId":"xyz-123","delete":true,"fromId":"abcd-efg"}'
Request example 
{
  "toId": "xyz-123",
  "delete": true,
  "fromId": "abcd-efg"
}

Elastic Agent actions

Request agent diagnostics

POST /api/fleet/agents/{agentId}/request_diagnostics
Api key auth

[Required authorization] Route required privileges: fleet-agents-read.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

application/json

Body

Responses

POST /api/fleet/agents/{agentId}/request_diagnostics 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agents/{agentId}/request_diagnostics' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"additional_metrics":["CPU"]}'

Cancel an agent action

POST /api/fleet/agents/actions/{actionId}/cancel
Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Responses

POST /api/fleet/agents/actions/{actionId}/cancel 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agents/actions/{actionId}/cancel' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Bulk reassign agents

POST /api/fleet/agents/bulk_reassign
Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/agents/bulk_reassign 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agents/bulk_reassign' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"policy_id":"string"}'

Get agent binary download sources

GET /api/fleet/agent_download_sources
Api key auth

[Required authorization] Route required privileges: fleet-agent-policies-read OR fleet-settings-read.

Responses

GET /api/fleet/agent_download_sources 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agent_download_sources' \
 --header "Authorization: $API_KEY"

Elastic Agent status

Get an agent

GET /api/fleet/agents/{agentId}
Api key auth

Get an agent by ID.

[Required authorization] Route required privileges: fleet-agents-read.

Query parameters

Responses

GET /api/fleet/agents/{agentId} 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agents/{agentId}' \
 --header "Authorization: $API_KEY"

Get agent uploads

GET /api/fleet/agents/{agentId}/uploads
Api key auth

[Required authorization] Route required privileges: fleet-agents-read.

Responses

GET /api/fleet/agents/{agentId}/uploads 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agents/{agentId}/uploads' \
 --header "Authorization: $API_KEY"

Initiate agent setup

POST /api/fleet/agents/setup
Api key auth

[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

POST /api/fleet/agents/setup 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/agents/setup' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get agent tags

GET /api/fleet/agents/tags
Api key auth

[Required authorization] Route required privileges: fleet-agents-read.

Query parameters

Responses

GET /api/fleet/agents/tags 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/agents/tags' \
 --header "Authorization: $API_KEY"

Delete Kibana assets for a package

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets
Api key auth

[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Path parameters

Responses

DELETE /api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Get a package signature verification key ID

GET /api/fleet/epm/verification_key_id
Api key auth

[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.

Responses

GET /api/fleet/epm/verification_key_id 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/epm/verification_key_id' \
 --header "Authorization: $API_KEY"

Get an enrollment API key

GET /api/fleet/enrollment_api_keys/{keyId}
Api key auth

Get an enrollment API key by ID.

[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.

Responses

  • 200 application/json
    Hide response attribute Show response attribute object
    • item object Required

      Additional properties are NOT allowed.

      Hide item attributes Show item attributes object
      • active boolean Required

        When false, the enrollment API key is revoked and cannot be used for enrolling Elastic Agents.

      • api_key string Required

        The enrollment API key (token) used for enrolling Elastic Agents.

      • api_key_id string Required

        The ID of the API key in the Security API.

      • created_at string Required
      • hidden boolean
      • id string Required
      • name string

        The name of the enrollment API key.

      • policy_id string

        The ID of the agent policy the Elastic Agent will be enrolled in.
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/enrollment_api_keys/{keyId} 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/enrollment_api_keys/{keyId}' \
 --header "Authorization: $API_KEY"

Revoke an enrollment API key

DELETE /api/fleet/enrollment_api_keys/{keyId}
Api key auth

Revoke an enrollment API key by ID by marking it as inactive.

[Required authorization] Route required privileges: fleet-agents-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

DELETE /api/fleet/enrollment_api_keys/{keyId} 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/fleet/enrollment_api_keys/{keyId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Fleet outputs

Get the latest output health

GET /api/fleet/outputs/{outputId}/health
Api key auth

[Required authorization] Route required privileges: fleet-settings-read.

Responses

  • 200 application/json
    Hide response attributes Show response attributes object
    • message string Required

      long message if unhealthy

    • state string Required

      state of output, HEALTHY or DEGRADED

    • timestamp string Required

      timestamp of reported state
  • 400 application/json
    Hide response attributes Show response attributes object
GET /api/fleet/outputs/{outputId}/health 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/outputs/{outputId}/health' \
 --header "Authorization: $API_KEY"

Bulk delete package policies

POST /api/fleet/package_policies/delete
Api key auth

[Required authorization] Route required privileges: fleet-agent-policies-all AND integrations-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/package_policies/delete 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/package_policies/delete' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"force":true,"packagePolicyIds":["string"]}'

Get proxies

GET /api/fleet/proxies
Api key auth

[Required authorization] Route required privileges: fleet-settings-read.

Responses

GET /api/fleet/proxies 
curl \
 --request GET 'https://<KIBANA_URL>/api/fleet/proxies' \
 --header "Authorization: $API_KEY"

Create a proxy

POST /api/fleet/proxies
Api key auth

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

Responses

POST /api/fleet/proxies 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/proxies' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"certificate":"string","certificate_authorities":"string","certificate_key":"string","id":"string","is_preconfigured":false,"name":"string","proxy_headers":{},"url":"string"}'

Delete a Fleet Server host

DELETE /api/fleet/fleet_server_hosts/{itemId}
Api key auth

Delete a Fleet Server host by ID.

[Required authorization] Route required privileges: fleet-settings-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Responses

DELETE /api/fleet/fleet_server_hosts/{itemId} 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/fleet/fleet_server_hosts/{itemId}' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"

Create a service token

POST /api/fleet/service_tokens
Api key auth

[Required authorization] Route required privileges: fleet-agents-all.

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

application/json

Body

  • remote boolean

    Default value is false.

Responses

POST /api/fleet/service_tokens 
curl \
 --request POST 'https://<KIBANA_URL>/api/fleet/service_tokens' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"remote":false}'

Update a conversation

PUT /api/security_ai_assistant/current_user/conversations/{id}
Api key auth

Update an existing conversation using the conversation ID.

Path parameters

  • id string(nonempty) Required

    The conversation's id value.

    Minimum length is 1.

application/json

Body Required

  • apiConfig object

    LLM API configuration.

    Hide apiConfig attributes Show apiConfig attributes object
  • category string

    The conversation category.

    Values are assistant or insights.

  • excludeFromLastConversationStorage boolean

    excludeFromLastConversationStorage.

  • id string(nonempty) Required

    A string that does not contain only whitespace characters

    Minimum length is 1.

  • messages array[object]

    The conversation messages.

    AI assistant conversation message.

    Hide messages attributes Show messages attributes object
    • content string Required

      Message content.

    • isError boolean

      Is error message.

    • metadata object

      metadata

      Hide metadata attribute Show metadata attribute object
    • reader object

      Message content.

      Additional properties are allowed.

    • role string Required

      Message role.

      Values are system, user, or assistant.

    • timestamp string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • traceData object

      trace Data

      Hide traceData attributes Show traceData attributes object
      • traceId string

        Could be any string, not necessarily a UUID

      • transactionId string

        Could be any string, not necessarily a UUID

  • replacements object

    Replacements object used to anonymize/deanomymize messsages

    Hide replacements attribute Show replacements attribute object
    • * string Additional properties
  • summary object
    Hide summary attributes Show summary attributes object
    • confidence string

      How confident you are about this being a correct and useful learning.

      Values are low, medium, or high.

    • content string

      Summary text of the conversation over time.

    • public boolean

      Define if summary is marked as publicly available.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

  • title string

    The conversation title.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • apiConfig object

      LLM API configuration.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The time conversation was created.

    • excludeFromLastConversationStorage boolean

      excludeFromLastConversationStorage.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • messages array[object]

      The conversation messages.

      AI assistant conversation message.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        metadata

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • traceData object

        trace Data

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • transactionId string

          Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • replacements object

      Replacements object used to anonymize/deanomymize messsages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object
      Hide summary attributes Show summary attributes object
      • confidence string

        How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • title string Required

      The conversation title.

    • updatedAt string

      The last time conversation was updated.

    • users array[object] Required

      Could be any string, not necessarily a UUID

      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
PUT /api/security_ai_assistant/current_user/conversations/{id} 
curl \
 --request PUT 'https://<KIBANA_URL>/api/security_ai_assistant/current_user/conversations/{id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"apiConfig":{"actionTypeId":"string","connectorId":"string","defaultSystemPromptId":"string","model":"string","provider":"OpenAI"},"category":"assistant","excludeFromLastConversationStorage":true,"id":"string","messages":[{"content":"string","isError":true,"metadata":{"contentReferences":{}},"reader":{},"role":"system","timestamp":"string","traceData":{"traceId":"string","transactionId":"string"}}],"replacements":{"additionalProperty1":"string","additionalProperty2":"string"},"summary":{"confidence":"low","content":"string","public":true,"timestamp":"string"},"title":"string"}'

Delete a conversation

DELETE /api/security_ai_assistant/current_user/conversations/{id}
Api key auth

Delete an existing conversation using the conversation ID.

Path parameters

  • id string(nonempty) Required

    The conversation's id value.

    Minimum length is 1.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attributes Show response attributes object
    • apiConfig object

      LLM API configuration.

      Hide apiConfig attributes Show apiConfig attributes object
    • category string Required

      The conversation category.

      Values are assistant or insights.

    • createdAt string Required

      The time conversation was created.

    • excludeFromLastConversationStorage boolean

      excludeFromLastConversationStorage.

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • messages array[object]

      The conversation messages.

      AI assistant conversation message.

      Hide messages attributes Show messages attributes object
      • content string Required

        Message content.

      • isError boolean

        Is error message.

      • metadata object

        metadata

        Hide metadata attribute Show metadata attribute object
      • reader object

        Message content.

        Additional properties are allowed.

      • role string Required

        Message role.

        Values are system, user, or assistant.

      • timestamp string(nonempty) Required

        A string that does not contain only whitespace characters

        Minimum length is 1.

      • traceData object

        trace Data

        Hide traceData attributes Show traceData attributes object
        • traceId string

          Could be any string, not necessarily a UUID

        • transactionId string

          Could be any string, not necessarily a UUID

    • namespace string Required

      Kibana space

    • replacements object

      Replacements object used to anonymize/deanomymize messsages

      Hide replacements attribute Show replacements attribute object
      • * string Additional properties
    • summary object
      Hide summary attributes Show summary attributes object
      • confidence string

        How confident you are about this being a correct and useful learning.

        Values are low, medium, or high.

      • content string

        Summary text of the conversation over time.

      • public boolean

        Define if summary is marked as publicly available.

      • timestamp string(nonempty)

        A string that does not contain only whitespace characters

        Minimum length is 1.

    • timestamp string(nonempty)

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • title string Required

      The conversation title.

    • updatedAt string

      The last time conversation was updated.

    • users array[object] Required

      Could be any string, not necessarily a UUID

      Hide users attributes Show users attributes object
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
DELETE /api/security_ai_assistant/current_user/conversations/{id} 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/security_ai_assistant/current_user/conversations/{id}' \
 --header "Authorization: $API_KEY"

Read a KnowledgeBase

GET /api/security_ai_assistant/knowledge_base/{resource}
Api key auth

Read a single KB

Path parameters

  • resource string

    The KnowledgeBase resource value.

Responses

GET /api/security_ai_assistant/knowledge_base/{resource} 
curl \
 --request GET 'https://<KIBANA_URL>/api/security_ai_assistant/knowledge_base/{resource}' \
 --header "Authorization: $API_KEY"

Create a KnowledgeBase

POST /api/security_ai_assistant/knowledge_base/{resource}
Api key auth

Create a KnowledgeBase

Path parameters

  • resource string

    The KnowledgeBase resource value.

Query parameters

  • modelId string

    Optional ELSER modelId to use when setting up the Knowledge Base

  • ignoreSecurityLabs boolean

    Indicates whether we should or should not install Security Labs docs when setting up the Knowledge Base

    Default value is false.

Responses

  • 200 application/json

    Indicates a successful call.

    Hide response attribute Show response attribute object
    • success boolean

      Identify the success of the method execution.
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
POST /api/security_ai_assistant/knowledge_base/{resource} 
curl \
 --request POST 'https://<KIBANA_URL>/api/security_ai_assistant/knowledge_base/{resource}' \
 --header "Authorization: $API_KEY"

Deletes a single Knowledge Base Entry using the `id` field

DELETE /api/security_ai_assistant/knowledge_base/entries/{id}
Api key auth

Deletes a single Knowledge Base Entry using the id field

Path parameters

  • id string(nonempty) Required

    The Knowledge Base Entry's id value

    Minimum length is 1.

Responses

  • 200 application/json

    Successful request returning the deleted Knowledge Base Entry's ID

    Hide response attribute Show response attribute object
    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
DELETE /api/security_ai_assistant/knowledge_base/entries/{id} 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/security_ai_assistant/knowledge_base/entries/{id}' \
 --header "Authorization: $API_KEY"

Security detections

Use the detections APIs to create and manage detection rules. Detection rules search events and external alerts sent to Elastic Security and generate detection alerts from any hits. Alerts are displayed on the Alerts page and can be assigned and triaged, using the alert status to mark them as open, closed, or acknowledged.

This API supports both key-based authentication and basic authentication.

To use key-based authentication, create an API key, then specify the key in the header of your API calls.

To use basic authentication, provide a username and password; this automatically creates an API key that matches the current user’s privileges.

In both cases, the API key is subsequently used for authorization when the rule runs.

If the API key used for authorization has different privileges than the key that created or most recently updated a rule, the rule behavior might change.

If the API key that created a rule is deleted, or the user that created the rule becomes inactive, the rule will stop running.

To create and run rules, the user must meet specific requirements for the Kibana space. Refer to the Detections requirements for a complete list of requirements.

Returns user privileges for the Kibana space

GET /api/detection_engine/privileges
Api key auth

Retrieves whether or not the user is authenticated, and the user's Kibana space and index privileges, which determine if the user can create an index for the Elastic Security alerts generated by detection engine rules.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
GET /api/detection_engine/privileges 
curl \
 --request GET 'https://<KIBANA_URL>/api/detection_engine/privileges' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "index": {
    ".alerts-security.alerts-default": {
      "all": true,
      "read": true,
      "index": true,
      "write": true,
      "create": true,
      "delete": true,
      "manage": true,
      "monitor": true,
      "create_doc": true,
      "maintenance": true,
      "create_index": true,
      "delete_index": true,
      "view_index_metadata": true
    }
  },
  "cluster": {
    "all": true,
    "manage": true,
    "monitor": true,
    "manage_ml": true,
    "monitor_ml": true,
    "manage_api_key": true,
    "manage_pipeline": true,
    "manage_security": true,
    "manage_transform": true,
    "monitor_transform": true,
    "manage_own_api_key": true,
    "manage_index_templates": true
  },
  "username": "elastic",
  "application": {},
  "is_authenticated": true,
  "has_all_requested": true,
  "has_encryption_key": true
}

Export detection rules

POST /api/detection_engine/rules/_export
Api key auth

Export detection rules to an .ndjson file. The following configuration items are also included in the .ndjson file:

  • Actions
  • Exception lists

Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.

You can use Kibana’s Saved Objects UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before importing detection rules.

Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Manage value lists UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.

Query parameters

  • exclude_export_details boolean

    Determines whether a summary of the exported rules is returned.

    Default value is false.

  • file_name string

    File name for saving the exported rules.

    When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.

    Default value is export.ndjson.

application/json

Body

  • objects array[object] Required

    Array of rule_id fields. Exports all rules when unspecified.

    Hide objects attribute Show objects attribute object
    • rule_id string Required

      A stable unique identifier for the rule object. It can be assigned during rule creation. It can be any string, but often is a UUID. It should be unique not only within a given Kibana space, but also across spaces and Elastic environments. The same prebuilt Elastic rule, when installed in two different Kibana spaces or two different Elastic environments, will have the same rule_ids.

Responses

  • 200 application/ndjson

    Indicates a successful call.

    An .ndjson file containing the returned rules.

    Each line in the file represents an object (a rule, exception list parent container, or exception list item), and the last line includes a summary of what was exported.
POST /api/detection_engine/rules/_export 
curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
  "objects": [
    {
      "rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
    },
    {
      "rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
    }
  ]
}

Find and/or aggregate detection alerts

POST /api/detection_engine/signals/search
Api key auth

Find and/or aggregate detection alerts that match the given query.

application/json

Body Required

Search and/or aggregation query

Responses

POST /api/detection_engine/signals/search 
curl \
 --request POST 'https://<KIBANA_URL>/api/detection_engine/signals/search' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"aggs":{"missingFields":{"missing":{"field":"host.name"}},"alertsByGrouping":{"terms":{"size":10,"field":"host.name"}}},"size":0,"query":{"bool":{"filter":[{"bool":{"must":[],"filter":[{"match_phrase":{"kibana.alert.workflow_status":"open"}}],"should":[],"must_not":[{"exists":{"field":"kibana.alert.building_block_type"}}]}},{"range":{"@timestamp":{"gte":"2025-01-17T08:00:00.000Z","lte":"2025-01-18T07:59:59.999Z"}}}]}},"runtime_mappings":{}}'
Request example 
{
  "aggs": {
    "missingFields": {
      "missing": {
        "field": "host.name"
      }
    },
    "alertsByGrouping": {
      "terms": {
        "size": 10,
        "field": "host.name"
      }
    }
  },
  "size": 0,
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "match_phrase": {
                  "kibana.alert.workflow_status": "open"
                }
              }
            ],
            "should": [],
            "must_not": [
              {
                "exists": {
                  "field": "kibana.alert.building_block_type"
                }
              }
            ]
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2025-01-17T08:00:00.000Z",
              "lte": "2025-01-18T07:59:59.999Z"
            }
          }
        }
      ]
    }
  },
  "runtime_mappings": {}
}
Response examples (200) 
{
  "hits": {
    "hits": [],
    "total": {
      "value": 5,
      "relation": "eq"
    },
    "max_score": null
  },
  "took": 0,
  "_shards": {
    "total": 1,
    "failed": 0,
    "skipped": 0,
    "successful": 1
  },
  "timed_out": false,
  "aggregations": {
    "missingFields": {
      "doc_count": 0
    },
    "alertsByGrouping": {
      "buckets": [
        {
          "key": "Host-f43kkddfyc",
          "doc_count": 5
        }
      ],
      "sum_other_doc_count": 0,
      "doc_count_error_upper_bound": 0
    }
  }
}

Get response actions status

GET /api/endpoint/action_status
Api key auth

Get the status of response actions for the specified agent IDs.

Query parameters

Responses

GET /api/endpoint/action_status 
curl \
 --request GET 'https://<KIBANA_URL>/api/endpoint/action_status?query=%7B%7D' \
 --header "Authorization: $API_KEY"

Download a file

GET /api/endpoint/action/{action_id}/file/{file_id}/download
Api key auth

Download a file from an endpoint.

Path parameters

Responses

  • 200 application/json

    OK
GET /api/endpoint/action/{action_id}/file/{file_id}/download 
curl \
 --request GET 'https://<KIBANA_URL>/api/endpoint/action/{action_id}/file/{file_id}/download' \
 --header "Authorization: $API_KEY"

Run a script

POST /api/endpoint/action/runscript
Api key auth

Run a shell command on an endpoint.

application/json

Body Required

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/runscript 
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/runscript' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"parameters":{"commandLine":"string","raw":"string","timeout":42}}'

Scan a file or directory

POST /api/endpoint/action/scan
Api key auth

Scan a specific file or directory on an endpoint for malware.

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string(nonempty)]

    A list of alerts ids.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Optional parameters object

    Hide parameters attribute Show parameters attribute object
    • path string Required

      The folder or file’s full path (including the file name).

Responses

  • 200 application/json

    OK
POST /api/endpoint/action/scan 
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/scan' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"comment":"Scan the file for malware","parameters":{"path":"/usr/my-file.txt"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example 
{
  "comment": "Scan the file for malware",
  "parameters": {
    "path": "/usr/my-file.txt"
  },
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
Response examples (200) 
{
  "data": {
    "id": "27ba1b42-7cc6-4e53-86ce-675c876092b2",
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
      }
    },
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "status": "pending",
    "command": "scan",
    "outputs": {},
    "agentType": "endpoint",
    "createdBy": "myuser",
    "isExpired": false,
    "startedAt": "2023-07-28T19:00:03.911Z",
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "parameters": {
      "path": "/usr/my-file.txt"
    },
    "isCompleted": false,
    "wasSuccessful": false
  }
}

Create or update a protection updates note

POST /api/endpoint/protection_updates_note/{package_policy_id}
Api key auth
application/json

Body Required

Responses

  • 200 application/json

    OK

    Hide response attribute Show response attribute object
POST /api/endpoint/protection_updates_note/{package_policy_id} 
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/protection_updates_note/{package_policy_id}' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"note":"string"}'

Upsert an asset criticality record

POST /api/asset_criticality
Api key auth

Create or update an asset criticality record for a specific entity.

If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.

application/json

Body Required

  • id_field string Required

    Values are host.name, user.name, service.name, or entity.id.

  • id_value string Required

    The ID value of the asset.

  • criticality_level string Required

    The criticality level of the asset.

    Values are low_impact, medium_impact, high_impact, or extreme_impact.

  • refresh string

    If 'wait_for' the request will wait for the index refresh.

    Value is wait_for.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object

    The deleted record if it existed.

    • id_field string Required

      Values are host.name, user.name, service.name, or entity.id.

    • id_value string Required

      The ID value of the asset.

    • criticality_level string Required

      The criticality level of the asset.

      Values are low_impact, medium_impact, high_impact, or extreme_impact.

    • asset object Required
      Hide asset attribute Show asset attribute object
      • criticality string

        The criticality level of the asset.

        Values are low_impact, medium_impact, high_impact, or extreme_impact.

    • host object
      Hide host attributes Show host attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • service object
      Hide service attributes Show service attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • user object
      Hide user attributes Show user attributes object
      • asset object
        Hide asset attribute Show asset attribute object
        • criticality string Required

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • name string Required
    • @timestamp string(date-time) Required

      The time the record was created or updated.
  • 400

    Invalid request

POST /api/asset_criticality 
curl \
 --request POST 'https://<KIBANA_URL>/api/asset_criticality' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"id_field":"host.name","id_value":"my_host","criticality_level":"high_impact"}'
Request example 
{
  "id_field": "host.name",
  "id_value": "my_host",
  "criticality_level": "high_impact"
}
Response examples (200) 
{
  "host": {
    "name": "my_host",
    "asset": {
      "criticality": "high_impact"
    }
  },
  "asset": {
    "criticality": "high_impact"
  },
  "id_field": "host.name",
  "id_value": "my_host",
  "@timestamp": "2024-08-02T11:15:34.290Z",
  "criticality_level": "high_impact"
}

Delete an asset criticality record

DELETE /api/asset_criticality
Api key auth

Delete the asset criticality record for a specific entity.

Query parameters

  • id_value string Required

    The ID value of the asset.

  • id_field string Required

    The field representing the ID.

    Values are host.name, user.name, service.name, or entity.id.

  • refresh string

    If 'wait_for' the request will wait for the index refresh.

    Value is wait_for.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • deleted boolean Required

      True if the record was deleted or false if the record did not exist.

    • record object

      The deleted record if it existed.

      Hide record attributes Show record attributes object
      • id_field string Required

        Values are host.name, user.name, service.name, or entity.id.

      • id_value string Required

        The ID value of the asset.

      • criticality_level string Required

        The criticality level of the asset.

        Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • asset object Required
        Hide asset attribute Show asset attribute object
        • criticality string

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • host object
        Hide host attributes Show host attributes object
        • asset object
          Hide asset attribute Show asset attribute object
          • criticality string Required

            The criticality level of the asset.

            Values are low_impact, medium_impact, high_impact, or extreme_impact.

        • name string Required
      • service object
        Hide service attributes Show service attributes object
        • asset object
          Hide asset attribute Show asset attribute object
          • criticality string Required

            The criticality level of the asset.

            Values are low_impact, medium_impact, high_impact, or extreme_impact.

        • name string Required
      • user object
        Hide user attributes Show user attributes object
        • asset object
          Hide asset attribute Show asset attribute object
          • criticality string Required

            The criticality level of the asset.

            Values are low_impact, medium_impact, high_impact, or extreme_impact.

        • name string Required
      • @timestamp string(date-time) Required

        The time the record was created or updated.
  • 400

    Invalid request

DELETE /api/asset_criticality 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/asset_criticality?id_value=my_host&id_field=host.name' \
 --header "Authorization: $API_KEY"

List asset criticality records

GET /api/asset_criticality/list
Api key auth

List asset criticality records, paging, sorting and filtering as needed.

Query parameters

  • sort_field string

    The field to sort by.

    Values are id_value, id_field, criticality_level, or \@timestamp.

  • sort_direction string

    The order to sort by.

    Values are asc or desc.

  • page integer

    The page number to return.

    Minimum value is 1.

  • per_page integer

    The number of records to return per page.

    Minimum value is 1, maximum value is 1000.

  • kuery string

    The kuery to filter by.

Responses

  • 200 application/json

    Successfully retrieved asset criticality records

    Hide response attributes Show response attributes object
    • page integer Required

      Minimum value is 1.

    • per_page integer Required

      Minimum value is 1, maximum value is 1000.

    • records array[object] Required

      The deleted record if it existed.

      Hide records attributes Show records attributes object

      The deleted record if it existed.

      • id_field string Required

        Values are host.name, user.name, service.name, or entity.id.

      • id_value string Required

        The ID value of the asset.

      • criticality_level string Required

        The criticality level of the asset.

        Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • asset object Required
        Hide asset attribute Show asset attribute object
        • criticality string

          The criticality level of the asset.

          Values are low_impact, medium_impact, high_impact, or extreme_impact.

      • host object
        Hide host attributes Show host attributes object
        • asset object
          Hide asset attribute Show asset attribute object
          • criticality string Required

            The criticality level of the asset.

            Values are low_impact, medium_impact, high_impact, or extreme_impact.

        • name string Required
      • service object
        Hide service attributes Show service attributes object
        • asset object
          Hide asset attribute Show asset attribute object
          • criticality string Required

            The criticality level of the asset.

            Values are low_impact, medium_impact, high_impact, or extreme_impact.

        • name string Required
      • user object
        Hide user attributes Show user attributes object
        • asset object
          Hide asset attribute Show asset attribute object
          • criticality string Required

            The criticality level of the asset.

            Values are low_impact, medium_impact, high_impact, or extreme_impact.

        • name string Required
      • @timestamp string(date-time) Required

        The time the record was created or updated.

    • total integer Required

      Minimum value is 0.
GET /api/asset_criticality/list 
curl \
 --request GET 'https://<KIBANA_URL>/api/asset_criticality/list' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "page": 1,
  "total": 2,
  "records": [
    {
      "host": {
        "name": "my_other_host",
        "asset": {
          "criticality": "medium_impact"
        }
      },
      "asset": {
        "criticality": "medium_impact"
      },
      "id_field": "host.name",
      "id_value": "my_other_host",
      "@timestamp": "2024-08-02T14:40:35.705Z",
      "criticality_level": "medium_impact"
    },
    {
      "host": {
        "name": "my_host",
        "asset": {
          "criticality": "high_impact"
        }
      },
      "asset": {
        "criticality": "high_impact"
      },
      "id_field": "host.name",
      "id_value": "my_host",
      "@timestamp": "2024-08-02T11:15:34.290Z",
      "criticality_level": "high_impact"
    }
  ],
  "per_page": 10
}

Health check on Privilege Monitoring

GET /api/entity_analytics/monitoring/privileges/health
Api key auth

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
GET /api/entity_analytics/monitoring/privileges/health 
curl \
 --request GET 'https://<KIBANA_URL>/api/entity_analytics/monitoring/privileges/health' \
 --header "Authorization: $API_KEY"

Cleanup the Risk Engine

DELETE /api/risk_score/engine/dangerously_delete_data
Api key auth

Cleaning up the the Risk Engine by removing the indices, mapping and transforms

Responses

  • 200 application/json

    Successful response

    Hide response attribute Show response attribute object
  • 400 application/json

    Task manager is unavailable

    Hide response attributes Show response attributes object
  • default application/json

    Unexpected error

    Hide response attributes Show response attributes object
DELETE /api/risk_score/engine/dangerously_delete_data 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/risk_score/engine/dangerously_delete_data' \
 --header "Authorization: $API_KEY"

Export an exception list

POST /api/exception_lists/_export
Api key auth

Export an exception list and its associated items to an NDJSON file.

Query parameters

  • id string(nonempty) Required

    Exception list's identifier.

    Minimum length is 1.

  • list_id string(nonempty) Required

    Exception list's human readable string identifier, e.g. trusted-linux-processes.

    Minimum length is 1.

  • namespace_type string Required

    Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:

    • single: Only available in the Kibana space in which it is created.
    • agnostic: Available in all Kibana spaces.

    Values are agnostic or single. Default value is single.

  • include_expired_exceptions string Required

    Determines whether to include expired exceptions in the exported list. Expiration date defined by expire_time.

    Values are true or false. Default value is true.

Responses

POST /api/exception_lists/_export 
curl \
 --request POST 'https://<KIBANA_URL>/api/exception_lists/_export?id=9e5fc75a-a3da-46c5-96e3-a2ec59c6bb85&list_id=simple_list&namespace_type=agnostic&include_expired_exceptions=true' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{"_version":"WzExNDU5LDFd","created_at":"2025-01-09T16:18:17.757Z","created_by":"elastic","description":"This is a sample detection type exception","id":"c86c2da0-2ab6-4343-b81c-216ef27e8d75","immutable":false,"list_id":"simple_list","name":"Sample Detection Exception List","namespace_type":"single","os_types":[],"tags":["user added string for a tag","malware"],"tie_breaker_id":"cf4a7b92-732d-47f0-a0d5-49a35a1736bf","type":"detection","updated_at":"2025-01-09T16:18:17.757Z","updated_by":"elastic","version":1}
{"_version":"WzExNDYxLDFd","comments":[],"created_at":"2025-01-09T16:18:42.308Z","created_by":"elastic","description":"This is a sample endpoint type exception","entries":[{"type":"exists","field":"actingProcess.file.signer","operator":"excluded"},{"type":"match_any","field":"host.name","value":["some host","another host"],"operator":"included"}],"id":"f37597ce-eaa7-4b64-9100-4301118f6806","item_id":"simple_list_item","list_id":"simple_list","name":"Sample Endpoint Exception List","namespace_type":"single","os_types":["linux"],"tags":["user added string for a tag","malware"],"tie_breaker_id":"4ca3ef3e-9721-42c0-8107-cf47e094d40f","type":"simple","updated_at":"2025-01-09T16:18:42.308Z","updated_by":"elastic"}
{"exported_exception_list_count":1,"exported_exception_list_item_count":1,"missing_exception_list_item_count":0,"missing_exception_list_items":[],"missing_exception_lists":[],"missing_exception_lists_count":0}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request query]: list_id: Required, namespace_type: Required",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [POST /api/exception_lists/_export] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message\"": "exception list id: \"foo\" does not exist",
  "status_code\"": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Security lists

Lists can be used with detection rule exceptions to define values that prevent a rule from generating alerts.

Lists are made up of:

  • List containers: A container for values of the same Elasticsearch data type. The following data types can be used:
    • boolean
    • byte
    • date
    • date_nanos
    • date_range
    • double
    • double_range
    • float
    • float_range
    • half_float
    • integer
    • integer_range
    • ip
    • ip_range
    • keyword
    • long
    • long_range
    • short
    • text
  • List items: The values used to determine whether the exception prevents an alert from being generated.

All list items in the same list container must be of the same data type, and each item defines a single value. For example, an IP list container named internal-ip-addresses-southport contains five items, where each item defines one internal IP address:

  1. 192.168.1.1
  2. 192.168.1.3
  3. 192.168.1.18
  4. 192.168.1.12
  5. 192.168.1.7

To use these IP addresses as values for defining rule exceptions, use the Security exceptions API to create an exception list item that references the internal-ip-addresses-southport list.

Lists cannot be added directly to rules, nor do they define the operators used to determine when exceptions are applied (is in list, is not in list). Use an exception item to define the operator and associate it with an exception container. You can then add the exception container to a rule's exceptions_list object.

Lists requirements

Before you can start using lists, you must create the .lists and .items data streams for the relevant Kibana space. To do this, use the Create list data streams endpoint. Once these data streams are created, your role needs privileges to manage rules. Refer to Enable and access detections for a complete list of requirements.

Delete a value list

DELETE /api/lists
Api key auth

Delete a value list using the list ID.

When you delete a list, all of its list items are also deleted.

Query parameters

  • id string(nonempty) Required

    Value list's identifier.

    Minimum length is 1.

  • deleteReferences boolean

    Determines whether exception items referencing this value list should be deleted.

    Default value is false.

  • ignoreReferences boolean

    Determines whether to delete value list without performing any additional checks of where this list may be utilized.

    Default value is false.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

    • @timestamp string(date-time)
    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • description string(nonempty) Required

      Describes the value list.

      Minimum length is 1.

    • deserializer string

      Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

      • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
      • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
      • {{{gte}}},{{{lte}}} - Date range values.
    • id string(nonempty) Required

      Value list's identifier.

      Minimum length is 1.

    • immutable boolean Required
    • meta object

      Placeholder for metadata about the value list.

      Additional properties are allowed.

    • name string(nonempty) Required

      Value list's name.

      Minimum length is 1.

    • serializer string

      Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

      • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
      • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

      • keyword: Many ECS fields are Elasticsearch keywords
      • ip: IP addresses
      • ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

      Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • version integer Required

      The document version number.

      Minimum value is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    List not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
DELETE /api/lists 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/lists?id=21b01cfb-058d-44b9-838c-282be16c91cd' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "21b01cfb-058d-44b9-838c-282be16c91cd",
  "name": "Bad ips",
  "type": "ip",
  "version": 3,
  "_version": "WzIsMV0=",
  "immutable": false,
  "@timestamp": "2025-01-08T04:47:34.273Z",
  "created_at": "2025-01-08T04:47:34.273Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:39:39.292Z",
  "updated_by": "elastic",
  "description": "List of bad internet ips.",
  "tie_breaker_id": "f5508188-b1e9-4e6e-9662-d039a7d89899"
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request query]: id: Required",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [DELETE /api/lists?id=ip_list] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message": "list id: \\\"ip_list\\\" was not found",
  "status_code": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Get a value list item

GET /api/lists/items
Api key auth

Get the details of a value list item.

Query parameters

  • id string(nonempty)

    Value list item identifier. Required if list_id and value are not specified.

    Minimum length is 1.

  • list_id string(nonempty)

    Value list item list's id identfier. Required if id is not specified.

    Minimum length is 1.

  • value string

    The value used to evaluate exceptions. Required if id is not specified.

Responses

  • 200 application/json

    Successful response

    One of:
    Security_Lists_API_ListItem object array-2 array[object]
    Hide attributes Show attributes
    • _version string

      The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

    • @timestamp string(date-time)
    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • deserializer string

      Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

      • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
      • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
      • {{{gte}}},{{{lte}}} - Date range values.
    • id string(nonempty) Required

      Value list item's identifier.

      Minimum length is 1.

    • list_id string(nonempty) Required

      Value list's identifier.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the value list item.

      Additional properties are allowed.

    • serializer string

      Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

      • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
      • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

      • keyword: Many ECS fields are Elasticsearch keywords
      • ip: IP addresses
      • ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

      Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • value string(nonempty) Required

      The value used to evaluate exceptions.

      Minimum length is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    List item not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
GET /api/lists/items 
curl \
 --request GET 'https://<KIBANA_URL>/api/lists/items' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "id": "qN1XRJQBs4HAK3VQs3Gc",
  "type": "ip",
  "value": "127.0.0.2",
  "list_id": "ip_list",
  "_version": "WzExLDFd",
  "@timestamp": "2025-01-08T05:16:25.882Z",
  "created_at": "2025-01-08T05:16:25.882Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:16:25.882Z",
  "updated_by": "elastic",
  "tie_breaker_id": "a9a34c02-a385-436e-86a0-02a3942f3537"
}
Response examples (400) 
{
  "message": "Either \\\"list_id\\\" or \\\"id\\\" needs to be defined in the request",
  "status_code": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [GET /api/lists/items?id=qN1XRJQBs4HAK3VQs3Gc] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}
Response examples (404) 
{
  "message": "list item id: \\\"foo\\\" not found",
  "status_code": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Update a value list item

PUT /api/lists/items
Api key auth

Update a value list item using the list item ID. The original list item is replaced, and all unspecified fields are deleted.

You cannot modify the id value.

application/json

Body Required

Value list item's properties

  • _version string

    The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

  • id string(nonempty) Required

    Value list item's identifier.

    Minimum length is 1.

  • meta object

    Placeholder for metadata about the value list item.

    Additional properties are allowed.

  • value string(nonempty) Required

    The value used to evaluate exceptions.

    Minimum length is 1.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • _version string

      The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

    • @timestamp string(date-time)
    • created_at string(date-time) Required

      Autogenerated date of object creation.

    • created_by string Required

      Autogenerated value - user that created object.

    • deserializer string

      Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

      • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
      • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
      • {{{gte}}},{{{lte}}} - Date range values.
    • id string(nonempty) Required

      Value list item's identifier.

      Minimum length is 1.

    • list_id string(nonempty) Required

      Value list's identifier.

      Minimum length is 1.

    • meta object

      Placeholder for metadata about the value list item.

      Additional properties are allowed.

    • serializer string

      Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

      • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
      • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
    • tie_breaker_id string Required

      Field used in search to ensure all containers are sorted and returned correctly.

    • type string Required

      Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

      • keyword: Many ECS fields are Elasticsearch keywords
      • ip: IP addresses
      • ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

      Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

    • updated_at string(date-time) Required

      Autogenerated date of last object update.

    • updated_by string Required

      Autogenerated value - user that last updated object.

    • value string(nonempty) Required

      The value used to evaluate exceptions.

      Minimum length is 1.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 404 application/json

    List item not found response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
PUT /api/lists/items 
curl \
 --request PUT 'https://<KIBANA_URL>/api/lists/items' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"id":"ip_item","value":"255.255.255.255"}'
Request example 
{
  "id": "ip_item",
  "value": "255.255.255.255"
}
Response examples (200) 
{
  "id": "pd1WRJQBs4HAK3VQeHFI",
  "type": "ip",
  "value": "255.255.255.255",
  "list_id": "ip_list",
  "_version": "WzIwLDFd",
  "@timestamp": "2025-01-08T05:15:05.159Z",
  "created_at": "2025-01-08T05:15:05.159Z",
  "created_by": "elastic",
  "updated_at": "2025-01-08T05:44:14.009Z",
  "updated_by": "elastic",
  "tie_breaker_id": "eee41dc7-1666-4876-982f-8b0f7b59eca3"
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "[request body]: id: Expected string, received number",
  "statusCode": 400
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [PATCH /api/lists/items] is unauthorized for user, this action is granted by the Kibana privileges [lists-all]",
  "statusCode": 403
}
Response examples (404) 
{
  "message": "list item id: \\\"foo\\\" not found",
  "status_code": 404
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Get value list items

GET /api/lists/items/_find
Api key auth

Get all value list items in the specified list.

Query parameters

  • list_id string(nonempty) Required

    Value list's identifier.

    Minimum length is 1.

  • page integer

    The page number to return.

  • per_page integer

    The number of list items to return per page.

  • sort_field string(nonempty)

    Determines which field is used to sort the results.

    Minimum length is 1.

  • sort_order string

    Determines the sort order, which can be desc or asc

    Values are desc or asc.

  • cursor string(nonempty)

    Returns the items that come after the last item returned in the previous call (use the cursor value returned in the previous call). This parameter uses the tie_breaker_id field to ensure all items are sorted and returned correctly.

    Minimum length is 1.

  • filter string

    Filters the returned results according to the value of the specified field, using the : syntax.

Responses

  • 200 application/json

    Successful response

    Hide response attributes Show response attributes object
    • cursor string(nonempty) Required

      Returns the items that come after the last item returned in the previous call (use the cursor value returned in the previous call). This parameter uses the tie_breaker_id field to ensure all items are sorted and returned correctly.

      Minimum length is 1.

    • data array[object] Required
      Hide data attributes Show data attributes object
      • _version string

        The version id, normally returned by the API when the document is retrieved. Use it ensure updates are done against the latest version.

      • @timestamp string(date-time)
      • created_at string(date-time) Required

        Autogenerated date of object creation.

      • created_by string Required

        Autogenerated value - user that created object.

      • deserializer string

        Determines how retrieved list item values are presented. By default list items are presented using these Handelbar expressions:

        • {{{value}}} - Single value item types, such as ip, long, date, keyword, and text.
        • {{{gte}}}-{{{lte}}} - Range value item types, such as ip_range, double_range, float_range, integer_range, and long_range.
        • {{{gte}}},{{{lte}}} - Date range values.
      • id string(nonempty) Required

        Value list item's identifier.

        Minimum length is 1.

      • list_id string(nonempty) Required

        Value list's identifier.

        Minimum length is 1.

      • meta object

        Placeholder for metadata about the value list item.

        Additional properties are allowed.

      • serializer string

        Determines how uploaded list item values are parsed. By default, list items are parsed using these named regex groups:

        • (?<value>.+) - Single value item types, such as ip, long, date, keyword, and text.
        • (?<gte>.+)-(?<lte>.+)|(?<value>.+) - Range value item types, such as date_range, ip_range, double_range, float_range, integer_range, and long_range.
      • tie_breaker_id string Required

        Field used in search to ensure all containers are sorted and returned correctly.

      • type string Required

        Specifies the Elasticsearch data type of excludes the list container holds. Some common examples:

        • keyword: Many ECS fields are Elasticsearch keywords
        • ip: IP addresses
        • ip_range: Range of IP addresses (supports IPv4, IPv6, and CIDR notation)

        Values are binary, boolean, byte, date, date_nanos, date_range, double, double_range, float, float_range, geo_point, geo_shape, half_float, integer, integer_range, ip, ip_range, keyword, long, long_range, shape, short, or text.

      • updated_at string(date-time) Required

        Autogenerated date of last object update.

      • updated_by string Required

        Autogenerated value - user that last updated object.

      • value string(nonempty) Required

        The value used to evaluate exceptions.

        Minimum length is 1.

    • page integer Required

      Minimum value is 0.

    • per_page integer Required

      Minimum value is 0.

    • total integer Required

      Minimum value is 0.
  • 400 application/json

    Invalid input data response

    One of:
    Security_Lists_API_PlatformErrorResponse object Security_Lists_API_SiemErrorResponse object
    Hide attributes Show attributes
  • 401 application/json

    Unsuccessful authentication response

    Hide response attributes Show response attributes object
  • 403 application/json

    Not enough privileges response

    Hide response attributes Show response attributes object
  • 500 application/json

    Internal server error response

    Hide response attributes Show response attributes object
GET /api/lists/items/_find 
curl \
 --request GET 'https://<KIBANA_URL>/api/lists/items/_find?list_id=21b01cfb-058d-44b9-838c-282be16c91cd' \
 --header "Authorization: $API_KEY"
Response examples (200) 
{
  "data": [
    {
      "id": "21b01cfb-058d-44b9-838c-282be16c91cc",
      "type": "ip",
      "value": "127.0.0.1",
      "list_id": "ip_list",
      "_version": "WzAsMV0=",
      "@timestamp": "2025-01-08T04:59:06.154Z",
      "created_at": "2025-01-08T04:59:06.154Z",
      "created_by": "elastic",
      "updated_at": "2025-01-08T04:59:06.154Z",
      "updated_by": "elastic",
      "tie_breaker_id": "b57c762c-3036-465c-9bfb-7bfb5e6e515a"
    }
  ],
  "page": 1,
  "total": 1,
  "cursor": "WzIwLFsiYjU3Yzc2MmMtMzAzNi00NjVjLTliZmItN2JmYjVlNmU1MTVhIl1d",
  "per_page": 20
}
Response examples (400) 
{
  "error": "Bad Request,",
  "message": "[request query]: list_id: Required",
  "statusCode": "400,"
}
Response examples (401) 
{
  "error": "Unauthorized",
  "message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
  "statusCode": 401
}
Response examples (403) 
{
  "error": "Forbidden",
  "message": "API [GET /api/lists/items/_find?list_id=ip_list&page=1&per_page=20] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
  "statusCode": 403
}
Response examples (500) 
{
  "message": "Internal Server Error",
  "status_code": 500
}

Security Osquery

Run live queries, manage packs and saved queries.

Delete Timelines or Timeline templates

DELETE /api/timeline
Api key auth

Delete one or more Timelines or Timeline templates.

application/json

Body Required

The IDs of the Timelines or Timeline templates to delete.

  • savedObjectIds array[string] Required

    The list of IDs of the Timelines or Timeline templates to delete

  • searchIds array[string]

    Saved search IDs that should be deleted alongside the timelines

Responses

  • 200

    Indicates the Timeline was successfully deleted.

DELETE /api/timeline 
curl \
 --request DELETE 'https://<KIBANA_URL>/api/timeline' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"savedObjectIds":["15c1929b-0af7-42bd-85a8-56e234cc7c4e"],"searchIds":["23f3-43g34g322-e5g5hrh6h-45454","6ce1b592-84e3-4b4a-9552-f189d4b82075"]}'

Batch delete rollup and summary data

POST /s/{spaceId}/api/observability/slos/_delete_instances
Api key auth

The deletion occurs for the specified list of sloId and instanceId. You must have all privileges for the SLOs feature in the Observability section of the Kibana feature privileges.

Headers

  • kbn-xsrf string Required

    Cross-site request forgery protection

Path parameters

  • spaceId string Required

    An identifier for the space. If /s/ and the identifier are omitted from the path, the default space is used.

application/json

Body Required

  • list array[object] Required

    An array of slo id and instance id

    Hide list attributes Show list attributes object
    • instanceId string Required

      The SLO instance identifier

    • sloId string Required

      The SLO unique identifier

Responses

  • 204

    Successful request

  • 400 application/json

    Bad request

    Hide response attributes Show response attributes object
  • 401 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
  • 403 application/json

    Unauthorized response

    Hide response attributes Show response attributes object
POST /s/{spaceId}/api/observability/slos/_delete_instances 
curl \
 --request POST 'https://<KIBANA_URL>/s/default/api/observability/slos/_delete_instances' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: string" \
 --data '{"list":[{"instanceId":"8853df00-ae2e-11ed-90af-09bb6422b258","sloId":"8853df00-ae2e-11ed-90af-09bb6422b258"}]}'