Unmute all alerts

POST /api/alerting/rule/{id}/_unmute_all

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks. Kibana rejects state-changing requests that lack it; the value itself is arbitrary (the example below sends true).

Path parameters

  • id string Required

    The identifier for the rule.

Responses

  • Indicates a successful call.

  • Indicates an invalid schema or parameters.

  • Indicates that this call is forbidden.

  • Indicates a rule with the given ID does not exist.

POST /api/alerting/rule/{id}/_unmute_all
# $API_KEY holds the full header value, e.g. "ApiKey <base64-encoded key>"
curl \
 --request POST 'http://api.example.com/api/alerting/rule/{id}/_unmute_all' \
 --header "Authorization: $API_KEY" \
 --header "kbn-xsrf: true"
Read a Knowledge Base Entry

GET /api/security_ai_assistant/knowledge_base/entries/{id}

Read a Knowledge Base Entry

Path parameters

  • id string(nonempty) Required

    The Knowledge Base Entry's id value.

    Minimum length is 1.

Responses

  • 200 application/json

    Successful request returning a Knowledge Base Entry

    Any of: a document entry (type document, attributes listed below) or an index entry (type index, shown in the second 200 response example).

    • global boolean Required

      Whether this Knowledge Base Entry is global (readable by every user in the space); defaults to false.

    • name string Required

      Name of the Knowledge Base Entry

    • namespace string Required

      The Kibana space the entry belongs to; defaults to the default space.

    • users array[object] Required

      Users who have access to the Knowledge Base Entry; defaults to the current user. An empty array grants access to all users, so check this field together with global before storing sensitive content.

      Each user object has:

      • id string

        Could be any string, not necessarily a UUID.

      • name string
    • createdAt string Required

      Time the Knowledge Base Entry was created

    • createdBy string Required

      User who created the Knowledge Base Entry

    • id string(nonempty) Required

      A string that does not contain only whitespace characters

      Minimum length is 1.

    • updatedAt string Required

      Time the Knowledge Base Entry was last updated

    • updatedBy string Required

      User who last updated the Knowledge Base Entry

    • kbResource string Required

      Knowledge Base resource name for grouping entries, e.g. 'security_labs', 'user', etc

      Values are security_labs or user.

    • source string Required

      Source document name or filepath

    • text string Required

      Knowledge Base Entry content

    • type string Required Discriminator

      Entry type

      Value is document.

    • required boolean

      Whether this resource should always be included, defaults to false

    • vector object

      Object containing Knowledge Base Entry text embeddings and modelId used to create the embeddings

      • modelId string Required

        ID of the model used to create the embeddings

      • tokens object Required

        Tokens with their corresponding values

        • * number Additional properties
  • 400 application/json

    Generic Error

    • error string

    • message string

    • statusCode number
GET /api/security_ai_assistant/knowledge_base/entries/{id}
curl \
 --request GET 'http://api.example.com/api/security_ai_assistant/knowledge_base/entries/{id}' \
 --header "Authorization: $API_KEY"
Response example (200): document entry
{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "kbResource": "security_labs",
  "source": "string",
  "text": "string",
  "type": "document",
  "required": true,
  "vector": {
    "modelId": "string",
    "tokens": {
      "additionalProperty1": 42.0,
      "additionalProperty2": 42.0
    }
  }
}
Response example (200): index entry
{
  "global": true,
  "name": "string",
  "namespace": "string",
  "users": [
    {
      "id": "string",
      "name": "string"
    }
  ],
  "createdAt": "string",
  "createdBy": "string",
  "id": "string",
  "updatedAt": "string",
  "updatedBy": "string",
  "description": "string",
  "field": "string",
  "index": "string",
  "queryDescription": "string",
  "type": "index",
  "inputSchema": [
    {
      "description": "string",
      "fieldName": "string",
      "fieldType": "string"
    }
  ],
  "outputFields": [
    "string"
  ]
}
Response examples (400)
{
  "error": "string",
  "message": "string",
  "statusCode": 42.0
}
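The visibility rules above (an empty users array means every user, a global entry is shared with everyone in the space) are the part of this response a security reviewer cares about. The following audit script is an added example and not Elastic's code: it consumes objects shaped like the 200 response, dispatches on the type discriminator, and flags entries that every assistant user can read. The sample entries are constructed for the example, and the treatment of global as "readable by everyone" is this example's reading of the field description.

```python
"""Audit Security AI Assistant Knowledge Base entries for over-broad visibility.

Added example, not Elastic's code. Input objects are shaped like the 200
response of GET /api/security_ai_assistant/knowledge_base/entries/{id}.
"""
from __future__ import annotations

from typing import Any

# Constructed sample entries, shaped like the page's two 200 response
# examples: one "document" entry and one "index" entry.
SAMPLE_ENTRIES: list[dict[str, Any]] = [
    {
        "id": "kb-doc-1", "type": "document", "global": False,
        "namespace": "default", "name": "Runbook: triage alerts",
        "users": [{"id": "u-alice", "name": "alice"}],
        "createdAt": "2025-02-26T13:37:30.452Z", "createdBy": "alice",
        "updatedAt": "2025-02-26T13:37:30.452Z", "updatedBy": "alice",
        "kbResource": "user", "source": "runbook.md",
        "text": "Step 1: check the alert timeline ...", "required": False,
    },
    {
        "id": "kb-idx-1", "type": "index", "global": True,
        "namespace": "default", "name": "HR records",
        "users": [],
        "createdAt": "2025-02-26T14:00:00.000Z", "createdBy": "bob",
        "updatedAt": "2025-02-26T14:00:00.000Z", "updatedBy": "bob",
        "description": "Employee directory", "field": "content", "index": "hr-*",
        "queryDescription": "Look up employees", "inputSchema": [],
        "outputFields": ["name"],
    },
]


def visible_to_all(entry: dict[str, Any]) -> bool:
    """True when any assistant user in the space can read the entry.

    From the field descriptions: an empty `users` list grants access to all
    users. Assumption of this example: a `global` entry is likewise readable
    by everyone in the space.
    """
    return bool(entry.get("global")) or not entry.get("users")


def can_read(entry: dict[str, Any], user_id: str) -> bool:
    """Whether the given user id is in the entry's audience."""
    if visible_to_all(entry):
        return True
    return any(u.get("id") == user_id for u in entry["users"])


def describe_payload(entry: dict[str, Any]) -> str:
    """Summarise what a reader gets, dispatching on the `type` discriminator."""
    kind = entry.get("type")
    if kind == "document":
        return f"document text from {entry.get('source')} ({entry.get('kbResource')})"
    if kind == "index":
        # An index entry lets the assistant query the named index pattern,
        # so an over-shared one exposes that data, not just a text blob.
        return f"query access to index pattern {entry.get('index')} ({entry.get('field')})"
    raise ValueError(f"unknown entry type: {kind!r}")


def audit(entries: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Return one finding per entry that every user in its namespace can read."""
    findings = []
    for e in entries:
        if visible_to_all(e):
            reason = "global" if e.get("global") else "empty users list"
            findings.append({"id": e["id"], "namespace": e.get("namespace"),
                             "reason": reason, "exposes": describe_payload(e)})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ENTRIES):
        print(finding)
```

Feed it the JSON returned for each entry id (for example by listing entries in a space and calling this endpoint per id) and review every finding whose payload is an index pattern first, since those grant query access rather than a static text.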
Create a pack

POST /api/osquery/packs

Create a query pack.

application/json

Body Required

  • description string | null

    The pack description.

  • enabled boolean | null

    Enables the pack.

  • name string

    The pack name.

  • policy_ids array[string] | null

    A list of agent policy IDs the pack is assigned to.

  • queries object

    An object of queries.

    • * object Additional properties

      Each key is the name the query has within the pack (my_query in the request example); each value is a query object with the attributes below.

      • ecs_mapping object | null

        Map osquery result columns or static values to Elastic Common Schema (ECS) fields. Each key is an ECS field name (client.port in the request example); its value is an object with either field, the osquery result column to copy, or value, a static value to set.
      • id string

        The ID of the query.

      • platform string | null

        Restricts the query to a specified platform. The default is all platforms. To specify multiple platforms, use commas. For example, linux,darwin.

      • query string

        The SQL query you want to run.

      • removed boolean | null

        Indicates whether the query is removed.

      • saved_query_id string | null

        The ID of a saved query.

      • snapshot boolean | null

        Indicates whether the query is a snapshot.

      • version string | null

        Runs the query only on agents whose osquery version is greater than or equal to the specified version string.

  • shards object

    An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.

    • * number Additional properties

      Key: a policy ID (the request example uses the same IDs as policy_ids); value: the percentage of that policy's hosts the pack runs on.

Responses

  • 200 application/json

    OK. The created pack is returned under data, with created_at, created_by, updated_at, updated_by and saved_object_id filled in. Note that shards comes back as an array of {key, value} pairs keyed by policy ID, not as the object sent in the request.

POST /api/osquery/packs
curl \
 --request POST 'http://api.example.com/api/osquery/packs' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{"name":"my_pack","shards":{"my_policy_id":35,"fleet-server-policy":58},"enabled":true,"queries":{"my_query":{"query":"SELECT * FROM listening_ports;","timeout":120,"interval":60,"ecs_mapping":{"tags":{"value":["tag1","tag2"]},"client.port":{"field":"port"}}}},"policy_ids":["my_policy_id","fleet-server-policy"],"description":"My pack"}'
Request example
{
  "name": "my_pack",
  "shards": {
    "my_policy_id": 35,
    "fleet-server-policy": 58
  },
  "enabled": true,
  "queries": {
    "my_query": {
      "query": "SELECT * FROM listening_ports;",
      "timeout": 120,
      "interval": 60,
      "ecs_mapping": {
        "tags": {
          "value": [
            "tag1",
            "tag2"
          ]
        },
        "client.port": {
          "field": "port"
        }
      }
    }
  },
  "policy_ids": [
    "my_policy_id",
    "fleet-server-policy"
  ],
  "description": "My pack"
}
Response examples (200)
{
  "data": {
    "name": "my_pack",
    "shards": [
      {
        "key": "47638692-7c4c-4053-aa3e-7186f28df349",
        "value": 35
      },
      {
        "key": "5e267651-fe50-443e-8d3f-3bbc9171b618",
        "value": 58
      }
    ],
    "enabled": true,
    "queries": {
      "ports": {
        "query": "SELECT * FROM listening_ports;",
        "removed": false,
        "timeout": 120,
        "interval": 60,
        "snapshot": true,
        "ecs_mapping": {
          "client.port": {
            "field": "port"
          }
        }
      }
    },
    "created_at": "2025-02-26T13:37:30.452Z",
    "created_by": "elastic",
    "updated_at": "2025-02-26T13:37:30.452Z",
    "updated_by": "elastic",
    "description": "My pack",
    "saved_object_id": "1c266590-381f-428c-878f-c80c1334f856"
  }
}
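A pack is scheduled SQL that Fleet pushes to every host covered by the listed policies, so it is worth validating the body before it reaches this endpoint. The builder below is an added example and not Elastic's code: it rebuilds the page's request example and enforces the constraints the page states (shard percentages from 1 to 100, platform as a comma-separated list, ecs_mapping entries of the field-or-value form). The allowed platform set, the single-SELECT check and the requirement that shard keys appear in policy_ids are this example's own assumptions and are marked as such in the code.

```python
"""Build and validate a request body for POST /api/osquery/packs.

Added example, not Elastic's code. Checks marked "own check" go beyond
what the API reference states.
"""
from __future__ import annotations

import json
from typing import Any

# Assumption: platforms an osquery query can target. The page only shows
# "linux,darwin" as an example platform value.
KNOWN_PLATFORMS = {"linux", "darwin", "windows"}


class PackError(ValueError):
    """Raised for a pack body that should not be sent."""


def validate_ecs_mapping(mapping: dict[str, Any] | None) -> None:
    """Each ECS field maps to exactly one of a result column (`field`) or a
    static `value`, the two forms used in the page's request example (own check)."""
    for ecs_field, spec in (mapping or {}).items():
        if not isinstance(spec, dict) or ("field" in spec) == ("value" in spec):
            raise PackError(f"ecs_mapping[{ecs_field!r}] must set exactly one of field/value")


def validate_query(name: str, q: dict[str, Any]) -> None:
    if not isinstance(q.get("query"), str) or not q["query"].strip():
        raise PackError(f"query {name!r}: `query` must be a non-empty SQL string")
    # Own check: osquery SQL is read-only, but a pack should still carry a
    # single SELECT so nobody smuggles extra statements into a fleet-wide job.
    body = q["query"].strip().rstrip(";")
    if ";" in body or not body.upper().startswith("SELECT"):
        raise PackError(f"query {name!r}: expected a single SELECT statement")
    platform = q.get("platform")
    if platform:
        unknown = {p.strip() for p in platform.split(",")} - KNOWN_PLATFORMS
        if unknown:
            raise PackError(f"query {name!r}: unknown platform(s) {sorted(unknown)}")
    validate_ecs_mapping(q.get("ecs_mapping"))


def validate_pack(pack: dict[str, Any]) -> dict[str, Any]:
    if not pack.get("name"):
        raise PackError("name is required")
    policy_ids = set(pack.get("policy_ids") or [])
    for policy_id, pct in (pack.get("shards") or {}).items():
        # The page: a percentage (1-100) of target hosts per policy.
        if isinstance(pct, bool) or not isinstance(pct, (int, float)) or not 1 <= pct <= 100:
            raise PackError(f"shards[{policy_id!r}] must be a percentage from 1 to 100")
        if policy_id not in policy_ids:
            # Own check: the request example lists the same IDs in both places.
            raise PackError(f"shards[{policy_id!r}] is not listed in policy_ids")
    if not pack.get("queries"):
        raise PackError("at least one query is required")
    for name, q in pack["queries"].items():
        validate_query(name, q)
    return pack


def build_pack(name: str, policy_ids: list[str], queries: dict[str, Any],
               shards: dict[str, float] | None = None, description: str | None = None,
               enabled: bool = True) -> dict[str, Any]:
    pack = {"name": name, "shards": shards or {}, "enabled": enabled,
            "queries": queries, "policy_ids": list(policy_ids), "description": description}
    return validate_pack(pack)


def example_pack() -> dict[str, Any]:
    """The page's request example, rebuilt through the validator."""
    return build_pack(
        name="my_pack",
        policy_ids=["my_policy_id", "fleet-server-policy"],
        shards={"my_policy_id": 35, "fleet-server-policy": 58},
        description="My pack",
        queries={"my_query": {
            "query": "SELECT * FROM listening_ports;",
            "timeout": 120, "interval": 60,
            "ecs_mapping": {"tags": {"value": ["tag1", "tag2"]},
                            "client.port": {"field": "port"}},
        }},
    )


if __name__ == "__main__":
    # Emits the same JSON as the --data argument in the curl example above.
    print(json.dumps(example_pack(), indent=2))
```

Run it as a pre-commit step for packs kept in version control; the JSON it prints is the body for the curl call shown above.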