Alerting enables you to define rules, which detect complex conditions within your data. When a condition is met, the rule tracks it as an alert and runs the actions that are defined in the rule. Actions typically involve the use of connectors to interact with Kibana services or third party integrations.
The identifier for the rule.
curl \
--request POST 'http://api.example.com/api/alerting/rule/{id}/_mute_all' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"The identifier for the rule.
curl \
--request POST 'http://api.example.com/api/alerting/rule/{id}/_unmute_all' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"The identifier for the rule.
The identifier for the snooze schedule.
curl \
--request DELETE 'http://api.example.com/api/alerting/rule/{ruleId}/snooze_schedule/{scheduleId}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"The version of the API to use
Value is 2023-10-31. Default value is 2023-10-31.
A required header to protect against CSRF attacks
If the config exists ?overwrite=true is required
The agent name is used by the UI to determine which settings to display.
Service
Agent configuration settings
curl \
--request PUT 'http://api.example.com/api/apm/settings/agent-configuration' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "elastic-api-version: 2023-10-31" \
--header "kbn-xsrf: true" \
--data '"{\n \"service\": {\n \"name\": \"frontend\",\n \"environment\": \"production\"\n },\n \"settings\": {\n \"transaction_sample_rate\": \"0.4\",\n \"capture_body\": \"off\",\n \"transaction_max_spans\": \"500\"\n },\n \"agent_name\": \"nodejs\"\n}\n"'{
"service": {
"name": "frontend",
"environment": "production"
},
"settings": {
"transaction_sample_rate": "0.4",
"capture_body": "off",
"transaction_max_spans": "500"
},
"agent_name": "nodejs"
}
{}{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}{
"error": "Forbidden",
"message": "string",
"statusCode": 403
}{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}The version of the API to use
Value is 2023-10-31. Default value is 2023-10-31.
The name of the service
curl \
--request GET 'http://api.example.com/api/apm/settings/agent-configuration/environments' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"{
"environments": [
{
"alreadyConfigured": true,
"name": "ALL_OPTION_VALUE"
}
]
}{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}{
"error": "Not Found",
"message": "Not Found",
"statusCode": 404
}Annotate visualizations in the APM app with significant events. Annotations enable you to easily see how events are impacting the performance of your applications.
Search for annotations related to a specific service.
The version of the API to use
Value is 2023-10-31. Default value is 2023-10-31.
The name of the service
The environment to filter annotations by
The start date for the search
The end date for the search
curl \
--request GET 'http://api.example.com/api/apm/services/{serviceName}/annotation/search' \
--header "Authorization: $API_KEY" \
--header "elastic-api-version: 2023-10-31"{
"annotations": [
{
"@timestamp": 42.0,
"id": "string",
"text": "string",
"type": "version"
}
]
}{
"error": "Not Found",
"message": "Not Found",
"statusCode": 400
}{
"error": "Unauthorized",
"message": "string",
"statusCode": 401
}{
"error": "Internal Server Error",
"message": "string",
"statusCode": 500
}Create APM fleet server schema.
Configure APM source maps. A source map allows minified files to be mapped back to original source code--allowing you to maintain the speed advantage of minified code, without losing the ability to quickly and easily debug your application. For best results, uploading source maps should become a part of your deployment procedure, and not something you only do when you see unhelpful errors. That's because uploading source maps after errors happen won't make old errors magically readable--errors must occur again for source mapping to occur.
[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.
curl \
--request GET 'http://api.example.com/api/fleet/remote_synced_integrations/{outputId}/remote_status' \
--header "Authorization: $API_KEY"{
"custom_assets": {
"additionalProperty1": {
"name": "string",
"package_name": "string",
"package_version": "string",
"sync_status": "completed",
"type": "string"
},
"additionalProperty2": {
"name": "string",
"package_name": "string",
"package_version": "string",
"sync_status": "completed",
"type": "string"
}
},
"error": "string",
"integrations": [
{
"error": "string",
"id": "string",
"package_name": "string",
"package_version": "string",
"sync_status": "completed",
"updated_at": "string"
}
]
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: fleet-settings-read AND integrations-read.
curl \
--request GET 'http://api.example.com/api/fleet/remote_synced_integrations/status' \
--header "Authorization: $API_KEY"{
"custom_assets": {
"additionalProperty1": {
"name": "string",
"package_name": "string",
"package_version": "string",
"sync_status": "completed",
"type": "string"
},
"additionalProperty2": {
"name": "string",
"package_name": "string",
"package_version": "string",
"sync_status": "completed",
"type": "string"
}
},
"error": "string",
"integrations": [
{
"error": "string",
"id": "string",
"package_name": "string",
"package_version": "string",
"sync_status": "completed",
"updated_at": "string"
}
]
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}curl \
--request GET 'http://api.example.com/api/data_views/data_view/ff959d40-b880-11e8-a6d9-e546fe2bba5f/runtime_field/hour_of_day' \
--header "Authorization: $API_KEY"{
"fields": [
{
"name": "hour_of_day",
"type": "number",
"count": 0,
"esTypes": [
"long"
],
"scripted": false,
"searchable": true,
"aggregatable": true,
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
},
"shortDotsEnable": false,
"readFromDocValues": false
}
],
"data_view": {
"id": "d3d7af60-4c81-11e8-b3d7-01146121b73d",
"name": "Kibana Sample Data Flights",
"title": "kibana_sample_data_flights",
"fields": {
"_id": {
"name": "_id",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_id"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Dest": {
"name": "Dest",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"Origin": {
"name": "Origin",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"_index": {
"name": "_index",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"_index"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": false
},
"_score": {
"name": "_score",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Carrier": {
"name": "Carrier",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"_source": {
"name": "_source",
"type": "_source",
"count": 0,
"format": {
"id": "_source"
},
"esTypes": [
"_source"
],
"isMapped": true,
"scripted": false,
"searchable": false,
"aggregatable": false,
"shortDotsEnable": false,
"readFromDocValues": false
},
"Cancelled": {
"name": "Cancelled",
"type": "boolean",
"count": 0,
"format": {
"id": "boolean"
},
"esTypes": [
"boolean"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightNum": {
"name": "FlightNum",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"dayOfWeek": {
"name": "dayOfWeek",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"timestamp": {
"name": "timestamp",
"type": "date",
"count": 0,
"format": {
"id": "date"
},
"esTypes": [
"date"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestRegion": {
"name": "DestRegion",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestCountry": {
"name": "DestCountry",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestWeather": {
"name": "DestWeather",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelay": {
"name": "FlightDelay",
"type": "boolean",
"count": 0,
"format": {
"id": "boolean"
},
"esTypes": [
"boolean"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"hour_of_day": {
"name": "hour_of_day",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "00"
}
},
"esTypes": [
"long"
],
"scripted": false,
"searchable": true,
"aggregatable": true,
"runtimeField": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
},
"shortDotsEnable": false,
"readFromDocValues": false
},
"DestCityName": {
"name": "DestCityName",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestLocation": {
"name": "DestLocation",
"type": "geo_point",
"count": 0,
"format": {
"id": "geo_point",
"params": {
"transform": "wkt"
}
},
"esTypes": [
"geo_point"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginRegion": {
"name": "OriginRegion",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DestAirportID": {
"name": "DestAirportID",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DistanceMiles": {
"name": "DistanceMiles",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightTimeMin": {
"name": "FlightTimeMin",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginCountry": {
"name": "OriginCountry",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginWeather": {
"name": "OriginWeather",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"AvgTicketPrice": {
"name": "AvgTicketPrice",
"type": "number",
"count": 0,
"format": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelayMin": {
"name": "FlightDelayMin",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"integer"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightTimeHour": {
"name": "FlightTimeHour",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginCityName": {
"name": "OriginCityName",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginLocation": {
"name": "OriginLocation",
"type": "geo_point",
"count": 0,
"format": {
"id": "geo_point",
"params": {
"transform": "wkt"
}
},
"esTypes": [
"geo_point"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"FlightDelayType": {
"name": "FlightDelayType",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"OriginAirportID": {
"name": "OriginAirportID",
"type": "string",
"count": 0,
"format": {
"id": "string"
},
"esTypes": [
"keyword"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
},
"DistanceKilometers": {
"name": "DistanceKilometers",
"type": "number",
"count": 0,
"format": {
"id": "number"
},
"esTypes": [
"float"
],
"isMapped": true,
"scripted": false,
"searchable": true,
"aggregatable": true,
"shortDotsEnable": false,
"readFromDocValues": true
}
},
"version": "WzM2LDJd",
"fieldAttrs": {},
"allowNoIndex": false,
"fieldFormats": {
"hour_of_day": {
"id": "number",
"params": {
"pattern": "00"
}
},
"AvgTicketPrice": {
"id": "number",
"params": {
"pattern": "$0,0.[00]"
}
}
},
"sourceFilters": [],
"timeFieldName": "timestamp",
"runtimeFieldMap": {
"hour_of_day": {
"type": "long",
"script": {
"source": "emit(doc['timestamp'].value.getHour());"
}
}
}
}
}{
"error": "Not Found",
"message": "Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] not found",
"statusCode": 404
}The data view identifier. NOTE: The API does not validate whether it is a valid identifier. Use null to unset the default data view.
Update an existing default data view identifier.
Default value is false.
curl \
--request POST 'http://api.example.com/api/data_views/default' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"force":true,"data_view_id":"ff959d40-b880-11e8-a6d9-e546fe2bba5f"}'{
"force": true,
"data_view_id": "ff959d40-b880-11e8-a6d9-e546fe2bba5f"
}{
"acknowledged": true
}{
"error": "Bad Request",
"message": "string",
"statusCode": 400
}Changes saved object references from one data view identifier to another. WARNING: Misuse can break large numbers of saved objects! Practicing with a backup is recommended.
Deletes referenced saved object if all references are removed.
Limit the affected saved objects to one or more by identifier.
Limit the affected saved objects by type.
The saved object reference to change.
Specify the type of the saved object reference to alter. The default value is index-pattern for data views.
New saved object reference value to replace the old value.
curl \
--request POST 'http://api.example.com/api/data_views/swap_references' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"toId":"xyz-123","delete":true,"fromId":"abcd-efg"}'{
"toId": "xyz-123",
"delete": true,
"fromId": "abcd-efg"
}{
"deleteStatus": {
"deletePerformed": true,
"remainingRefs": 42
},
"result": [
{
"id": "string",
"type": "string"
}
]
}Preview the impact of swapping saved object references from one data view identifier to another.
Deletes referenced saved object if all references are removed.
Limit the affected saved objects to one or more by identifier.
Limit the affected saved objects by type.
The saved object reference to change.
Specify the type of the saved object reference to alter. The default value is index-pattern for data views.
New saved object reference value to replace the old value.
curl \
--request POST 'http://api.example.com/api/data_views/swap_references/_preview' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: string" \
--data '{"toId":"xyz-123","fromId":"abcd-efg"}'{
"toId": "xyz-123",
"fromId": "abcd-efg"
}{
"result": [
{
"id": "string",
"type": "string"
}
]
}[Required authorization] Route required privileges: fleet-agents-all.
curl \
--request POST 'http://api.example.com/api/fleet/agents/{agentId}/actions' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"action":{"type":"UNENROLL"}}'# Headers
kbn-xsrf: true
# Payload
{
"action": {
"type": "UNENROLL"
}
}{
"item": {
"agents": [
"string"
],
"created_at": "string",
"expiration": "string",
"id": "string",
"minimum_execution_duration": 42.0,
"namespaces": [
"string"
],
"rollout_duration_seconds": 42.0,
"sent_at": "string",
"source_uri": "string",
"start_time": "string",
"total": 42.0,
"type": "string"
}
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: fleet-agents-all.
curl \
--request POST 'http://api.example.com/api/fleet/agents/actions/{actionId}/cancel' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"{
"item": {
"agents": [
"string"
],
"created_at": "string",
"expiration": "string",
"id": "string",
"minimum_execution_duration": 42.0,
"namespaces": [
"string"
],
"rollout_duration_seconds": 42.0,
"sent_at": "string",
"source_uri": "string",
"start_time": "string",
"total": 42.0,
"type": "string"
}
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: fleet-agents-read.
Value is CPU.
curl \
--request POST 'http://api.example.com/api/fleet/agents/bulk_request_diagnostics' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"additional_metrics":["CPU"],"agents":["string"],"batchSize":42.0}'# Headers
kbn-xsrf: true
# Payload
{
"additional_metrics": [
"CPU"
],
"agents": [
"string"
],
"batchSize": 42.0
}{
"actionId": "string"
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: fleet-agents-all.
curl \
--request POST 'http://api.example.com/api/fleet/agents/bulk_update_agent_tags' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"agents":["string"],"batchSize":42.0,"includeInactive":false,"tagsToAdd":["string"],"tagsToRemove":["string"]}'# Headers
kbn-xsrf: true
# Payload
{
"agents": [
"string"
],
"batchSize": 42.0,
"includeInactive": false,
"tagsToAdd": [
"string"
],
"tagsToRemove": [
"string"
]
}{
"actionId": "string"
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: fleet-agents-read.
curl \
--request POST 'http://api.example.com/api/fleet/agents' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"actionIds":["string"]}'# Headers
kbn-xsrf: true
# Payload
{
"actionIds": [
"string"
]
}{
"items": [
"string"
]
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Delete a file uploaded by an agent.
[Required authorization] Route required privileges: fleet-agents-all.
curl \
--request DELETE 'http://api.example.com/api/fleet/agents/files/{fileId}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"{
"deleted": true,
"id": "string"
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
curl \
--request GET 'http://api.example.com/api/fleet/agents/setup' \
--header "Authorization: $API_KEY"{
"is_secrets_storage_enabled": true,
"is_space_awareness_enabled": true,
"isReady": true,
"missing_optional_features": [
"encrypted_saved_object_encryption_key_required"
],
"missing_requirements": [
"security_required"
],
"package_verification_key_id": "string"
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
curl \
--request GET 'http://api.example.com/api/fleet/epm/categories' \
--header "Authorization: $API_KEY"{
"items": [
{
"count": 42.0,
"id": "string",
"parent_id": "string",
"parent_title": "string",
"title": "string"
}
]
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
Default value is false.
Default value is false.
curl \
--request POST 'http://api.example.com/api/fleet/epm/packages' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/gzip; application/zip" \
--header "kbn-xsrf: true" \
--data-binary '@file'[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
curl \
--request DELETE 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"{
"items": [
{
"id": "string",
"originId": "string",
"type": "dashboard"
}
]
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
curl \
--request GET 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}' \
--header "Authorization: $API_KEY"{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
curl \
--request POST 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"force":true,"space_ids":["string"]}'# Headers
kbn-xsrf: true
# Payload
{
"force": true,
"space_ids": [
"string"
]
}{
"success": true
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: integrations-all AND fleet-agent-policies-all.
curl \
--request DELETE 'http://api.example.com/api/fleet/epm/packages/{pkgName}/{pkgVersion}/kibana_assets' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"{
"success": true
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
curl \
--request GET 'http://api.example.com/api/fleet/epm/packages/{pkgName}/stats' \
--header "Authorization: $API_KEY"{
"response": {
"agent_policy_count": 42.0
}
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
Values are json, yml, or yaml. Default value is json.
curl \
--request GET 'http://api.example.com/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs' \
--header "Authorization: $API_KEY"string{
"inputs": [
{
"id": "string",
"streams": [
{
"data_stream": {
"dataset": "string",
"type": "string"
},
"id": "string"
}
],
"type": "string"
}
]
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: integrations-read OR fleet-setup OR fleet-all.
curl \
--request GET 'http://api.example.com/api/fleet/epm/verification_key_id' \
--header "Authorization: $API_KEY"{
"id": "string"
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: fleet-agents-all OR fleet-setup.
curl \
--request GET 'http://api.example.com/api/fleet/enrollment_api_keys' \
--header "Authorization: $API_KEY"{
"items": [
{
"active": true,
"api_key": "string",
"api_key_id": "string",
"created_at": "string",
"id": "string",
"name": "string",
"policy_id": "string"
}
],
"list": [
{
"active": true,
"api_key": "string",
"api_key_id": "string",
"created_at": "string",
"id": "string",
"name": "string",
"policy_id": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: fleet-agents-all.
curl \
--request POST 'http://api.example.com/api/fleet/enrollment_api_keys' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"expiration":"string","name":"string","policy_id":"string"}'# Headers
kbn-xsrf: true
# Payload
{
"expiration": "string",
"name": "string",
"policy_id": "string"
}{
"action": "created",
"item": {
"active": true,
"api_key": "string",
"api_key_id": "string",
"created_at": "string",
"id": "string",
"name": "string",
"policy_id": "string"
}
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}[Required authorization] Route required privileges: fleet-agents-read OR fleet-agent-policies-read OR fleet-settings-read OR fleet-setup.
curl \
--request POST 'http://api.example.com/api/fleet/setup' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"{
"isInitialized": true,
"nonFatalErrors": [
{
"message": "string",
"name": "string"
}
]
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}{
"message": "string"
}Delete output by ID.
[Required authorization] Route required privileges: fleet-settings-all.
curl \
--request DELETE 'http://api.example.com/api/fleet/outputs/{outputId}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"{
"id": "string"
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Get a proxy by ID.
[Required authorization] Route required privileges: fleet-settings-read.
curl \
--request GET 'http://api.example.com/api/fleet/proxies/{itemId}' \
--header "Authorization: $API_KEY"{
"item": {
"certificate": "string",
"certificate_authorities": "string",
"certificate_key": "string",
"id": "string",
"is_preconfigured": false,
"name": "string",
"proxy_headers": {},
"url": "string"
}
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}Delete a proxy by ID
[Required authorization] Route required privileges: fleet-settings-all.
curl \
--request DELETE 'http://api.example.com/api/fleet/proxies/{itemId}' \
--header "Authorization: $API_KEY" \
--header "kbn-xsrf: true"{
"id": "string"
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}List the metadata for the latest uninstall tokens per agent policy.
[Required authorization] Route required privileges: fleet-agents-all.
curl \
--request GET 'http://api.example.com/api/fleet/uninstall_tokens' \
--header "Authorization: $API_KEY"{
"items": [
{
"created_at": "string",
"id": "string",
"namespaces": [
"string"
],
"policy_id": "string",
"policy_name": "string"
}
],
"page": 42.0,
"perPage": 42.0,
"total": 42.0
}{
"error": "string",
"errorType": "string",
"message": "string",
"statusCode": 42.0
}The role name.
Minimum length is 1.
If true and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.
curl \
--request GET 'http://api.example.com/api/security/role/{name}' \
--header "Authorization: $API_KEY"Retrieve sets of saved objects that you want to import into Kibana. You must include type or objects in the request body.
Exported saved objects are not backwards compatible and cannot be imported into an older version of Kibana.
NOTE: The savedObjects.maxImportExportSize configuration setting limits the number of saved objects which may be exported.
Do not add export details entry at the end of the stream.
Default value is false.
Includes all of the referenced objects in the exported objects.
Default value is false.
A list of objects to export. NOTE: this optiona cannot be combined with types option
Not more than 10000 elements.
Search for documents to export using the Elasticsearch Simple Query String syntax.
The saved object types to include in the export. Use * to export all the types.
curl \
--request POST 'http://api.example.com/api/saved_objects/_export' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true" \
--data '{"objects":[{"id":"de71f4f0-1902-11e9-919b-ffe5949a18d2","type":"map"}],"excludeExportDetails":true,"includeReferencesDeep":false}'{
"objects": [
{
"id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
"type": "map"
}
],
"excludeExportDetails": true,
"includeReferencesDeep": false
}{
"id": "de71f4f0-1902-11e9-919b-ffe5949a18d2",
"type": "map",
"managed": false,
"version": "WzEzLDFd",
"attributes": {
"title": "[Logs] Total Requests and Bytes",
"description": "",
"uiStateJSON": "{\"isDarkMode\":false}",
"mapStateJSON": "{\"zoom\":3.64,\"center\":{\"lon\":-88.92107,\"lat\":42.16337},\"timeFilters\":{\"from\":\"now-7d\",\"to\":\"now\"},\"refreshConfig\":{\"isPaused\":true,\"interval\":0},\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"settings\":{\"autoFitToDataBounds\":false}}",
"layerListJSON": "[{\"id\":\"0hmz5\",\"alpha\":1,\"sourceDescriptor\":{\"type\":\"EMS_TMS\",\"isAutoSelect\":true,\"lightModeDefault\":\"road_map_desaturated\"},\"visible\":true,\"style\":{},\"type\":\"EMS_VECTOR_TILE\",\"minZoom\":0,\"maxZoom\":24},{\"id\":\"edh66\",\"label\":\"Total Requests by Destination\",\"minZoom\":0,\"maxZoom\":24,\"alpha\":0.5,\"sourceDescriptor\":{\"type\":\"EMS_FILE\",\"id\":\"world_countries\",\"tooltipProperties\":[\"name\",\"iso2\"]},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e\",\"origin\":\"join\"},\"color\":\"Greys\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"STATIC\",\"options\":{\"size\":10}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\",\"joins\":[{\"leftField\":\"iso2\",\"right\":{\"type\":\"ES_TERM_SOURCE\",\"id\":\"673ff994-fc75-4c67-909b-69fcb0e1060e\",\"indexPatternTitle\":\"kibana_sample_data_logs\",\"term\":\"geo.dest\",\"indexPatternRefName\":\"layer_1_join_0_index_pattern\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"}],\"applyGlobalQuery\":true}}]},{\"id\":\"gaxya\",\"label\":\"Actual Requests\",\"minZoom\":9,\"maxZoom\":24,\"alpha\":1,\"sourceDescriptor\":{\"id\":\"b7486535-171b-4d3b-bb2e-33c1a0a2854c\",\"type\":\"ES_SEARCH\",\"geoField\":\"geo.coordinates\",\"limit\":2048,\"filterByMapBounds\":true,\"tooltipProperties\":[\"clientip\",\"timestamp\",\"host\",\"request\",\"response\",\"machine.os\",\"agent\",\"bytes\"],\"indexPatternRefName\":\"layer_2_source_index_pattern\",\"applyGlobalQuery\":true,\"scalingType\":\"LIMIT\"},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#2200ff\"}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#FFFFFF\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":2}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"bytes\",\"origin\":\"source\"},\"minSize\":1,\"maxSize\":23,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"},{\"id\":\"tfi3f\",\"label\":\"Total Requests and Bytes\",\"minZoom\":0,\"maxZoom\":9,\"alpha\":1,\"sourceDescriptor\":{\"type\":\"ES_GEO_GRID\",\"resolution\":\"COARSE\",\"id\":\"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b\",\"geoField\":\"geo.coordinates\",\"requestType\":\"point\",\"metrics\":[{\"type\":\"count\",\"label\":\"web logs count\"},{\"type\":\"sum\",\"field\":\"bytes\"}],\"indexPatternRefName\":\"layer_3_source_index_pattern\",\"applyGlobalQuery\":true},\"visible\":true,\"style\":{\"type\":\"VECTOR\",\"properties\":{\"fillColor\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"color\":\"Blues\",\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"lineColor\":{\"type\":\"STATIC\",\"options\":{\"color\":\"#cccccc\"}},\"lineWidth\":{\"type\":\"STATIC\",\"options\":{\"size\":1}},\"iconSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"sum_of_bytes\",\"origin\":\"source\"},\"minSize\":7,\"maxSize\":25,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelText\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"labelSize\":{\"type\":\"DYNAMIC\",\"options\":{\"field\":{\"name\":\"doc_count\",\"origin\":\"source\"},\"minSize\":12,\"maxSize\":24,\"fieldMetaOptions\":{\"isEnabled\":false,\"sigma\":3}}},\"symbolizeAs\":{\"options\":{\"value\":\"circle\"}},\"icon\":{\"type\":\"STATIC\",\"options\":{\"value\":\"marker\"}}}},\"type\":\"GEOJSON_VECTOR\"}]"
},
"created_at": "2023-08-23T20:03:32.204Z",
"references": [
{
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"name": "layer_1_join_0_index_pattern",
"type": "index-pattern"
},
{
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"name": "layer_2_source_index_pattern",
"type": "index-pattern"
},
{
"id": "90943e30-9a47-11e8-b64d-95841ca0b247",
"name": "layer_3_source_index_pattern",
"type": "index-pattern"
}
],
"updated_at": "2023-08-23T20:03:32.204Z",
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "8.4.0"
}{
"error": "string",
"message": "string",
"statusCode": 400
}Manage and interact with Security Assistant resources.
Create a model response for the given chat conversation.
If true, the response will not include content references.
Default value is false.
A string that does not contain only whitespace characters
Minimum length is 1.
AI assistant message.
curl \
--request POST 'http://api.example.com/api/security_ai_assistant/chat/complete' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"connectorId":"string","conversationId":"string","isStream":true,"langSmithApiKey":"string","langSmithProject":"string","messages":[{"content":"string","data":{},"fields_to_anonymize":["string"],"role":"system"}],"model":"string","persist":true,"promptId":"string","responseLanguage":"string"}'{
"connectorId": "string",
"conversationId": "string",
"isStream": true,
"langSmithApiKey": "string",
"langSmithProject": "string",
"messages": [
{
"content": "string",
"data": {},
"fields_to_anonymize": [
"string"
],
"role": "system"
}
],
"model": "string",
"persist": true,
"promptId": "string",
"responseLanguage": "string"
}{
"error": "string",
"message": "string",
"statusCode": 42.0
}Retrieves whether or not the user is authenticated, and the user's Kibana space and index privileges, which determine if the user can create an index for the Elastic Security alerts generated by detection engine rules.
curl \
--request GET 'http://api.example.com/api/detection_engine/privileges' \
--header "Authorization: $API_KEY"{
"index": {
".alerts-security.alerts-default": {
"all": true,
"read": true,
"index": true,
"write": true,
"create": true,
"delete": true,
"manage": true,
"monitor": true,
"create_doc": true,
"maintenance": true,
"create_index": true,
"delete_index": true,
"view_index_metadata": true
}
},
"cluster": {
"all": true,
"manage": true,
"monitor": true,
"manage_ml": true,
"monitor_ml": true,
"manage_api_key": true,
"manage_pipeline": true,
"manage_security": true,
"manage_transform": true,
"monitor_transform": true,
"manage_own_api_key": true,
"manage_index_templates": true
},
"username": "elastic",
"application": {},
"is_authenticated": true,
"has_all_requested": true,
"has_encryption_key": true
}{
"error": "string",
"message": "string",
"statusCode": 42
}{
"message": "string",
"status_code": 42
}Export detection rules to an .ndjson file. The following configuration items are also included in the .ndjson file:
Rule actions and connectors are included in the exported file, but sensitive information about the connector (such as authentication credentials) is not included. You must re-add missing connector details after importing detection rules.
You can use Kibana’s Saved Objects UI (Stack Management → Kibana → Saved Objects) or the Saved Objects APIs (experimental) to export and import any necessary connectors before importing detection rules.
Similarly, any value lists used for rule exceptions are not included in rule exports or imports. Use the Manage value lists UI (Rules → Detection rules (SIEM) → Manage value lists) to export and import value lists separately.
Determines whether a summary of the exported rules is returned.
Default value is false.
File name for saving the exported rules.
When using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL.
Default value is export.ndjson.
curl -X POST "localhost:5601/api/detection_engine/rules/_export?exclude_export_details=true&file_name=exported_rules.ndjson" -H 'kbn-xsrf: true' -H 'Content-Type: application/json' -d'
{
"objects": [
{
"rule_id":"343580b5-c811-447c-8d2d-2ccf052c6900"
},
{
"rule_id":"2938c9fa-53eb-4c04-b79c-33cbf041b18d"
}
]
}
{
"objects": [
{
"rule_id": "string"
}
]
}@fileInteract with and manage endpoints running the Elastic Defend integration.
Terminate a running process on an endpoint.
List of agent types to retrieve. Defaults to endpoint.
Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.
A list of alerts ids.
At least 1 element. Minimum length of each is 1.
Case IDs to be updated (cannot contain empty strings)
At least 1 element. Minimum length of each is 1.
Optional comment
List of endpoint IDs (cannot contain empty strings)
At least 1 element. Minimum length of each is 1.
Optional parameters object
curl \
--request POST 'http://api.example.com/api/endpoint/action/kill_process' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"comment":"terminate the process","parameters":{"entity_id":"abc123"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'{
"comment": "terminate the process",
"parameters": {
"entity_id": "abc123"
},
"endpoint_ids": [
"ed518850-681a-4d60-bb98-e22640cae2a8"
]
}{
"data": {
"id": "233db9ea-6733-4849-9226-5a7039c7161d",
"agents": [
"ed518850-681a-4d60-bb98-e22640cae2a8"
],
"errors": [],
"command": "kill-process",
"comment": "terminate the process",
"outputs": {
"ed518850-681a-4d60-bb98-e22640cae2a8": {
"type": "json",
"content": {
"key": "value"
}
}
},
"agentType": "endpoint",
"createdBy": "myuser",
"isExpired": false,
"startedAt": "2022-07-29T19:08:49.126Z",
"parameters": {
"entity_id": "abc123"
},
"completedAt": "2022-07-29T19:09:44.961Z",
"isCompleted": true,
"wasSuccessful": true
}
}Create or update an asset criticality record for a specific entity.
If a record already exists for the specified entity, that record is overwritten with the specified value. If a record doesn't exist for the specified entity, a new record is created.
Values are host.name, user.name, service.name, or entity.id.
The ID value of the asset.
The criticality level of the asset.
Values are low_impact, medium_impact, high_impact, or extreme_impact.
If 'wait_for' the request will wait for the index refresh.
Value is wait_for.
curl \
--request POST 'http://api.example.com/api/asset_criticality' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"id_field":"host.name","id_value":"my_host","criticality_level":"high_impact"}'{
"id_field": "host.name",
"id_value": "my_host",
"criticality_level": "high_impact"
}{
"host": {
"name": "my_host",
"asset": {
"criticality": "high_impact"
}
},
"asset": {
"criticality": "high_impact"
},
"id_field": "host.name",
"id_value": "my_host",
"@timestamp": "2024-08-02T11:15:34.290Z",
"criticality_level": "high_impact"
}Bulk upsert up to 1000 asset criticality records.
If asset criticality records already exist for the specified entities, those records are overwritten with the specified values. If asset criticality records don't exist for the specified entities, new records are created.
curl \
--request POST 'http://api.example.com/api/asset_criticality/bulk' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"records":[{"id_field":"host.name","id_value":"host-1","criticality_level":"low_impact"},{"id_field":"host.name","id_value":"host-2","criticality_level":"medium_impact"}]}'{
"records": [
{
"id_field": "host.name",
"id_value": "host-1",
"criticality_level": "low_impact"
},
{
"id_field": "host.name",
"id_value": "host-2",
"criticality_level": "medium_impact"
}
]
}{
"stats": {
"total": 2,
"failed": 1,
"successful": 1
},
"errors": [
{
"index": 0,
"message": "Invalid ID field"
}
]
}curl \
--request GET 'http://api.example.com/api/entity_analytics/monitoring/privileges/health' \
--header "Authorization: $API_KEY"{
"ok": true
}curl \
--request GET 'http://api.example.com/api/entity_store/engines' \
--header "Authorization: $API_KEY"{
"count": 42,
"engines": [
{
"delay": "1m",
"docsPerSecond": 42,
"error": {
"action": "init",
"message": "string"
},
"fieldHistoryLength": 42,
"filter": "string",
"frequency": "1m",
"indexPattern": "string",
"lookbackPeriod": "24h",
"status": "installing",
"timeout": "180s",
"timestampField": "string",
"type": "user"
}
]
}The entity type of the engine (either 'user' or 'host').
Values are user, host, service, or generic.
curl \
--request GET 'http://api.example.com/api/entity_store/engines/{entityType}' \
--header "Authorization: $API_KEY"{
"delay": "1m",
"docsPerSecond": 42,
"error": {
"action": "init",
"message": "string"
},
"fieldHistoryLength": 42,
"filter": "string",
"frequency": "1m",
"indexPattern": "string",
"lookbackPeriod": "24h",
"status": "installing",
"timeout": "180s",
"timestampField": "string",
"type": "user"
}The entity type of the engine (either 'user' or 'host').
Values are user, host, service, or generic.
curl \
--request POST 'http://api.example.com/api/entity_store/engines/{entityType}/stop' \
--header "Authorization: $API_KEY"{
"stopped": true
}Get a summary of the specified exception list.
Exception list's identifier generated upon creation.
Minimum length is 1.
Exception list's human readable identifier.
Minimum length is 1.
Determines whether the exception container is available in all Kibana spaces or just the space in which it is created, where:
single: Only available in the Kibana space in which it is created.agnostic: Available in all Kibana spaces.Values are agnostic or single. Default value is single.
Search filter clause
Successful response
Invalid input data response
Unsuccessful authentication response
Not enough privileges response
Exception list not found response
Internal server error response
curl \
--request GET 'http://api.example.com/api/exception_lists/summary' \
--header "Authorization: $API_KEY"{
"linux": 0,
"macos": 0,
"total": 0,
"windows": 0
}{
"error": "Bad Request",
"message": "[request query]: namespace_type.0: Invalid enum value. Expected 'agnostic' | 'single', received 'blob'",
"statusCode": 400
}{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}{
"error": "Forbidden",
"message": "API [GET /api/exception_lists/summary?list_id=simple_list&namespace_type=agnostic] is unauthorized for user, this action is granted by the Kibana privileges [lists-summary]",
"statusCode": 403
}{
"message\"": "exception list id: \"foo\" does not exist",
"status_code\"": 404
}{
"message": "Internal Server Error",
"status_code": 500
}Export list item values from the specified value list.
Value list's id to export.
Minimum length is 1.
Successful response
A .txt file containing list items from the specified list
Invalid input data response
Unsuccessful authentication response
Not enough privileges response
List not found response
Internal server error response
curl \
--request POST 'http://api.example.com/api/lists/items/_export?list_id=21b01cfb-058d-44b9-838c-282be16c91cd' \
--header "Authorization: $API_KEY"127.0.0.1
127.0.0.2
127.0.0.3
127.0.0.4
127.0.0.5
127.0.0.6
127.0.0.7
127.0.0.8
127.0.0.9
{
"error": "Bad Request\",\"message\":\"[request query]: list_id: Required",
"statusCode": 400
}{
"error": "Unauthorized",
"message": "[security_exception\\n\\tRoot causes:\\n\\t\\tsecurity_exception: unable to authenticate user [elastic] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic] for REST request [/_security/_authenticate]",
"statusCode": 401
}{
"error": "Forbidden",
"message": "API [POST /api/lists/items/_export?list_id=ips.txt] is unauthorized for user, this action is granted by the Kibana privileges [lists-read]",
"statusCode": 403
}{
"message": "string",
"status_code": 42
}{
"message": "Internal Server Error",
"status_code": 500
}Run live queries, manage packs and saved queries.
Get the details of a live query using the query ID.
The ID of the live query result you want to retrieve.
curl \
--request GET 'http://api.example.com/api/osquery/live_queries/3c42c847-eb30-4452-80e0-728584042334' \
--header "Authorization: $API_KEY"{
"data": {
"agents": [
"16d7caf5-efd2-4212-9b62-73dafc91fa13"
],
"status": "completed",
"queries": [
{
"id": "6724a474-cbba-41ef-a1aa-66aebf0879e2",
"docs": 0,
"query": "select * from uptime;",
"agents": [
"16d7caf5-efd2-4212-9b62-73dafc91fa13"
],
"failed": 1,
"status": "completed",
"pending": 0,
"action_id": "609c4c66-ba3d-43fa-afdd-53e244577aa0",
"responded": 1,
"successful": 0,
"ecs_mapping": {
"host.uptime": {
"field": "total_seconds"
}
},
"saved_query_id": "42ba9c50-0cc5-11ed-aa1d-2b27890bc90d"
}
],
"user_id": "elastic",
"action_id": "3c42c847-eb30-4452-80e0-728584042334",
"@timestamp": "2022-07-26T09:59:32.220Z",
"expiration": "2022-07-26T10:04:32.220Z"
}
}The pack description.
Enables the pack.
The pack name.
A list of agents policy IDs.
An object of queries.
An object with shard configuration for policies included in the pack. For each policy, set the shard configuration to a percentage (1–100) of target hosts.
curl \
--request POST 'http://api.example.com/api/osquery/packs' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"name":"my_pack","shards":{"my_policy_id":35,"fleet-server-policy":58},"enabled":true,"queries":{"my_query":{"query":"SELECT * FROM listening_ports;","timeout":120,"interval":60,"ecs_mapping":{"tags":{"value":["tag1","tag2"]},"client.port":{"field":"port"}}}},"policy_ids":["my_policy_id","fleet-server-policy"],"description":"My pack"}'{
"name": "my_pack",
"shards": {
"my_policy_id": 35,
"fleet-server-policy": 58
},
"enabled": true,
"queries": {
"my_query": {
"query": "SELECT * FROM listening_ports;",
"timeout": 120,
"interval": 60,
"ecs_mapping": {
"tags": {
"value": [
"tag1",
"tag2"
]
},
"client.port": {
"field": "port"
}
}
}
},
"policy_ids": [
"my_policy_id",
"fleet-server-policy"
],
"description": "My pack"
}{
"data": {
"name": "my_pack",
"shards": [
{
"key": "47638692-7c4c-4053-aa3e-7186f28df349",
"value": 35
},
{
"key": "5e267651-fe50-443e-8d3f-3bbc9171b618",
"value": 58
}
],
"enabled": true,
"queries": {
"ports": {
"query": "SELECT * FROM listening_ports;",
"removed": false,
"timeout": 120,
"interval": 60,
"snapshot": true,
"ecs_mapping": {
"client.port": {
"field": "port"
}
}
}
},
"created_at": "2025-02-26T13:37:30.452Z",
"created_by": "elastic",
"updated_at": "2025-02-26T13:37:30.452Z",
"updated_by": "elastic",
"description": "My pack",
"saved_object_id": "1c266590-381f-428c-878f-c80c1334f856"
}
}The ID of the pack you want to run, retrieve, update, or delete.
curl \
--request DELETE 'http://api.example.com/api/osquery/packs/3c42c847-eb30-4452-80e0-728584042334' \
--header "Authorization: $API_KEY"{}Get the details of a saved query using the query ID.
The ID of a saved query.
curl \
--request GET 'http://api.example.com/api/osquery/saved_queries/3c42c847-eb30-4452-80e0-728584042334' \
--header "Authorization: $API_KEY"{
"data": {
"id": "3c42c847-eb30-4452-80e0-728584042334",
"type": "osquery-saved-query",
"version": "WzQzMTcsMV0=",
"attributes": {
"id": "saved_query_id",
"query": "select * from uptime;",
"version": "2.8.0",
"interval": "60",
"platform": "linux,darwin",
"prebuilt": false,
"created_at": "2022-07-26T09:28:08.597Z",
"created_by": "elastic",
"updated_at": "2022-07-26T09:28:08.597Z",
"updated_by": "elastic",
"description": "Saved query description",
"ecs_mapping": {
"host.uptime": {
"field": "total_seconds"
}
}
},
"namespaces": [
"default"
],
"references": [],
"updated_at": "2022-07-26T09:28:08.600Z",
"coreMigrationVersion": "8.4.0"
}
}Specifies which authorization checks are applied to the API call. The default value is any.
Values are any, copySavedObjectsIntoSpace, or shareSavedObjectsIntoSpace.
curl \
--request GET 'http://api.example.com/api/spaces/space?' \
--header "Authorization: $API_KEY"[
{
"id": "default",
"name": "Default",
"imageUrl": "",
"_reserved": true,
"description": "This is the Default Space",
"disabledFeatures": []
},
{
"id": "marketing",
"name": "Marketing",
"color": null,
"imageUrl": "data:image/png;base64,iVBORw0KGgoAAAANSU",
"initials": "MK",
"description": "This is the Marketing Space",
"disabledFeatures": [
"apm"
]
},
{
"id": "sales",
"name": "Sales",
"imageUr\"": "",
"initials": "MK",
"solution": "oblt",
"disabledFeatures": [
"discover"
]
}
][
{
"id": "default",
"name": "Default",
"imageUrl": "",
"_reserved": true,
"description": "This is the Default Space",
"disabledFeatures": [],
"authorizedPurposes": {
"any": true,
"findSavedObjects": true,
"copySavedObjectsIntoSpace": true,
"shareSavedObjectsIntoSpace": true
}
},
{
"id": "marketing",
"name": "Marketing",
"color": null,
"imageUrl": "data:image/png;base64,iVBORw0KGgoAAAANSU",
"initials": "MK",
"description": "This is the Marketing Space",
"disabledFeatures": [
"apm"
],
"authorizedPurposes": {
"any": true,
"findSavedObjects": true,
"copySavedObjectsIntoSpace": true,
"shareSavedObjectsIntoSpace": true
}
},
{
"id": "sales",
"name": "Sales",
"imageUrl": "",
"initials": "MK",
"disabledFeatures": [
"discover"
],
"authorizedPurposes": {
"any": true,
"findSavedObjects": true,
"copySavedObjectsIntoSpace": false,
"shareSavedObjectsIntoSpace": false
}
}
]curl \
--request POST 'http://api.example.com/api/streams/_enable' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true"# Headers
kbn-xsrf: true
# Payload
{}Resyncs all streams, making sure that Elasticsearch assets are up to date
curl \
--request POST 'http://api.example.com/api/streams/_resync' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--header "kbn-xsrf: true"# Headers
kbn-xsrf: true
# Payload
{}